UK Online Safety Act: A Look Ahead

Ofcom, the U.K. Online Safety Act (the Act) regulator, released an updated roadmap on the timing of obligations for covered services on October 17, 2024. The Act was passed in October 2023 and introduces new legal obligations for user-to-user services and search services. Last year, we covered Ofcom’s plan to implement the Act and develop codes of practice in three phases: (1) duties regarding illegal content; (2) duties regarding the protection of children; and (3) additional duties for certain designated services to provide transparency and empower users. For more information, please read our Update.

Below is Ofcom’s updated timeline. Most notable and immediate among them are that Ofcom plans to publish final illegal content codes of practice in December, at which point services will have three months to complete the illegal content risk assessment.

December 2024: Ofcom will publish its final illegal harms codes and guidance (the draft guidance is here). Platforms will then have three months to complete the illegal harms risk assessment.

January 2025: Ofcom intends to finalize its children’s access assessment guidance and guidance for pornography providers on age assurance. Companies will have three months to assess whether their service is likely to be accessed by children.

February 2025: Ofcom intends to consult on best practice guidance on protecting women and girls online.

March 2025: Companies must complete their illegal harms risk assessments and implement appropriate safety measures.

April 2025: Companies must complete children’s access assessments. Ofcom intends to finalize its illegal harms and children’s safety codes and guidance. Companies will have three months to complete the children’s risk assessment.

Spring 2025: Ofcom intends to consult on additional measures for second-edition codes and guidance.

July 2025: Deadline for companies to complete children’s risk assessments and implement appropriate safety measures.

Takeaways
Companies that offer user-to-user and search services should ensure they meet their deadlines for completing applicable risk assessments. Ofcom may bring enforcement actions against companies that do not meet their compliance obligations, as well as impose fines of up to £18 million or 10% of worldwide revenue (whichever is greater). In the most serious cases of noncompliance, Ofcom is authorized to seek a court order that would require third-party internet service providers to block access to a service in the United Kingdom or limit its access to payment providers or advertisers.

Ofcom has signaled that it is “prepared to take strong action if tech firms fail to put in place the measures that will be most impactful in protecting users, especially children,” including those relating to child sexual abuse.