Ofcom’s final versions of its Protection of Children Codes and its related Guidance have now been published.
Background
The Online Safety Act 2023 ('the OSA') received Royal Assent in October 2023. Its main provisions will apply after Ofcom and the Secretary of State publish Codes of Practice and Guidance. Ofcom has now published final versions of its Protection of Children Codes and related Guidance, requiring service providers to take action.
What steps should service providers take to ensure compliance with the Codes and Guidance?
Risk assessments
In scope service providers should now carry out children’s risk assessments and should be prepared to justify the accuracy of their assessments, as Ofcom may request to review them. This is particularly important given Ofcom's recent enforcement action against OnlyFans for failing to respond accurately to requests for information about its age assurance measures on the platform, resulting in a £1.05 million fine.
Ofcom have published specific Guidance to assist service providers with completing the children’s risk assessments: the Children’s Risk Assessment Guidance and the Children’s Risk Profiles.
The Guidance sets out a four-step methodology for carrying out the risk assessment:
- Understand the content harmful to children that needs to be assessed.
- Assess the risk of harm to children.
- Decide measures, implement, and record.
- Report, review and update risk assessments.
The Guidance also states that the risk assessment should be reviewed at least annually, or if Ofcom makes a significant change to the children's risk profile relevant to your service, or before making a significant change to the design or operation of your service.
The codes
From 25th July 2025, provided that the Codes successfully complete the UK Parliamentary process, in scope service providers will be required to adhere to the steps outlined in the Codes or implement alternative effective measures to safeguard children from harmful content.
These requirements vary based on the size, risk level, or purpose of the service. The measures include:
- Safer algorithms: Services that use algorithms to provide personalised recommendations and are at higher risk of harmful content should identify their child users and configure their algorithms to filter out the most harmful content from children's feeds.
- Content moderation: All “user to user” (“U2U”) services should have content moderation systems and processes that ensure that action is taken quickly against content harmful to children.
- Governance and accountability: This includes having a named person accountable for compliance, an employee code of conduct that sets standards for employees around protecting children and an annual senior-body review of all risk management activities related to children's safety.
- Age checks: Ofcom expects increased utilisation of age assurance measures. Ofcom have issued specific Guidance to assist with the implementation of age assurance measures. The Guidance can be found here: Guidance on highly effective age assurance part 3 guidance.
- Support for children: This includes providing clear and accessible information for children and carers, easy complaints processes and tools to support children to ensure they remain safe.
What powers do Ofcom have to enforce this?
Ofcom has the authority to take enforcement action and impose significant fines for non-compliance.
Companies may be fined up to £18 million or 10 percent of their qualifying worldwide revenue, whichever is greater, for breaches of the OSA. Criminal action can also be taken against senior managers who do not ensure compliance with information requests from Ofcom.
Ofcom can also hold companies and senior managers (where they are at fault) criminally liable if the service provider fails to comply with enforcement notices concerning specific child safety duties or child sexual abuse and exploitation on their service.
In extreme cases, and with court approval, Ofcom can require payment providers, advertisers, and internet service providers to stop working with a site, preventing it from generating revenue or being accessed from the UK.
Additionally, Ofcom may issue a provisional notice of contravention or a confirmation decision to both the service provider and another related entity or individuals controlling the service provider, including a parent and subsidiary undertaking. In such cases, the related company or controlling individual will be jointly and severally liable with the service provider for any contravention that Ofcom find in a confirmation decision.
What can we expect to see next?
The Codes are pending Parliamentary approval. There is no indication at present that they will not be approved, and thus they are expected to come into effect as scheduled.
Additionally, Ofcom has initiated a consultation on proposals to expand the application of its measures for blocking and muting user accounts and disabling comments in the Illegal Content Codes to encompass a wider range of services. This consultation is a result of Ofcom considering it is proportionate for these measures to also apply to certain smaller services that are likely to be accessible to children.
A response to the consultation can be submitted no later than 5pm on 22nd July 2025.
Please contact us if you need further guidance on how the OSA and these new Codes and Guidance may impact your business operations. The Codes and Guidance referenced throughout the article can be accessed via this link: Statement: Protecting children from harms online - Ofcom.
Disclaimer
This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2025.