Today, 17 October 2024, Ofcom published an update on its progress on the UK's new online safety regime, under the Online Safety Act (OSA).
The full 18-page update can be accessed here, and a table setting out important dates and deadlines can be found here.
More analysis will follow, but for now we thought it would be useful to make you aware of these updates and to set out some of the context and main time frames.
Context
The Online Safety Act (OSA) mandates that companies running various online services are legally accountable for ensuring the safety of users, particularly children. These companies must now protect UK users by identifying and mitigating potential risks of harm. The new regulations apply to all relevant services with a substantial UK user base or those targeting the UK market, irrespective of their geographical location.
The key takeaway for now is that, from December 2024, services will need to take steps to comply with their duties. Ofcom will be publishing Codes of Practice and guidance on how in scope companies can comply with their duties. If you provide an online service, there are actions you must take when duties come into force.
Phase one: illegal harms
Ofcom's immediate focus is on illegal harms. It will publish an update in December 2024, which will include the first edition of the Illegal Harms Codes of Practice and the illegal content risk assessment guidance.
At that time all providers of services in scope of the Act must complete their assessments by mid-March 2025.
Once the Codes of Practice have passed through Parliament, service providers will need to take the steps laid down in the Codes or use other effective measures to protect users and Ofcom can enforce against non-compliance. Ofcom expects that the illegal harms safety duties will become enforceable around March 2025.
Alongside its Illegal Harms statement in December 2024, Ofcom will also publish its final enforcement guidance, and final record keeping and review guidance.
It also plans to launch a further consultation which builds on the foundations established in the first Codes in spring 2025.
Phase two: child safety, pornography and the protection of women and girls
In January 2025, Ofcom will issue its final age assurance guidance for publishers of pornographic content. They expect these duties relevant to part 5 providers to become enforceable around the same time and they will start to monitor compliance. Ofcom will publish its final children’s access assessments guidance in January 2025.
Service providers will then have three months to complete the children’s access assessment process. Services likely to be accessed by children must then carry out a children’s risk assessment within three months of Ofcom publishing its Protection of Children Codes and risk assessment guidance in April 2025. Those services should prepare to complete their children’s risk assessments by July 2025. Ofcom expects that the child protection safety duties will become enforceable around July 2025.
In February 2025, Ofcom will publish its draft guidance on protecting women and girls, containing advice on content and activity which disproportionately affects women and girls, and on assessing and reducing the risk of harm to them.
Phase three: categorisation and additional duties for categorised services
A small proportion of regulated services will be designated Category 1, 2A or 2B services if they meet certain thresholds set out in secondary legislation to be made by Government. The final stage of implementation focuses on additional requirements that fall only on these categorised services.
These categorised services will be required to comply with a range of additional requirements, depending which category they are in, largely focused on bringing an enhanced level of safety, transparency, and accountability to the online world.
The next stage is for Government to confirm the thresholds for categorisation in secondary legislation, which is expected to take place by the end of 2024. Ofcom expects to:
- publish the register of categorised services in summer 2025,
- issue draft transparency notices within a few weeks of publication of the register, and to issue final transparency notices soon after,
- publish draft proposals regarding the additional duties on categorised services no later than early 2026.
Technology companies needed to be "honest and transparent" about what their "services are actually exposing their users to." "If we don't think they've done that job well enough, we can take enforcement action, simply against that failure." - Ofcom chief executive, Dame Melanie Dawes