UK’s internet watchdog finalizes first set of rules for Online Safety law
07:02 Share

This is TechCrunch. This episode is brought to you by Factor.

Notice how the days are shorter but your to-do lists aren't? Here's a trick: Factor. From breakfast to dinner and anything in between, Factor has easy, nutritious options to keep you fueled and feeling your best. My box at Factor is on its way and it could not get here sooner. I'm so excited because you get to choose from six menu preferences to help you manage calories, maximize protein intake, or avoid meat, or simply eat a well-balanced diet.

Whether you like routine or you enjoy mixing things up, Factor has you covered with 35 different delicious meals every week and over 60 additional convenience options you can add to your box like keto cookies, pressed juices, and smoothies.

Don't let shorter days slow you down. Stay energized with America's number one ready-to-eat meal delivery service. Head to factormeals.com slash 50TCIndustry and use code 50TCIndustry to get 50% off your first box plus free shipping. That's code 50TCIndustry at factormeals.com slash 50TCIndustry to get 50% off your first box plus free shipping while your subscription is active.

On Monday, the UK's internet regulator Ofcom published the first set of final guidelines for online service providers subject to the Online Safety Act. This starts the clock ticking on the sprawling online harms law's first compliance deadline, which the regulator expects to kick in in three months' time.

Ofcom has been under pressure to move faster in implementing the online safety regime following riots in the summer that were widely perceived to have been fueled by social media activity, although it is just following the process lawmakers set out, which has required it to consult on and have Parliament approve final compliance measures.

This decision on the illegal harms codes and guidance marks a major milestone, with online providers now being legally required to protect their users from illegal harm, Ofcom wrote in a press release. Providers now have a duty to assess the risk of illegal harms on their services

with a deadline of March 16, 2025. Subject to the codes completing the parliamentary process from March 17, 2025, providers will need to take the safety measures set out in the codes or use other effective measures to protect users from illegal content and activity. We are ready to take enforcement action if providers do not act promptly to address the risks on their services, it added.

According to Ofcom, more than 100,000 tech firms could be in scope of the law's duties to protect users from a range of illegal content types. In relation to the over 130 priority offenses the act sets out, which cover areas including terrorism, hate speech, child sexual abuse and exploitation, and fraud and financial offenses.

Failure to comply risks fines of up to 10% of global annual turnover or up to £18 million, whichever is greater. InScope firms range from tech giants to very small service providers with various sectors impacted including social media, dating, gaming, search and pornography. The duties in the Act apply to providers of services with links to the UK regardless of where in the world they are based.

The number of online services subject to regulation could total more than 100,000 and range from some of the largest tech companies in the world to very small services, wrote Ofcom. The codes and guidance follow a consultation with Ofcom looking at research

and taking stakeholder responses to help shape these rules since the legislation passed Parliament last fall and became law back in October 2023. The regulator has outlined measures for user-to-user and search services to reduce risks associated with illegal content. Guidance on risk assessments, record-keeping, and reviews is summarized in an official document which is linked in the text version of this article.

Ofcom has also published a summary covering each chapter in today's policy statement. The approach the UK law takes is the opposite of one-size-fits-all, with generally more obligations placed on larger services and platforms where multiple risks may arise compared to smaller services with fewer risks.

However, smaller, lower-risk services do not get a carve-out from obligations either. And, indeed, many requirements apply to all services, such as having a content moderation system that allows for swift takedown of illegal content, having mechanisms for users to submit content complaints, having clear and accessible terms of service, removing accounts of prescribed organizations, and many others.

Although many of these blanket measures are features that mainstream services, at least, are likely to already offer. But it's fair to say that every tech firm that offers user-to-user or search services in the UK is going to need to undertake an assessment of how the law applies to their business –

at a minimum, if not make operational revisions to address specific areas of regulatory risk. For larger platforms with engagement-centric business models, where their ability to monetize user-generated content is linked to keeping a tight leash on people's attention, greater operational changes may be required to avoid falling foul of the law's duties to protect users from myriad harms.

A key lever to drive change is the law introducing criminal liability for senior executives in certain circumstances, meaning tech CEOs could be held personally accountable for some types of noncompliance.

Speaking to BBC Radio 4's Today program on Monday morning, Ofcom CEO Melanie Dawes suggested that 2025 will finally see significant changes in how major tech platforms operate. What we're announcing today is a big moment, actually, for online safety because in three months' time, the tech companies are going to need to start taking proper action, she said. What are they going to need to change? They've got to change the way the algorithms work. They've got to test them so that illegal content like terror and...

and hate, intimate image abuse, lots more, actually, so that doesn't appear in our feeds. And then if things slip through the net, they're going to have to take it down. And for children, we want their accounts to be set to be private so they can't be contacted by strangers, she added.

That said, Ofcom's policy statement is just the start of it actioning the legal requirements, with the regulator still working on further measures and duties in relation to other aspects of the law, including what Dawes couched as wider protections for children that she said would be introduced in the new year. So, more substantive child safety-related changes to platforms that parents have been clamoring to force may not filter through until later in the year.

In January, we're going to come forward with our requirements on age checks so that we know where children are, said Dawes. And then in April, we will finalize the rules on our wider protections for children. And that's going to be about pornography, suicide and self-harm material, violent content, and so just not being fed to kids in the way that has become so normal but is really harmful today.

Ofcom's summary document also notes that further measures may be required to keep pace with tech developments such as the rise of generative AI, indicating that it will continue to review risks and may further evolve requirements on service providers. The regulator is also planning crisis response protocols for emergency events such as last summer's riots, proposals for blocking the accounts of those who have shared CSAM, child sexual abuse material, and guidance for using AI to tackle illegal harms.