Not just for giants – the Online Safety Act affects businesses of all sizes
Coverage of the Online Safety Act 2023 has mostly focused on the impact on tech giants like Meta and TikTok, but key parts of the Act apply to online service providers regardless of size. Those changes are due to be implemented in 2024, so what should smaller services think about now?
New duties for user-to-user (U2U) services
Businesses that provide U2U services have new duties under the Act. Broadly speaking, a U2U service is an internet-based service that allows content generated by a user to be viewed or accessed by other users. Content generated by users could include anything from messages to videos, so the definition of U2U services is deliberately wide. Ofcom’s list of examples includes:
- video or file-sharing services;
- messaging services;
- marketplaces and listing services;
- dating services;
- gaming services;
- discussion forums and chat rooms; and
- fundraising services.
What do U2U service providers have to do?
U2U service providers have a host of new duties, which apply regardless of size. In summary, they will need to:
- assess the risk of illegal content appearing on the service, or of the service being used to commit or facilitate an offence;
- take proportionate measures in designing or operating the service to prevent users from encountering illegal content and to mitigate and manage the kinds of risks identified in its risk assessment; and
- implement proportionate systems to minimise the length of time that priority illegal content is present on the service and swiftly remove that content once alerted to its presence.
U2U services will also need to update their terms of service to:
- explain how users are protected from illegal content;
- explain any proactive technology used to protect users from illegal content; and
- ensure that the terms of service are clear and accessible. That includes informing users about their right to claim against the service provider for certain breaches of the terms.
U2U services will need to apply their terms of service consistently. They will also need to provide content reporting systems for users and a complaint handling service.
If a U2U service is likely to be accessed by children, the service provider must carry out an additional risk assessment for the risks posed to children. The service provider’s duties will also apply to a wider range of material that is harmful to children.
What is the impact on U2U service providers?
Service providers will need to get on top of their new duties. Ofcom will be responsible for regulating this area and will have the power to issue fines of up to £18 million or 10% of global annual turnover (whichever is higher) for the most serious breaches. Unlike UK GDPR, the OSA does not create a direct right for individuals to claim against service providers for breach of the duties, but some experts think that breaches of the duties might make it easier for individuals to make other sorts of claims.
The duties for U2U service providers will be phased in over 2024. Ofcom is consulting on draft guidance, which will set out how to comply with the duties, and the final guidance is expected in autumn 2024.
Service providers have time to prepare for the new duties and should think now about how to resource the compliance work. There are limited exemptions in the OSA, which put certain U2U services outside the scope of the regulations. Service providers will want to consider whether they are covered by an exemption or whether they could change their services to qualify for an exemption.
This article was first published in Tech+, a newsletter from our tech and innovation team designed to help readers unpack complex topics in the tech space and keep up-to-date with the changes across this rapidly evolving sector.