Skip to main content
CLOSE

Charities

Close

Corporate and Commercial

Close

Employment and Immigration

Close

Environmental, Social, and Corporate Governance

Close

Fraud and Investigations

Close

Individuals

Close

Litigation

Close

Planning, Infrastructure and Regeneration

Close

Public Law

Close

Real Estate

Close

Restructuring and Insolvency

Close

Energy

Close

Entrepreneurs

Close

Private Wealth

Close

Real Estate

Close

Tech and Innovation

Close

Transport and Infrastructure

Close
Home / News and Insights / Insights / Not just for giants – the Online Safety Act affects businesses of all sizes

Coverage of the Online Safety Act 2023 has mostly focused on the impact on tech giants like Meta and TikTok, but key parts of the Act apply to online service providers regardless of size. Those changes are due to be implemented in 2024, so what should smaller services think about now?

New duties for user-to-user (U2U) services

Businesses that provide U2U services have new duties under the Act. Broadly speaking, a U2U service is an internet-based service that allows content generated by a user to be viewed or accessed by other users. Content generated by users could include anything from messages to videos, so the definition of U2U services is deliberately wide. Ofcom’s list of examples includes:

  • video or file-sharing services;
  • messaging services;
  • marketplaces and listing services;
  • dating services;
  • gaming services;
  • discussion forums and chat rooms; and
  • fundraising services.

What do U2U service providers have to do?

U2U service providers have a host of new duties, which apply regardless of size. In summary, they will need to:

  • assess the risk of illegal content appearing on the service or that the service might be used to commit an offence or might facilitate an offence;
  • take proportionate measures in designing or operating the service to prevent users from encountering illegal content and to mitigate and manage the kinds of risks identified in its risk assessment; and
  • implement proportionate systems to minimise the length of time that priority illegal content is present on the service and swiftly remove that content once alerted to its presence.

U2U services will also need to update their terms of service to:

  • explain how users are protected from illegal content;
  • explain any proactive technology used to protect users from illegal content; and
  • ensure that the terms of service are clear and accessible. That includes informing users about their right to claim against the service provider for certain breaches of the terms.

U2U services will need to apply their terms of service consistently. They will also need to provide content reporting systems for users and a complaint handling service.

If a U2U service is likely to be accessed by children, the service provider must carry out an additional risk assessment for the risks posed to children. The service provider’s duties will also apply to a wider range of material that is harmful to children.

What is the impact on U2U service providers?

Service providers will need to get on top of their new duties. Ofcom will be responsible for regulating this area and will have the power to issue fines of up to £18 million or 10% of global annual turnover (whichever is higher) for the most serious breaches. Unlike UK GDPR, the OSA does not create a direct right for individuals to claim against service providers for breach of the duties, but some experts think that breaches of the duties might make it easier for individuals to make other sorts of claims.

The duties for U2U service providers will be phased in over 2024. Ofcom is consulting on draft guidance, which will set out how to comply with the duties, and the final guidance is expected in autumn 2024.

Service providers have time to prepare for the new duties and should think now about how to resource the compliance work. There are limited exemptions in the OSA, which put certain U2U services outside the scope of the regulations. Service providers will want to consider whether they are covered by an exemption or whether they could change their services to qualify for an exemption.

This article was first published in Tech+, a newsletter from our tech and innovation team designed to help readers unpack complex topics in the tech space and keep up-to-date with the changes across this rapidly evolving sector. Be the first to receive the next edition and subscribe here.

Related Articles

Our Offices

London
One Bartholomew Close
London
EC1A 7BL

Cambridge
50/60 Station Road
Cambridge
CB1 2JH

Reading
The Anchorage, 34 Bridge Street
Reading RG1 2LU

Southampton
4 Grosvenor Square
Southampton SO15 2BE

 

Reading
The Anchorage, 34 Bridge Street
Reading RG1 2LU

Southampton
4 Grosvenor Square
Southampton SO15 2BE

  • Lexcel
  • CYBER ESSENTIALS PLUS

© BDB Pitmans 2024. One Bartholomew Close, London EC1A 7BL - T +44 (0)345 222 9222

Our Services

Charities chevron
Corporate and Commercial chevron
Employment and Immigration chevron
Environmental, Social, and Corporate Governance chevron
Fraud and Investigations chevron
Individuals chevron
Litigation chevron
Planning, Infrastructure and Regeneration chevron
Public Law chevron
Real Estate chevron
Restructuring and Insolvency chevron

Sectors and Groups

Private Wealth chevron
Real Estate chevron
Transport and Infrastructure chevron