Late last year, the Online Safety Act (OSA) finally became UK law. Ever since, organisations have been working through the complex categorisation requirements along with other forthcoming requirements. See our previous materials for more details on who the rules apply to, the key obligations, and the consequences of non-compliance. See also our dedicated web page to follow the latest announcements and developments.
One of the hottest topics in the OSA is the obligations relating to child safety. Ofcom recently published its third consultation, which focuses specifically on the duties to protect children. We summarise the key components of the consultation, including the draft access assessment and risk assessment guidance, and the children’s safety codes, below.
Why has this consultation been published?
In addition to the wider measures required to address illegal harms (which invariably also seek to protect child users), the OSA sets out a number of specific requirements for in-scope services that reflect the particular risks of harm to children.
The very detailed codes and guidance (all five volumes and 15 annexes of them) set out in the consultation outline Ofcom’s expectations as to how to comply with the core duties, including: (1) how platforms should determine whether children are likely to access their services, (2) for services likely to be accessed by children, how services should assess and manage the risks of harm to children, and (3) what measures they should take or use to prevent or minimise children’s exposure to harmful content.
Having trouble knowing where to start? The 25-page summary of the overall duties is a good entry point.
What are the key obligations and what does the consultation propose?
There are various key obligations, which can be broadly broken down into three different stages. We summarise each stage below.
Step 1: Children’s access assessment and guidance
All services in scope of the OSA are required to carry out children’s access assessments to determine whether their service, or a part of their service, is likely to be accessed by children under the age of 18. This consists of two parts:
- Firstly, the service provider must determine whether it is possible for children to access the service or a part of it; and
- Secondly, the service provider must determine whether the child user condition is met.
The key for part 1 is that service providers may only conclude that access by children is not possible if a highly effective age verification or age estimation system is used on the service. Ofcom proposes four criteria for measuring effectiveness, being (1) technical accuracy, (2) robustness, (3) reliability, and (4) fairness. Whilst the guidance itself does not mandate a particular approach, it does provide examples of methods that could be considered highly effective (e.g., photo-ID matching, credit card checks, digital identity wallets, and facial age estimation) and those that will not suffice (e.g., self-declaration and general contractual restrictions). Although the consultation on the specific duties on service providers that display or publish pornographic content on their services is separate, it offers similar guidance, including proposed “highly effective” thresholds.
Moving on to part 2, the child user condition is met if either a significant number of children are users of the service or part of it, or the service or part of it is of a kind likely to attract a significant number of users who are children. Service providers need to consider who is actually using the service, rather than who the intended users are. Ofcom proposes to interpret “significant number” as a number that is material in the context of the service in question, meaning a relatively small number of children could in fact be considered significant relative to each service. It is not a quantitative threshold. The guidance also proposes a non-exhaustive list of factors that may indicate whether a service is of a kind likely to attract a significant number of users who are children, including whether the service benefits children, the content on the service, the design of the service, and the business model. Thankfully, some example case studies are included to help service providers reach a conclusion.
The result of all the above is that:
- If a service provider concludes that it is not possible for children to access their service, then they need to collate and record evidence to support this. Assessments should be reviewed at least annually.
- However, if the service provider concludes that it is possible for children to access the service, they must proceed to steps 2 and 3.
Step 2: Children’s risk assessment and guidance
Whilst the access assessment in step 1 should be relatively straightforward for most services, conducting a “suitable and sufficient” – Ofcom’s own words – children’s risk assessment may be more complex.
Ofcom has set out in Volume 4 of the consultation the key parts of this risk assessment, which follows the same broad structure as the illegal harms assessment proposals. More specifically, service providers should:
- Carry out a four-step risk assessment methodology, which involves: (1) understanding the harms of the content; (2) assessing the risks of harm; (3) deciding on measures, implementing them, and keeping a record of actions taken; and (4) reporting, reviewing, and updating the risk assessment.
- Consult the Children’s Risk Profiles, which are guidance documents that outline the risk factors and levels associated with different kinds of harmful content for services and are intended to be used as yes/no checklists.
- Consider the user base, especially the number and age of children who use the service, and assign a risk level of low, medium, or high to each kind of harmful content, based on the risk level table (see Annex 6). Ofcom categorises children into four age groups: 0-5, 6-9, 10-12, and 13-17.
- Use both “core” and “enhanced” evidence inputs, such as data, research, user feedback, and expert advice, to inform the risk assessment, with enhanced inputs recommended for services in a more complex risk environment.
- Consider numerical values and thresholds, such as the number of monthly UK users who are children, the impact of harm to children, and the significance of a change to the service, when conducting, reviewing, and updating the risk assessment.
Service providers must keep a written record of each risk assessment (although the exact format is not prescribed) and must summarise the findings in the terms of service or a public statement. Assessments must be reviewed and updated at least annually, or whenever a significant change is made to the design or operation of a service. Many service providers will want to dig out and refer to their Children’s Code (aka Age-Appropriate Design Code) assessments for information and consistency.
Step 3: Safety measures to protect children online – what does the code of practice say service providers have to do?
Based on the determination of the risk assessment, the safety codes recommend different measures for different types of services depending on the size, capacity, and risk level (low, specific, or multi) of a service. These are broadly divided into seven categories: recommender systems, terms of service and publicly available statements, user support, search moderation, governance and accountability, content moderation, and age assurance.
Key examples of measures include:
- Recommender systems measures (RS1-RS3) aim to prevent or reduce the exposure of children to harmful content through the algorithms that suggest content to users. These measures include filtering out content likely to be primary priority content (PPC) from recommender feeds of children, reducing the prominence of content likely to be priority content (PC) from recommender feeds of children, and providing children with a means of expressing negative sentiment to influence their recommender feeds.
- Terms of service and publicly available statements measures (TS1-TS3) require service providers to provide clear and accessible information to users about how they protect children from online harms. These measures include terms and statements regarding the protection of children containing all information mandated by the OSA, terms and statements regarding the protection of children being clear and accessible, and terms and statements for Category 1 and 2A services containing the findings of the service provider’s most recent children’s risk assessment. Additionally, a new measure (6AA) requires terms and statements for Category 1 and 2A services to contain the findings of the service provider’s most recent illegal content risk assessment. See more on the additional duties for ‘categorised’ online services at ofcom.org.
- User support measures (US1-US6) aim to empower children and their parents or carers to manage their online interactions and access support when needed. These measures include group chat invites, blocking and muting users, disabling comments, supportive information when restricting interactions, signposting to support, and age-appropriate user support materials.
- Search moderation measures (SM1-SM7) apply to search services that enable users to find content online. These measures aim to prevent or reduce children’s exposure to harmful content through the search function. They include reporting predictive search suggestions and crisis prevention information for search requests.
- Governance and accountability measures (GA) apply to large U2U and search services that have a high potential for online harms. These measures aim to ensure proper governance and accountability in protecting children online. They include various requirements for service providers to conduct risk assessments, appoint responsible persons, publish transparency reports, cooperate with regulators, and implement effective complaint mechanisms.
- Content moderation measures (CM1-CM7) apply to U2U services that enable users to upload, share, or view content created by other users. These measures aim to ensure effective content moderation to protect children from harmful content. They include various requirements for service providers to remove or restrict access to illegal, harmful, and priority content, as well as to provide clear and consistent moderation policies, processes, and outcomes.
- Age assurance measures (AA1-AA6) apply to U2U services that enable users to access harmful content. These measures aim to use highly effective age assurance (HEAA) to prevent children from accessing harmful content. They include various requirements for service providers to use HEAA methods, such as identity verification or age estimation, to determine the age of users and to apply appropriate measures based on the age of the user and the nature of the content.
One key point to note is that measures are voluntary but recommended by Ofcom, meaning that, if service providers were to put these measures in place (as applicable), then they would meet their obligations under the OSA. Service providers can choose to implement other child protection measures, but only if they can justify how those alternative measures amount to compliance.
What are the next steps and the timeframe?
Clearly, there is a lot of information to digest in the draft guidance, but when do the duties actually become enforceable? The consultation closes on 17 July 2024 (so there’s still time for service providers to get their responses in). After that, the main duties will only apply once the guidance and codes of practice are finalised.
The key dates are:
- Ofcom is expected to finalise the children’s access assessment guidance in Q1 2025, and service providers will need to complete the assessment within three months of the final guidance being published (i.e., in Q2 2025).
- The safety duties are expected to take full effect by Q3 2025, and the first children’s risk assessment will need to be completed within three months of the final guidance being published (if applicable).
The documentation is mammoth in volume and undoubtedly daunting. Also, given that it is still only in draft form, some changes can still be expected. However, work can start now since the high-level obligations, structure for assessments, and core areas of risk focus will not change. Service providers may wish to explore how their services will be classified based on the existing draft and consultation documentation and can also begin to look at the recommendations that are applicable across all services. It might then be helpful to map out existing practices and compare them against what is in the consultation to identify any gaps that may need to be filled.
In-depth 2024-120