Children's Online Safety

The Online Safety Act 2023 imposes specific duties on platforms that are "likely to be accessed by children" (under 18). These platforms must:

• Complete a children's risk assessment to identify and evaluate risks to children, including harmful content, contact with adults, and conduct risks (cyberbullying, grooming).
• Implement safe design measures to mitigate identified risks — for example, preventing algorithmic recommendation of harmful content to children.
• Prevent children from accessing primary priority harmful content — including pornographic content and content that promotes eating disorders, self-harm, or suicide.
• Apply age assurance — proportionate measures to verify or estimate a user's age to restrict access to harmful content.
• Provide an accessible, effective complaints process for users, including children and parents.

The ICO's Age Appropriate Design Code (Children's Code) applies to online services likely to be accessed by children in the UK. Services must:

• Apply the highest privacy settings by default for child users — geolocation, direct messaging, and public profile settings should be off by default.
• Not use nudge techniques to encourage children to share more personal data than necessary or to spend more time on the platform.
• Not use children's data in ways that are detrimental to their wellbeing — for example, algorithmic personalisation that increases anxiety or exposure to harmful content.
• Provide clear, transparent privacy information in plain language appropriate for the age group.
• Not collect more personal data than is necessary for the service.

The ICO can investigate platforms that fail to comply and impose fines up to £17.5 million or 4% of global turnover.

As a parent, you have several options if you are concerned about your child's online safety:

• Use parental controls — most devices and internet service providers offer parental control tools to restrict access to certain types of content. The UK's major ISPs (BT, Virgin Media, Sky, TalkTalk) provide free parental control filters.
• Report concerns to platforms via their reporting mechanisms — platforms must have accessible complaints processes under the OSA 2023.
• Complain to Ofcom if a platform is not complying with its Online Safety Act duties — Ofcom can investigate and take enforcement action.
• Exercise UK GDPR rights on behalf of your child — as a parent you can submit SARs and erasure requests on behalf of children under 13 (or under 18 where the child lacks capacity to act for themselves).

If your child has been harmed online:

• Online grooming or sexual exploitation: Report to the police (999 if immediate danger, 101 otherwise) and to the Child Exploitation and Online Protection Command (CEOP) at ceop.police.uk.
• Cyberbullying: Report to the platform and, if serious or persistent, to the school and police. The Diana Award's Anti-Bullying Pro programme and Childline (0800 1111) provide support.
• Exposure to illegal content: Report child sexual abuse material (CSAM) to the Internet Watch Foundation at iwf.org.uk. Report other illegal content to the platform and, if serious, to the police.
• Harmful algorithmic recommendations: Report to Ofcom if a platform's recommendation algorithm is exposing children to content that causes harm.