Online Safety Act 2023: Platform Duty of Care

The Online Safety Act 2023 received Royal Assent on 26 October 2023. It introduces statutory duties on online platforms operating in the UK. The Act covers:

• User-to-user services: social media (Facebook, Instagram, TikTok, X), messaging (WhatsApp where group features apply), forums, content-sharing services.
• Search services: Google, Bing, DuckDuckGo.
• Combined services (search and user-to-user features).

The Act creates three categories of duty:

• Illegal content duty — applies to all platforms. Take effective measures to prevent, remove, and report illegal content.
• Child safety duty — applies to platforms likely to be accessed by children. Risk assess, mitigate, and protect children from harm.
• Category 1 duties — apply to the largest user-to-user platforms with risk-multiplying features. Include adult user empowerment tools, transparency duties, fraudulent advertising controls.

Ofcom is the regulator. The Act came into force in stages from March 2025.

All platforms must take effective measures to:

• Prevent users from encountering "priority illegal content" — child sexual abuse material, terrorism, incitement to violence, fraud, drugs, weapons, intimate image abuse (revenge porn), threats to kill, and others listed in Schedule 7.
• Minimise the time content is present on the service before removal.
• Provide user reporting mechanisms.
• Operate effective content moderation.
• Conduct illegal content risk assessments.

The "priority illegal content" list is wide. For users, this means platforms now have a legal duty to remove much harmful content quickly. Reports through the platform's reporting tools should trigger faster response than under voluntary policies.

From March 2025 platforms must publish their risk assessments and reporting flows. Ofcom is auditing the largest platforms first.

Platforms likely to be accessed by children must:

• Risk-assess their service for harm to children.
• Mitigate identified risks proportionately.
• Protect children from "primary priority content" (pornography, content promoting suicide, self-harm, eating disorders).
• Protect from "priority content" (bullying, dangerous activities, illegal drug content, certain violent content).
• Implement age verification for adult content (from July 2025, "highly effective" age assurance required).

The age verification rules for adult content sites are among the most controversial. Major adult sites must use highly effective age verification — credit card, government ID, or third-party age verification — from July 2025. Privacy concerns are significant; users complain about identification routes.

For children: the implementation gives parents more recourse against platforms hosting harmful content. Reports through platform tools must be acted on more reliably. If a platform fails, parents can complain to Ofcom.

Platforms designated by Ofcom as "Category 1" face additional duties:

• User empowerment tools — adult users must be able to filter out content from non-verified users (a "verification" tier).
• Transparency reports — annual reports on content moderation, complaints, and outcomes.
• Fraudulent advertising controls — proactive duty to prevent paid scam advertising (a response to the financial fraud explosion).
• Compliance with codes of practice — Ofcom publishes detailed codes; following them creates a "safe harbour" for compliance.

The Category 1 designations were finalised by Ofcom in 2025. Expected to include Meta platforms (Facebook, Instagram), X (Twitter), TikTok, YouTube, Snapchat. Designation triggers significant operational changes.

Ofcom's enforcement powers:

• Information notices — requiring platforms to provide evidence.
• Confirmation decisions — finding of breach.
• Fines — up to £18 million or 10% of global turnover, whichever is higher.
• Business disruption measures — restricting payment services, blocking access (in extreme cases).
• Senior manager criminal liability — for failure to comply with information notices, providing false information, or repeated failure to act on illegal content. Maximum 2 years' imprisonment.

User-level redress:

• Platform reporting — the platform's in-service reporting tools. Should now be faster and more reliable post-Act.
• Complain to Ofcom at ofcom.org.uk for systemic platform failures.
• Civil action — under existing torts: defamation, harassment, malicious falsehood, breach of statutory duty. The OSA itself does not create a new private right of action — but users can rely on the OSA duties as evidence in other claims.
• Police for criminal content — call 101 or 999, or report online for cybercrime.