Tag: user generated content law

  • Ofcom’s Online Safety Act Duties: What Digital Business Owners in the UK Must Actually Do

    Ofcom’s Online Safety Act Duties: What Digital Business Owners in the UK Must Actually Do

    The Online Safety Act is now firmly in force, and Ofcom is no longer in the mood for vague promises or half-measures. If you run a digital product with user-generated content — a community platform, a marketplace, a forum, a social feature bolted onto a SaaS tool — this legislation applies to you. The question is not whether your business falls under Online Safety Act compliance obligations; for most UK digital founders, it does. The question is what you are actually required to do about it, and how quickly Ofcom will notice if you do not.

    This is not a briefing for household-name social networks. It is for the founders, product owners, and digital operators running smaller platforms who may have quietly assumed this was someone else’s problem. It is not.

    UK digital business founder reviewing Online Safety Act compliance documents at a London office
    UK digital business founder reviewing Online Safety Act compliance documents at a London office

    Who Does the Online Safety Act Actually Cover?

    The Act applies to any service that hosts user-generated content and is accessible to UK users. That scope is broad by design. Ofcom’s own guidance makes clear that this includes forums, review platforms, dating apps, messaging features, comment sections, and online marketplaces where users can post. If your product has any mechanism through which one user can publish content that another user can see, you are almost certainly in scope.

    The legislation creates a tiered structure. Category 1 services are the largest platforms — think Meta, X, YouTube. Category 2 services cover a much wider range of businesses, and this is where most UK founders sit. Within Category 2, there are further distinctions based on functionality. The practical implication: even a modest B2B community platform with a few thousand monthly active users likely has real obligations to fulfil.

    Ofcom publishes a register of Category 1 and Category 2A services, and it is worth checking whether you should be registered. Failure to register when required is itself a compliance breach.

    The Illegal Content Risk Assessment: Your First Real Obligation

    Most in-scope services are required to complete an illegal content risk assessment. This is not a box-ticking exercise. Ofcom expects you to systematically identify the ways in which your platform could be used to share or facilitate illegal content — terrorism, child sexual abuse material, fraud, hate speech, and similar categories — and to document the likelihood and potential impact of each risk given your user base and product design.

    The assessment needs to be proportionate to your service. A small professional networking community carries different risk vectors than a public image-sharing platform. But proportionality does not mean minimal effort. You need to consider your user demographics, your content moderation capabilities, your upload volumes, and the design choices that might attract bad actors.

    Once you have identified risks, you must put in place proportionate measures to mitigate them. Ofcom’s codes of practice provide detailed guidance on what those measures should look like, and while you can depart from the codes, you need to be able to demonstrate that your alternative approach achieves an equivalent standard of protection.

    Content moderation tools used for Online Safety Act compliance on a UK digital platform
    Content moderation tools used for Online Safety Act compliance on a UK digital platform

    User Reporting Mechanisms: Not Optional, Not Cosmetic

    One of the more concrete requirements is the obligation to provide users with a clear, accessible way to report content they believe is illegal or harmful. This has to actually work. A buried link in the footer that opens a broken form is not compliance. Ofcom expects reporting mechanisms to be easy to find, easy to use, and connected to a genuine review process.

    Beyond the mechanics, you need a documented process for handling reports. How quickly do reports get reviewed? Who reviews them? What happens when content is found to violate your terms or the law? What happens when it does not, and the user who reported it disagrees with your decision? These are not rhetorical questions — they are the kinds of questions Ofcom will ask if your platform comes under scrutiny.

    If your platform is likely to be accessed by children, the obligations become significantly heavier. Age assurance, age-appropriate design, and child safety risk assessments layer on top of the baseline requirements. Any founder running an education tool, a creative platform, or a consumer-facing app needs to take this seriously.

    Record-Keeping and Review Cycles

    Compliance under the Online Safety Act is not a one-time task. Ofcom expects services to keep records of their risk assessments, the measures they have put in place, and the decisions they make about content. If your platform changes significantly — new features, new geographies, a step-change in user numbers — your risk assessment should be revisited.

    Build this into your product development cycle. When you plan a new feature that changes how users interact with each other, someone in your team should be asking whether the Online Safety Act obligations need to be reviewed. This is the kind of governance discipline that separates businesses that are genuinely compliant from those that have filed a document and forgotten about it.

    The record-keeping requirement also has a practical upside: if Ofcom ever investigates, your documented evidence of a considered, proportionate approach is your best defence. An absence of records is, from a regulatory perspective, almost as damaging as an absence of measures.

    What Ofcom Enforcement Actually Looks Like

    Ofcom has real teeth here. Fines for non-compliance can reach £18 million or 10% of qualifying global turnover, whichever is greater. For larger platforms in Category 1, senior managers can face criminal liability if they fail to comply with information requests during an investigation. That second point will sharpen minds in boardrooms considerably.

    In practice, Ofcom has signalled it will begin with larger services and work down the register. But that sequencing does not mean smaller operators are invisible. Regulatory investigations can be triggered by complaints, media coverage, or a single serious incident on your platform. The regulator does not need to work through a queue in order to come to you specifically.

    The more prudent approach is to treat your compliance obligations as a genuine operational matter rather than a legal formality. Document your thinking, implement proportionate measures, and revisit them regularly. That is also, incidentally, good product practice.

    Practical Steps for Founders Who Are Not Yet Compliant

    If you have not yet completed your illegal content risk assessment, the immediate priority is to start. Ofcom’s website has detailed guidance and template frameworks that are genuinely useful starting points. Assign ownership clearly — this sits somewhere between your legal, product, and operations functions, and if it belongs to no one specifically, it will be done by no one effectively.

    Audit your user reporting mechanisms. Test them yourself. Ask a colleague who has never used the platform to try reporting something. If they struggle, your users will too, and Ofcom will not be sympathetic to usability excuses.

    If your physical workspace hosts servers or technical infrastructure, you will also have noticed that compliance culture extends into the physical environment. From hygienic flooring in data centres to documented incident response plans, regulated businesses increasingly find that operating standards touch every layer of the business, not just the software.

    Finally, consider whether you need specialist legal advice. The Online Safety Act is detailed, and the codes of practice run to hundreds of pages. For most founders, a few hours with a solicitor who specialises in digital regulation is a worthwhile investment compared to the cost of getting this materially wrong.

    The Bottom Line

    Online Safety Act compliance is not a distant concern for large tech companies. It is a live obligation for any UK digital business operating a platform where users can interact. The regime is structured, the regulator is active, and the penalties are meaningful. Founders who treat this as an operational priority rather than a legal afterthought will be in a considerably stronger position — both with Ofcom and with the users who trust their platforms.

    Frequently Asked Questions

    Does the Online Safety Act apply to small UK businesses with user-generated content?

    Yes. The Act applies to any service that hosts user-generated content accessible to UK users, regardless of company size. Even a small B2B community platform or a SaaS product with a commenting feature is likely to be in scope and should complete an illegal content risk assessment.

    What is an illegal content risk assessment under the Online Safety Act?

    It is a documented exercise in which you identify the ways your platform could be used to facilitate or spread illegal content, assess the likelihood and impact of each risk, and put proportionate measures in place to mitigate them. Ofcom provides codes of practice with detailed guidance on what those measures should look like.

    What are the fines for failing to comply with the Online Safety Act?

    Ofcom can impose fines of up to £18 million or 10% of qualifying global annual turnover, whichever is greater. For the largest Category 1 services, senior managers can also face criminal liability for failing to comply with information requests during an investigation.

    Do I need to register my platform with Ofcom under the Online Safety Act?

    Certain Category 1 and Category 2A services are required to register with Ofcom. You should check Ofcom’s published register and guidance to determine whether your platform meets the threshold. Failing to register when required is itself a compliance breach.

    How often do I need to update my Online Safety Act risk assessment?

    There is no fixed statutory interval, but Ofcom expects assessments to be kept up to date. You should review yours whenever your platform undergoes significant changes, such as new features that alter how users interact, substantial growth in user numbers, or expansion into new markets.