Ofcom's consultation on protecting children from online harms casts a wide net

Ofcom has published its second major consultation on the Online Safety Act (OSA) focusing on protecting children from harms online. Under the OSA, user-to-user and search services likely to be accessed by children have safety duties relating to content that is harmful to them. 

The starting point is to carry out a children's access assessment to establish whether or not the service is likely to be accessed by children. As with the ICO's Children's Code, the bar for accessibility is low and Ofcom anticipates most services not using highly effective age assurance will meet it. The next step of the access assessment is to work out whether the child user condition is met. This requires that one of both of the following criteria are met:

• A significant number of children are using the service; and/or
• The service is of a kind likely to attract a significant number of children.

If the child user condition is met, this kicks off a whole range of safety duties revolving around assessing and mitigating risks of harm. Ofcom's consultation provides an initial insight into how in-scope businesses will be expected to work out whether they are caught and then how to comply.

What does the consultation cover?

The consultation covers:

• How to assess whether a service is likely to be accessed by children.
• The causes and impacts of harms to children.
• How services should assess and mitigate the risks of harm to children.

In another lengthy set of documents, Ofcom provides a summary of its consultation together with documents including:

• Proposed Codes at a glance.
• Guidance on completing children's access and risk assessments (including risk profiles).
• Draft Children's Safety Codes.
• Large services guidance.

Safety measures - what will compliance look like?

Ofcom is proposing more than 40 safety measures to include:

• Robust age checks - much greater use of age assurance will be required by services which do not ban harmful content or which have a higher risk of it being shared.
• Safer algorithms - any service which operates a recommender system and is at higher risk of harmful content will be required to configure algorithms to filter out the most harmful content from children's feeds and reduce other harmful content.
• Effective moderation to enable swift action against content which is harmful to children.
• Strong governance and accountability processes.
• More choice and online support for children including clear and accessible information and provision of tools and support to children to help keep them safe.

Proportionality is key and the draft Children's Safety Codes, like the Illegal Content Codes, set out duties in relation to the type and size of service, and the level of risk (in this case as identified in the children's risk assessment and relating to the functionalities and other characteristics of the service). The most onerous obligations will apply to large, multi-risk services with large services potentially being defined as those with an average user base greater than seven million per month in the UK - approximately equivalent to 10% of the UK population.

What next?

Final guidance on children's access statements is anticipated in early 2025. Regulated services will have three months to carry out children's access assessments following publication.  If they determine their services are likely to be accessed by children and they meet the child user condition, they will then need to carry out children's risk assessments.  Ofcom plans to publish its final statement on child safety duties in spring 2025, allowing services to complete their children's access statements before the requirement to carry out children's risk assessments comes into force three months later. Also in spring 2025, Ofcom will submit the Children's Safety Codes to the Secretary of State and by this time, it plans to have published its draft guidance on protecting women and girls.

What should in-scope services do now?

Given the wide interpretation of when a service is likely to be accessed by children, in-scope services should read the consultation documents and consider responding by the deadline of 17 July 2024. 

Considering the emphasis on age assurance and recommender systems, services which anticipate being caught by the children's safety duties should begin focusing on these aspects of their services and start reviewing their governance procedures. Ofcom also recommends organisations begin calculating the number of their UK users.

See here for more on the OSA, the EU's Digital Services Act and related online safety issues.