The Online Safety Act 2023 (the Act), aims to protect people online, particularly children, and places more responsibility on online media platforms and search engines, which now have new legal duties to protect users’ safety on their platforms. This includes a duty to undertake risk assessments to identify illegal content or harmful material and to take appropriate risk mitigation and prevention measures. In turn, the Office of Communications (Ofcom) has been assigned the role of independent regulator of online safety. To assist it in this role, Ofcom has been granted significant powers to assess and enforce online providers’ compliance with the new framework. 

As a result of its expanding remit under the Act, Ofcom has been growing its enforcement division. Indeed, in a recent interview, Suzanne Cater, Ofcom’s enforcement director, confirmed that “2025 is the year of action…This is where we’re really going to see a huge uptick in that [enforcement] work.” 

This alert outlines Ofcom’s future approach to enforcement and recommends how businesses can best respond to avoid enforcement measures. 

ENFORCEMENT ACTION

The Act has granted Ofcom various powers to strengthen its oversight and enforcement of the new online safety regime. Possible enforcement action includes:

• Imposing fines of up to £18m or 10% of a service provider’s worldwide revenue (whichever is greater).
• Gaining court orders that impose “business disruption measures,” which may withdraw, or limit access to, online services in the United Kingdom.

Furthermore, the Act imposes criminal offences on those that refuse to comply with an information notice or fail to take compliance action specified in an Ofcom decision regarding child safety. In such instances, directors and senior managers may be criminally liable. Although Ofcom does not expect to have to use these new criminal powers until 2026, Cater has made clear that it “won’t hesitate to use them if it’s necessary.”

Where required, Ofcom may give companies the choice to either collaborate or to face formal enforcement action. Cater described this as the “last chance saloon – you can fix it now or we will take enforcement action.” 

Ofcom will not tolerate businesses that are not prioritising safety and will “drag them kicking and screaming into compliance if [they] have to.” 

A PREFERENCE FOR COLLABORATION…BUT NOT A NECESSITY 

Ofcom hopes to coordinate with businesses to help them understand online harms, what factors increase the risks of harm and what businesses should do to remain compliant with the new rules. Over the course of the next year, Ofcom will publish various Codes of Practice and guidance on how companies can implement and comply with their duties.

If uncertain, Ofcom encourages companies to engage in collaborative and constructive discussions to assist with compliance. Its preference is “always for voluntary compliance” and it has a “bias against intervention.” 

Nonetheless, whilst the regulator has made clear that collaboration is a preference, it is not a necessity, and it will not shy away from enforcement action where needed. Cater clarified that where the team “come[s] across services who are not willing to engage with us, who are not willing to accept there’s a problem, who are putting profits above safety and just not caring about their users, they’re going to have a very different experience.”

Dame Melanie Dawes, Ofcom’s Chief Executive, echoed such sentiments when stating: “[Ofcom has] already engaged constructively with some platforms and seen positive changes ahead of time, but our expectations are going to be high, and we’ll be coming down hard on those who fall short.”

It is clear, therefore, that if Ofcom identifies a failure in compliance with online safety requirements, it will not hesitate to launch enforcement action. 

OFCOM’S TARGETED ENFORCEMENT 

Ofcom expects its early enforcement action to focus on:

• Ensuring businesses introduce and maintain adequate risk assessments; 
• Implementing measures that are most effective in protecting users, particularly children, from serious harm; and 
• Initiating broader sector-wide compliance programmes to address any systemic issues that may arise as key safety duties are implemented. 

Cater communicated that Ofcom’s intentions are to “find those cases which resonate across the sector, which have a huge impact.” 

This is demonstrative of Ofcom’s commitment to its role as online safety regulator and its dedication to tackling those online safety issues that are of greatest concern. 

WHAT DOES THIS MEAN FOR BUSINESSES? 

Businesses that operate online platforms and search engines should be reassured by Ofcom’s anticipated collaborative approach and incentivised into early engagement with the regulator if they are unsure about their duties but wanting to remain compliant. This open approach presents an opportunity for online providers to understand the new rules, ask for guidance and implement changes where necessary to avoid enforcement action. 

However, businesses should not exploit this approachable style and mistake it for a light touch method of enforcement. Ofcom has been clear that it intends to cast a wide net to target significant online harm. It has specified that it will not hesitate to use its enforcement powers where necessary, which could result in significant financial, legal and reputational consequences for businesses found to be in breach of their online safety duties.