Child safety online: Key considerations and how to make your views heard

Ofcom's consultation on child safety online includes a raft of new proposed measures for services, alongside the message that services should be taking steps now. This consultation provides a key window of opportunity to help shape market practice, raise any concerns and engage with the regulator. We also explore how the general election and/or new government might impact the online safety regime.   

October 2023 heralded a "new era for online regulation" when the Online Safety Act 2023 (the "OSA") finally became law. Since then, the regulator Ofcom has made significant steps in its "roadmap" to implementation of the OSA, with each step providing greater detail on what compliance by services will look like.

Where are we on the "roadmap" to implementation?

The latest key milestone is that, on 8 May, Ofcom published its consultation on duties in relation to content harmful to children (the "Child Safety Consultation"). This comprises "a comprehensive set" of draft codes and guidance, setting out proposed child safety measures that services should take going forward. The deadline to respond is 17 July 2024.

The Child Safety Consultation marks the start of Phase 2 (out of 3) of Ofcom's roadmap (for an overview of the various steps and consultations that Ofcom has planned, please see our briefing here.

To briefly recap, Phase 1 primarily involved consulting on duties in relation to illegal content online and proposed guidance on how services should assess and mitigate the risks of illegal harms (including 234 proposed measures which regulated services should take to comply with their illegal harms duties). This consultation closed on 23 February 2024, with final guidance expected in early 2025.  

Does the General Election and/or new government have any impact here?

The dissolution of Parliament and the pre-election period (which followed the calling of the General Election, as we explain in our blog here, 

may impact the implementation process and the timing for finalising and approving any secondary legislation or Codes of Practice envisaged under the OSA. Looking further ahead, it remains to be seen whether, when a new government is formed, its immediate legislative agenda and priorities will lead to changes in the overall timetable for implementation of the OSA. In addition, given that the OSA relies on secondary legislation and Codes of Practice/Guidance to provide the detail on implementation, it will be interesting to see whether a new government has any impact on the substance of upcoming secondary legislation/proposals. 

The OSA has also been mentioned in both the Labour and Conservative manifestos. Labour has said that it "will build on the Online Safety Act, bringing forward provisions as quickly as possible, and explore further measures to keep everyone safe online, particularly when using social media." It remains to be seen what this would mean in practice, for example, whether this will entail future amendments to the OSA to impose additional duties on services.

Overview of the Child Safety Consultation

While Phase 1 concerned illegal harms, Phase 2 focuses on legal but harmful content to children. As with the illegal harms consultation, the latest consultation is lengthy, spanning 5 volumes and nearly 1300 pages.

The Child Safety Consultation consults on detailed measures that flesh out the duties set out in the OSA in relation to child online safety. Given the level of detail and complexity in Ofcom's proposals, it will be important that organisations which are potentially affected carefully review the content of the consultation, engage with Ofgem where appropriate, and consider seeking further advice where necessary.

The key requirements discussed in the consultation include the following:

1. As required by the OSA, all in-scope services must carry out child access assessments to determine whether its services (or part of them) are "likely to be accessed by children". This criterion is fulfilled where a service (i) does not already have "highly effective age assurance" in place and (ii) the "child user condition" is met – i.e. a significant number of children are using the service or the service is of a kind likely to attract "a significant number" of children. What a "significant number" means is not defined in the OSA, however, Ofcom has proposed that it should be interpreted in the context of the service in question and that "even a relatively small number of children could be significant in terms of the risk of the harm".¹
2. For services that are likely to be accessed by children, they will need to complete a children's risk assessment and implement measures to mitigate the risks identified. As part of the Child Safety Consultation, Ofcom has provided more details on this including draft guidance on how services should complete the draft risk assessment and register of risks.
3. The next step would be for services to implement the safety measures that are proposed by Ofcom (many of which flesh out duties in the OSA). Ofcom has proposed over 40 measures in various draft Children's Safety codes for user-to-user and search services. The measures to be taken will depend on factors such as the risk of harm identified and the type of service provided. These proposed measures include the following requirements for services:

• To identify which of their users are children and use what Ofcom calls "highly effective age assurance". Ofcom has provided further detail on what criteria a service can use to determine whether or not it has highly effective age assurance in place. By way of illustration, Ofcom has stated that self-declaration of age and general contractual restrictions on the use of service by children will not be deemed to qualify as highly effective age assurance.
• To identify who their child users are and configure any algorithms which provide personalised recommendations so that they filter out harmful content from children's feeds and reduce the visibility of other harmful content. This is proposed to apply to any service which operates a recommender system and is at higher risk of harmful content.
• To have content moderation systems and processes to take down content that is harmful to children where identified.
• To have governance processes and senior body accountability and responsibility, staff policies and training. For example, all services should name a person accountable for compliance with children's safety duties.  
• To provide child users with more information, tools and support online and ensuring they can easily report content and make complaints.
• To carry out regular monitoring and reviews of the key assessments.

Importantly, Ofcom has stated that "we propose that all services accessed by children – regardless of their size or risk - implement a core set of measures to protect children online.²" The robustness and number of measures which a service will be expected to implement depends on the "category" of content harmful to children that is being targeted. Ofcom has set out a tiered system which proposes certain measures for services to implement depending on the extent to which these specified categories of harm (ie "primary priority content", "priority content" or "non-designated content") may feature on a service.

Note that "non-designated content" is a potentially wide category of harmful content which is linked with a range of proposed measures that could have far-reaching implications for services. As an example, one key question Ofcom is consulting on is whether non-designated content should include 'body image content' and 'depressive content'.

Ofcom's expectation on services to start acting in compliance

The protection of children when navigating the online world has been a focal point of the online safety regime and has received significant coverage in the press. It is therefore unsurprising that Ofcom appears keen to show that it is doing 'enough' to protect children from online harms. For example:

• Ofcom has quoted, Michelle Donelan, Technology Secretary, "To platforms, my message is engage with us and prepare. Do not wait for enforcement and hefty fines – step up to meet your responsibilities and act now.”
• Ofcom has stated, "Services cannot decline to take steps to protect children merely because it is too expensive or inconvenient…all services, even the smallest, will have to take action as a result of our proposals." (Volume 1 of the Child Safety Consultation)
• In addition to the full range of enforcement powers "to hold platforms to account", Ofcom's chief executive, Melanie Dawes, also indicated that in-scope services would be "named and shamed" for non-compliance.

According to Ofcom's "Roadmap to regulation", it is expected that services will be required to (i) complete a children's access assessment from Q2 2025, (ii) complete a children's risk assessment from Q3 2025, and (iii) comply with the "protecting children" safety duties once the children related Codes come into force in Q3 2025. Ofcom will be able to enforce against non-compliance in respect of these requirements after the latest of these deadlines for compliance (ie Q3 2025).

The opportunity to voice concerns and try to shape Ofcom's proposed measures is now

The regulator's messaging around the Child Safety Consultation therefore appears to be one which requires in-scope services to start preparing for compliance now. This is unsurprising given the amount of time that some services will need to implement the proposed measures, with more to come in Phase 3, particularly for services which find themselves categorised as higher risk for online harms.

It is also important to remember that the current consultation is a crucial juncture at which consultees can put forward their views on Ofcom's proposals. Not only does public law require that the regulator conscientiously take into account these views, but expressing such views now is important for evidencing concerns if there were to be any future challenge. 

In particular, if consultees have significant concerns in relation to specific aspects of the proposals, they should make this clear in their responses (and provide any accompanying evidence). In our briefing on tips for engaging with Ofcom in consultation and other interactions, we set out the key public law principles that might assist consultees in framing their responses most effectively. Such principles can be used by reference to both procedural concerns with the consultation process or substantive issues with the proposed measures themselves.

By way of illustration, on the substance, this might involve considering whether there are aspects of the proposals which are disproportionate in their impact. This question of proportionality is central to the OSA regime given that many of the duties on services in the OSA have an inbuilt "proportionality" requirement. For example, services have a duty to take or use "proportionate measures" relating to the design or operation of the service to effectively manage the risks of harm to children in different age groups (section 12(2)(a)). It is important for services to highlight where they consider that Ofcom's proposals are inconsistent with the proportionality requirements in the OSA.

Proportionality is also a key factor when considering aspects of the OSA regime and Ofcom's proposals which interfere with a fundamental human right (such as freedom of expression). Not only will human rights be important for consultees to consider when responding to Ofcom's latest consultation, but they are more generally a key consideration in relation to all of Ofcom's proposals and ultimately, for any challenge that might be brought in relation to Ofcom's final Codes of Practice and Guidance. We will explore some of these considerations in further detail going forward.