Check if the Online Safety Act applies to you
If you or your business provides an online service, like a website or app, then the Online Safety Act might apply to you.
The Act introduces new rules for providers of online services to help keep people in the UK – especially children – safe from illegal and harmful content online.
When deciding if the rules apply to you, there are three important questions to consider:
- Does your service have links with the UK?
- Do you provide a relevant service?
- Do any exemptions apply to your service?
If your answer to the first two questions is yes, and no exemptions apply, then it's likely that the new rules apply to your service.
An online service is a service made available over the internet.
For example, this could be a website or app that's made available over the internet. Or it could be a service tha's partly made available over the internet, and partly over an electroniic communications service (like the public switched telephone network). The service can be accessed through a mobile app or an internet web browser.
The legal requirements can apply to all of your service, or just the parts of it that are covered by the Act.
Does your service have links with the UK?
Your online service has links with the UK if:
- UK users are a target market for your service; or
- it has a significant number of UK users.
A 'UK user' is anyone based in the UK who visits or interacts with your service. You might call them a customer, client, subscriber, visitor or something else.
A user could be an individual or an entity (like an organisation). It doesn't matter if they've registered with you (i.e. created an account) or not.
UK as a target market
There are a variety of factors which could mean the UK is a target market for your online service. The UK is likely to be a target market if you direct your service towards UK users in the way you design your service, promote your service, receive revenue from your service, or in any other way.
A target market is a specific group of people (or organisations) that you are aiming your service toward. The UK could be a target market for a range of reasons, for example your service:
- is designed for UK users;
- is promoted or marketed toward UK users;
- generates revenue from UK users either:
- directly (e.g. via subscriptions or sales); or
- indirectly (e.g. through advertising to UK users, including people or organisations);
- includes functionalities or content that is tailored for UK users; or
- has a UK domain or provides a UK contact address and/or telephone contact number.
Even if the UK is not a target market, your service will still have links to the UK if any part of it has a significant number of UK users.
Significant number of UK users
UK users can be individuals or entities (e.g. organisations), and users of a service include both registered and unregistered users of the service.
For the purpose of counting UK users, you do not need to include any of your employees and contractors or third-party workers, who may access the service in the course of their work for you.
You should count only those users who have actually engaged with the service. For a search service this would be such users who have submitted a search query.
Whatever methodology you use to calculate user numbers, it must be consistent with the definition of users as set out under the Act.
The Act does not set out how many UK users is considered “significant”. You should be able to explain your judgement, especially if you think you do not have a significant number of UK users.
Note: a user-to-user service or a search service will also have links with the UK if the service is capable of being used by individuals within the UK and there are reasonable grounds to believe that there is a material risk of significant harm to individuals in the UK presented by:
- for a user-to-user service, the user-generated content on the service, or
- for a search service, from the search content of the service.
Do you provide a relevant service?
The rules apply to services where:
- users can create and share content, or interact with each other (the Act calls these ‘user-to-user services’);
- users can search other websites or databases (‘search services’); or
- you or your business publish or display pornographic content.
The rules only apply to relevant parts of these services: the parts where users can encounter content generated, uploaded or shared by other users; search multiple websites and databases; and encounter relevant pornographic content. All other parts of a service are not covered by the rules.
Imagine you run a retail website where users can buy your products. This isn't relevant, because there's no way for users to interact with each other.
But what if the same website has a chat forum, where users can write messages to each other? This is relevant, because you're allowing users to interact with each other. So, you should only consider the forum bit when referring to the 'service'.
User-to-user services
A user-to-user service is an online service that allows its users to interact with each other. This includes the ability to generate, upload or share content, such as images, videos, messages or comments, with other users of that online service.
User-to-user services include online services that allow private messaging between users.
To give only a few examples, a 'user-to-user' service could be:
- a social media site or app;
- a photo- or video-sharing service;
- a chat or instant messaging service, like a dating app; or
- an online or mobile gaming service.
What we mean by 'users'
A 'user' is anyone based in the UK who visits or interacts with your service. You might call them a customer, client, subscriber, visitor or something else.
A user could be an individual or an entity (like an organisation). It doesn't matter if they've registered with you (i.e. created an account) or not.
What we mean by 'user-generated content'
Under the Act, 'content' means anything communicated using an online service, whether publicly or privately, including written material or messages, oral communications, photographs, videos, visual images, music and data of any description.
'User-generated content' is any content that is generated by the user (either directly on the service or uploaded/shared from elsewhere) that can be encountered by other users.
However, certain types of content are exempt from being regulated user-generated content. We cover these types later.
It doesn’t matter if content is actually posted or shared with another user, as long as a service has the functionality that allows such sharing. It also doesn’t matter what proportion of content on a service is user-generated content.
Content generated through a generative AI (Gen AI) service or tool could also be user-generated content, where a user uploads such content on to a user-to-user service and it can be encountered by other users of that service. Equally, where a user embeds a Gen AI enabled bot on a user-to-user service, content created by that bot would also be user generated content, where it can be seen or shared with other users of that service.
Search services
A search service is an online service that is (or includes) a search engine. A search engine is something that allows a user to search more than one website and/or database.
However, if your online service only searches one website or database, then it does not count as a search service. For example, having a search bar on your website, to help users find content on that website, wouldn't count.
Some online services use or embed a search engine provided by a third party (this is known as a plug-in). If your service has embedded a search engine that a third party controls, not you, then the rules on search services are likely to apply to the third party instead.
Under the Act, a search engine is a service or functionality which enables users to search at least more than one website and/or database or, in principle, to search all websites and/or databases.
This includes 'vertical' search engines. These are focused on a specific topic, or a type of content. For example, a search engine that only indexes academic articles from some websites or databases would be in scope. Similarly, comparison websites that provide results from many different websites or databases are considered search services.
A GenAI model could constitute a search service where it enables the search of more than one website or database, for example via plug-ins (in a GenAI model, a plug-in is a software add-on that enhances the model’s functionalities by allowing access to external or partner sources of data, beyond the original training dataset).
Publishing or displaying pornographic content
The Act defines 'pornographic content' as content that was produced solely or principally for the purpose of sexual arousal. This only includes audio, image and video content. It does not include text or written content.
Different parts of the Act will apply depending on whether the pornographic content is published or displayed by the provider of the service, or generated by a user.
The Act covers services that feature 'provider pornographic content'. This means pornographic content that the provider (or someone acting on their behalf) publishes on their own service.
This is different from 'user-generated content', which (as explained above) is content that the user creates -- either directly on the service or by uploading/sharing from elsewhere.
Provider pornographic content also includes content that is published or displayed on the service by means of software, automated tools, or algorithms. It could even include you adding, to your service, the thumbnail of an image or video that is hosted on a third party's server.
Do any exemptions apply to your service?
Some types of user-to-user service are exempt from the Act. Generally, this is either because:
- there are limits to the ways users can communicate on your online service; or
- there are limits to the type of content users can generate or share on your online service.
Other services are exempt because they are internal business services, or services provided by a public body, education or childcare provider.
Exemptions based on the type of content
Your online service will be exempt if the only way users can communicate on your online service is by email, SMS, MMS and/or one-to-one live aural communications.
It will also be exempt if users can only interact with content that you (the provider of the service) publish. This interaction could be comments, likes or dislikes, ratings and reviews (including with emojis and symbols).
For example, if you only allow users to comment on blog posts you put on your website, or review the goods or services you sell, then the exemption would apply. But it wouldn't apply if a user can interact with content that another user generates.
Under the Act, 'content' means anything communicated using an online service, whether publicly or privately, including written material or messages, oral communications, photographs, videos, visual images, music and data of any description.
'User-generated content' is any content that is generated by the user (either directly on the service or uploaded/shared from elsewhere) that can be encountered by other users.
The following types of user-to-user services, are exempt from regulatory duties under the Act: i) certain forms of direct communication services; and ii) services with limited user-interaction functionality.
Certain forms of direct communication services
A service is exempt if the only user-generated content enabled by the service is e-mail, SMS, MMS or one-to-one live aural communication.
One-to-one live aural communications means communication consisting solely of real time speech or other sounds between two users of the service by means of the service, including any identifying content of the users. It includes, for example, live Voice over Internet Protocol (VoIP) calls.
Services with limited user-interaction functionality
A service is exempt if the only way users can communicate on it is by posting comments or reviews on the service provider’s content. Provider content is any content that is published on a service by the service provider or someone acting on their behalf.
For example, this would exempt online services where the only content users can upload or share is comments on media articles you have published, or reviews of goods and services your business provides.
This exemption includes features which allow users to share comments or reviews made on provider content on your service, onto another online service (for example, users sharing a review of a news article or an online game, made on your service onto a social media site).
It also includes expressing views on other users’ comments or reviews about provider content. These views can be expressed through likes, emojis or symbols of any kind, engaging in a yes/no voting or rating or scoring of the content in any way.
In contrast, user comments or reviews on user-generated content would be in scope of the Act. This includes user reviews or comments on third party sellers offering goods or services on online marketplaces.
Exemptions based on the type of service
Your service will be exempt if:
- it is an internal business service, including services such as business intranet, content management systems, or customer relationship management systems;
- it is provided by a public body, such as Parliament, a UK public authority, or foreign government; or
- it is provided by an UK education or childcare provider.
Internal business services
A user-to-user or search service would be exempt if it is an ‘internal business service’. This exemption covers services like business intranets, productivity and collaboration tools, content management systems, customer relationship management systems and database management systems.
Services provided by public bodies
A U2U or search service would be exempt if the provider of the service is a public authority and the service is provided in the exercise of its public functions only. This exemption covers services provided by UK Parliament, devolved legislatures (such as Scottish Parliament, Senedd Cymru and the Northern Ireland Assembly) and foreign governments, as well as services provided by public bodies in and outside of the UK.
Services provided by UK education and childcare providers
A U2U or a search service is exempt if it is provided by an education or childcare provider in the UK as described in the Act (Part 2 Schedule 1), and for the purpose of education and childcare.
I think the rules will apply to me – what next?
Most of the new rules will only come into force in late 2024. But if you think they'll apply to you, here are some things you can start doing now:
Subscribe to updates from us
If you subscribe to email updates, we'll send you the latest information about how we regulate. This includes any important changes to what you need to do. You'll also be the first to know about our new publications and research.
Give your views on how we regulate illegal harms
We're consulting on how businesses need to protect their users from illegal harms online. We expect these requirements to come into force in late 2024. Respond to the consultation before it closes on 23 February 2024, to share your views and evidence. Your input will shape our decisions.
Read more about our approach to implementing the Act
Ofcom will implement the new rules in three phases. We explain each phase fully in our approach document.
If you receive an information request from us, respond to it
We'll send you a request for information (or 'information notice') if we need it from you as the regulator. If you get a request, you are legally required to respond to it – and we could take enforcement action against you if you don't. Find out more.