The Online Safety Act 2023 (“OSA”) introduces a new legal framework for companies to improve online safety for all individuals, with extra obligations in order to protect children. The OSA applies to user-to-user services and search engines both in the UK and where the service has “links to” the UK. The UK is seeking to make itself the “safest place to be online” and the OSA introduces a number of onerous duties which are supported by a range of robust enforcement powers for Ofcom.

With the OSA due to be in full force later this year, many organisations need to start taking steps towards compliance now as guidance from Ofcom has started to be released.

What does the OSA seek to do?

The OSA seeks to achieve five key objectives:

  • To increase user safety online
  • To preserve and enhance freedom of speech
  • To improve law enforcement agencies’ ability to tackle illegal content online
  • To improve users’ ability to keep themselves safe online
  • To improve society’s understanding of online threats

What are the obligations?

The OSA introduces wide-ranging duties that will apply to those in scope. Ofcom have confirmed that a range of organisations will be subject to the regime and that their duties will change according to the services they provide.

Obligations include:

  • Conducting content risk assessments
  • Taking proportionate measures to mitigate and manage risk in relation to illegal content – including taking active steps to prevent users from accessing inappropriate or illegal content
  • Introducing methods and systems to allow transparency in compliance with OSA duties
  • Operating accessible complaints procedures
  • Protecting privacy and freedom of expression
  • Offering age verification
  • Taking proportionate steps to protect children

What are the implications of non-compliance?

Ofcom will regulate the OSA and will have the power to fine organisations up to £18m or 10% of global annual turnover (whichever is the higher) for non-compliance. The OSA also introduces several new criminal offences including potential liability for senior managers who fail to take all reasonable steps to prevent an offence being committed under the new regime.

What do you need to be doing now?

Identifying whether the OSA applies to you will be critical. Whilst some companies will clearly fall within scope, there may be many which could potentially be caught depending on the services they provide and the operability of their systems. Whether any element of your business permits user-to-user interaction online will be an important question to consider.

We have developed an online questionnaire tool which will help you assess whether the OSA could apply to your business.

How can KPMG support?

We have a multidisciplinary team to support you in assessing your legal obligations and embedding compliance within your business. Ofcom have set out a roadmap, and further guidance and codes of practice will be released which will be vital to understanding more about the regulator’s expectations. We can help identify how the OSA applies to you and what your obligations will be going forward. We can support with:

  • Designing risk assessments;
  • Scoping the applicability of each OSA duty to your business;
  • Conducting ‘as is’ gap and readiness assessments;
  • Supporting with the design and implementation of robust policies, procedures and processes for each OSA duty; and
  • Introducing compliance and assurance frameworks