Ofcom has published a major consultation setting out how it expects online services to meet their legal responsibilities to protect children online under the Online Safety Act 2023 (“OSA”). The consultation comprises five volumes and 15 annexes alongside draft guidance and codes of practice. We will doubtless comment in more detail on specific elements of the consultation in the weeks ahead, but here we report on some of the headline points to consider.

The consultation offers guidance in relation to each step that an in-scope user-to-user or search service will be expected to take in order to comply with its obligations under the OSA. The first of these is to carry out a ‘Children’s Access Assessment’ to determine if children are likely to access the service. This assessment will have two stages. First, services must decide whether it is possible for children to access their service or part of it. Ofcom makes clear that the only way that a service can conclude that it is not possible for children to gain access is if it has age assurance measures that are technically accurate, robust, reliable, and fair. This would likely include, for example, photo-ID matching or facial age estimation. Measures such as requiring users to declare their age or the inclusion of contractual restrictions on the use of services by children will not be sufficient.

Once a service has concluded that children can indeed gain access, it will have to determine if a significant number of children are using the service or it is of a kind likely to attract a significant number of children. Ofcom suggests that the second of these should be the primary focus, and sets out a number of factors which might be relevant such as: whether the service provides benefits to children like entertainment or education; whether the content or design of the service is appealing to children; and whether children form part of the service’s commercial strategy. Ofcom points out that even if a service does not actively target children, it may still be likely to attract a significant number, and that whilst a “significant number” is not defined in the legislation, a relatively small number could still be significant in terms of the risk of harm. Services will then be required to record the outcome of this assessment and detail how they reached their conclusions.

Assuming they find that a significant number of children are likely to access their service, the next step is for services to complete a ‘Children’s Risk Assessment’ (separate from and in addition to an ‘illegal harms risk assessment’) to identify the risks that their services pose to children. As with the Children Access Assessment, the consultation contains guidance to help services conduct a Children’s Risk Assessment. Ofcom proposes that services follow a ‘four-step methodology’: (1) services should review the types of content that could be harmful to children; (2) they should then assess the risks of harm that children might face when they use the services; this includes considering the impact of a service’s features and characteristics that might increase the risk of harm to children, by reference to the draft ‘Children’s Risk Profiles’; (3) services should then decide on safety measures to be implemented to reduce the risk of harm to children, informed by the draft ‘Children’s Safety Codes’; and (4) services should report their risk assessment and measures via appropriate governance channels and review their effectiveness at least every 12 months.

The next phase is to put in place proportionate and effective measures to keep children safe. The consultation includes draft Children’s Safety Codes that contain over 40 such measures covering three broad areas: (1) ensuring service providers have robust governance and accountability; (2) making sure services understand their users’ ages and keep children safe though appropriate platform design choices (such as ensuring that recommender systems and content moderation systems prevent harm to children); and (3) ensuring service providers equip children and their carers with information, tools and support which are easy to use and effective in keeping children safe. Specific measures are set out in detail in relation to each of these three areas, and Ofcom suggests that “all services accessed by children – regardless of their size or risk – implement a core set of measures to protect children online”.

The consultation closes on 17 July 2024, and can be read in full here.