Online platforms face child access assessment deadline this April

Gemma Erskine of Pinsent Masons was commenting ahead of a forthcoming compliance deadline under the UK’s Online Safety Act (OSA).

The OSA requires all regulated user-to-user (U2U) and search services (together, Part 3 services) to carry out a children’s access assessment. Ofcom, the regulator under the OSA, has stipulated that that assessment must be completed by 16 April.

Last month, Ofcom issued guidance in relation to the children’s access assessments to assist providers of in-scope services in assessing whether those services are likely to be accessed by children. Ofcom will publish its guidance on child risk assessments and children’s safety codes of practice in April of this year. Services that determine, following the children’s access assessment, that their service is accessible to and likely to be used by children must then complete a children's risk assessment and will have until July 2025 to comply with their duties under the OSA in relation to content that is likely to be harmful to children.

Enforcement in relation to child safety duties can begin three months after the publication of Ofcom’s children’s risk assessment guidance due in April. Ofcom can begin enforcement from July. Based on Ofcom’s activity to date on online safety work under the Communications Act 2003, Erskine expects it to be an active regulator.

The access assessment is a two-step process. Providers of relevant services must firstly assess whether it is possible for children to normally access their service. Secondly, they must assess whether there is a significant number of children who are users of the service or the services are of a kind likely to attract a significant number of children. If both steps are satisfied, the risk assessment obligations are triggered.

According to Ofcom’s guidance, a provider can only conclude that it is not possible for children to access its service if they are using age assurance with the result that children are not normally able to access the service. It said only ‘highly effective age assurance’ (HEAA) is suitable for this purpose. Where services do have age assurance in place, providers must assess whether this age assurance is highly effective. Separate HEAA guidance was issued by Ofcom last month to assist with this assessment. Ofcom expects that most services that are not using highly effective age assurance will be required to comply with the children’s safety duties.

Ofcom has provided a non-exhaustive list of factors that providers should consider when assessing whether a service is “likely” to attract a “significant number” of children. These include whether the service provides benefits to children; whether the content on a service is appealing to children; whether the design of the service is appealing to children; whether children form part of the service’s commercial strategy; and if there is any evidence of use by children from internal or external sources – such as internal reporting and statistics on removing users who are under 18, or third-party market research that has been undertaken.

Ofcom provided examples of the type of content which it considers may appeal to children. This encompasses content related to popular culture, creative activities, games and sports, health challenges and support, as well as educational learning and knowledge. The regulator also explained that if a service includes information in its terms and conditions that children are permitted to use the service and how they may do so, then it is reasonable to assume that the service is likely to attract a significant number of child users.

In considering whether the service is likely to attract a significant number of children, Ofcom also stressed that providers should have regard to the fact that children are often attracted to services not marketed towards them.

The OSA itself does not specifically define what constitutes a “significant number” of child users. However, it does state that “significant” can refer to a number that is proportionate to the total number of UK users of a service. Even a relatively small number or percentage of children could be considered significant. The ICO's 'likely to be accessed by children' guidance, updated in October 2023, closely resembles the draft OSA guidance and could be beneficial for service providers to consider in tandem, according to Erskine.

Ofcom has acknowledged that it may be challenging to count how many children are accessing a service, but it does require recorded evidence. This could be qualitive evidence to show children do not access the site, such as through advertising data, internal evidence such as complaints from or about children, or third-party trackers. Ofcom said reliance cannot be placed solely on self-declaration, general contractual restrictions, or payment methods which do not require a user to be over 18.

According to Ofcom’s HEAA guidance issued last month, to ensure that an age assurance process is highly effective at correctly determining whether or not a user is a child, service providers should ensure that the process fulfils four criteria: it must be technically accurate; robust; reliable; and fair. Examples cited of methods being capable of being highly effective include: open banking, photo-ID matching, facial age estimation, mobile-network operator age checks, credit card checks, digital identity services, and email-based estimation.

Providers of services in scope of OSA duties regarding pornographic content do not need to complete a children’s access assessment for a service. This is because it is assumed that implementing HEAA measures will prevent children from accessing the service Ofcom issued separate HEAA guidance for such services last month, to support regulated providers of pornographic content in implementing HEAA.

Erskine said that recent enforcement action taken by Ofcom indicates its appetite for taking action in relation to child safety when its OSA enforcement in that respect begins in July.

“All Ofcom investigations to date in relation to online safety have been conducted under the authority it has been granted by the Communications Act 2003,” Erskine said. “However, the conclusions drawn from these investigations indicate the type of investigative and enforcement actions that Ofcom might undertake under the OSA.”

“The OSA provides Ofcom with significant powers of enforcement, especially in comparison to the Communication Act, including the power to issue fines of up to £18 million, or 10% of a company’s annual global revenue, whichever is highest. Failure to meet certain child protection duties could also give rise to criminal liability for senior managers – including a risk of imprisonment of up to two years,” she said.

“Ofcom recently investigated OnlyFans under the Communications Act, which predates the OSA and requires video-sharing platforms to take appropriate measures to prevent under-18s from accessing pornographic material. The investigation focused on whether OnlyFans had implemented sufficient age verification to prevent underage users from accessing adult content. Although the investigation has been closed, Ofcom said it will continue to engage with OnlyFans regarding the measures taken to protect children from restricted material, where appropriate,” Erskine said.

“Similarly, Ofcom recently concluded an investigation into MintStars Limited, a video-sharing platform specialising in adult content. The investigation focused on whether MintStars had appropriate age assurance measures in place. Ofcom found that MintStars had ‘seriously breached’ its obligations under the Communications Act and fined the company £7,000,” she said.

Ofcom’s investigation revealed that MintStars had changed the platform's functionality, increasing the risk of under-18s viewing pornographic content. Specifically, users could view a page which contained blurred but semi-clear thumbnails of pornographic nudity and video previews, without creating an account and undergoing age verification. Ofcom further concluded that “self-declaration” by users that they were over 18 and a general disclaimer within MintStars’ terms and conditions stating the site was only for adults, were not appropriate forms of age verification to protect under-18s from accessing pornographic and other restricted content.

Erskine said: “The immediate action is for providers of so-called Part 3 services – U2U services and search services – to complete their child access assessments by 16 April 2025. If not, Ofcom may consider taking enforcement action in line with its online safety enforcement guidance. If an investigation is opened, and a service is found to contravene its obligations, Ofcom has the power to impose potentially severe fines and require remedial action to be taken.

Where providers conclude that their services are not likely to be accessed by children, they must repeat the assessment within 12 months, or earlier under some specific circumstances detailed Ofcom’s guidance.