Online Safety Act 2023

User-to-user services likely to be accessed by childrenU.K.

11Children’s risk assessment dutiesU.K.

(1)This section sets out the duties about risk assessments which apply in relation to regulated user-to-user services that are likely to be accessed by children (in addition to the duties about risk assessments set out in section 9 and, in the case of services likely to be accessed by children which are Category 1 services, the duties about assessments set out in section 14).

(2)A duty to carry out a suitable and sufficient children’s risk assessment at a time set out in, or as provided by, Schedule 3.

(3)A duty to take appropriate steps to keep a children’s risk assessment up to date, including when OFCOM make any significant change to a risk profile that relates to services of the kind in question.

(4)Before making any significant change to any aspect of a service’s design or operation, a duty to carry out a further suitable and sufficient children’s risk assessment relating to the impacts of that proposed change.

(5)Where a children’s risk assessment of a service identifies the presence of non-designated content that is harmful to children, a duty to notify OFCOM of—

(a)the kinds of such content identified, and

(b)the incidence of those kinds of content on the service.

(6)A “children’s risk assessment” of a service of a particular kind means an assessment of the following matters, taking into account the risk profile that relates to services of that kind—

(a)the user base, including the number of users who are children in different age groups;

(b)the level of risk of children who are users of the service encountering the following by means of the service—

(i)each kind of primary priority content that is harmful to children (with each kind separately assessed),

(ii)each kind of priority content that is harmful to children (with each kind separately assessed), and

(iii)non-designated content that is harmful to children,

giving separate consideration to children in different age groups, and taking into account (in particular) algorithms used by the service and how easily, quickly and widely content may be disseminated by means of the service;

(c)the level of risk of harm to children presented by different kinds of content that is harmful to children, giving separate consideration to children in different age groups;

(d)the level of risk of harm to children presented by content that is harmful to children which particularly affects individuals with a certain characteristic or members of a certain group;

(e)the extent to which the design of the service, in particular its functionalities, affects the level of risk of harm that might be suffered by children, identifying and assessing those functionalities that present higher levels of risk, including functionalities—

(i)enabling adults to search for other users of the service (including children), or

(ii)enabling adults to contact other users (including children) by means of the service;

(f)the different ways in which the service is used, including functionalities or other features of the service that affect how much children use the service (for example a feature that enables content to play automatically), and the impact of such use on the level of risk of harm that might be suffered by children;

(g)the nature, and severity, of the harm that might be suffered by children from the matters identified in accordance with paragraphs (b) to (f), giving separate consideration to children in different age groups;

(h)how the design and operation of the service (including the business model, governance, use of proactive technology, measures to promote users’ media literacy and safe use of the service, and other systems and processes) may reduce or increase the risks identified.

(7)In this section references to risk profiles are to the risk profiles for the time being published under section 98 which relate to the risk of harm to children presented by content that is harmful to children.

(8)See also—

(a)section 23(2) and (10) (records of risk assessments), and

(b)Schedule 3 (timing of providers’ assessments).

12Safety duties protecting childrenU.K.

(1)This section sets out the duties to protect children’s online safety which apply in relation to regulated user-to-user services that are likely to be accessed by children (as indicated by the headings).

All services

(2)A duty, in relation to a service, to take or use proportionate measures relating to the design or operation of the service to effectively—

(a)mitigate and manage the risks of harm to children in different age groups, as identified in the most recent children’s risk assessment of the service (see section 11(6)(g)), and

(b)mitigate the impact of harm to children in different age groups presented by content that is harmful to children present on the service.

(3)A duty to operate a service using proportionate systems and processes designed to—

(a)prevent children of any age from encountering, by means of the service, primary priority content that is harmful to children;

(b)protect children in age groups judged to be at risk of harm from other content that is harmful to children (or from a particular kind of such content) from encountering it by means of the service.

(4)The duty set out in subsection (3)(a) requires a provider to use age verification or age estimation (or both) to prevent children of any age from encountering primary priority content that is harmful to children which the provider identifies on the service.

(5)That requirement applies to a provider in relation to a particular kind of primary priority content that is harmful to children in every case except where—

(a)a term of service indicates (in whatever words) that the presence of that kind of primary priority content that is harmful to children is prohibited on the service, and

(b)that policy applies in relation to all users of the service.

(6)If a provider is required by subsection (4) to use age verification or age estimation for the purpose of compliance with the duty set out in subsection (3)(a), the age verification or age estimation must be of such a kind, and used in such a way, that it is highly effective at correctly determining whether or not a particular user is a child.

(7)Age verification or age estimation to identify who is or is not a child user or which age group a child user is in are examples of measures which (if not required by subsection (4)) may be taken or used (among others) for the purpose of compliance with a duty set out in subsection (2) or (3).

(8)The duties set out in subsections (2) and (3) apply across all areas of a service, including the way it is designed, operated and used as well as content present on the service, and (among other things) require the provider of a service to take or use measures in the following areas, if it is proportionate to do so—

(a)regulatory compliance and risk management arrangements,

(b)design of functionalities, algorithms and other features,

(c)policies on terms of use,

(d)policies on user access to the service or to particular content present on the service, including blocking users from accessing the service or particular content,

(e)content moderation, including taking down content,

(f)functionalities allowing for control over content that is encountered, especially by children,

(g)user support measures, and

(h)staff policies and practices.

(9)A duty to include provisions in the terms of service specifying—

(a)how children of any age are to be prevented from encountering primary priority content that is harmful to children (with each kind of primary priority content separately covered);

(b)how children in age groups judged to be at risk of harm from priority content that is harmful to children (or from a particular kind of such content) are to be protected from encountering it, where they are not prevented from doing so (with each kind of priority content separately covered);

(c)how children in age groups judged to be at risk of harm from non-designated content that is harmful to children (or from a particular kind of such content) are to be protected from encountering it, where they are not prevented from doing so.

(10)A duty to apply the provisions of the terms of service referred to in subsection (9) consistently.

(11)If a provider takes or uses a measure designed to prevent access to the whole of the service or a part of the service by children under a certain age, a duty to—

(a)include provisions in the terms of service specifying details about the operation of the measure, and

(b)apply those provisions consistently.

(12)A duty to include provisions in the terms of service giving information about any proactive technology used by a service for the purpose of compliance with a duty set out in subsection (2) or (3) (including the kind of technology, when it is used, and how it works).

(13)A duty to ensure that the provisions of the terms of service referred to in subsections (9), (11) and (12) are clear and accessible.

Additional duty for Category 1 services

(14)A duty to summarise in the terms of service the findings of the most recent children’s risk assessment of a service (including as to levels of risk and as to nature, and severity, of potential harm to children).

13Safety duties protecting children: interpretationU.K.

(1)In determining what is proportionate for the purposes of section 12, the following factors, in particular, are relevant—

(a)all the findings of the most recent children’s risk assessment (including as to levels of risk and as to nature, and severity, of potential harm to children), and

(b)the size and capacity of the provider of a service.

(2)So far as a duty set out in section 12 relates to non-designated content that is harmful to children, the duty is to be taken to extend only to addressing risks of harm from the kinds of such content that have been identified in the most recent children’s risk assessment (if any have been identified).

(3)References in section 12(3)(b) and (9)(b) and (c) to children in age groups judged to be at risk of harm from content that is harmful to children are references to children in age groups judged to be at risk of such harm as assessed by the provider of a service in the most recent children’s risk assessment of the service.

(4)The duties set out in section 12(3) and (9) are to be taken to extend only to content that is harmful to children where the risk of harm is presented by the nature of the content (rather than the fact of its dissemination).

(5)The duties set out in section 12 extend only to such parts of a service as it is possible for children to access.

(6)For the purposes of subsection (5), a provider is only entitled to conclude that it is not possible for children to access a service, or a part of it, if age verification or age estimation is used on the service with the result that children are not normally able to access the service or that part of it.

(7)In section 12 and this section “children’s risk assessment” has the meaning given by section 11.

(8)See also, in relation to duties set out in section 12, section 22 (duties about freedom of expression and privacy).