(1)A provider of a Category 1 service must offer all adult users of the service the option to verify their identity (if identity verification is not required for access to the service).
(2)The verification process may be of any kind (and in particular, it need not require documentation to be provided).
(3)A provider of a Category 1 service must include clear and accessible provisions in the terms of service explaining how the verification process works.
(4)If a person is the provider of more than one Category 1 service, the duties set out in this section apply in relation to each such service.
(5)The duty set out in subsection (1) applies in relation to all adult users, not just those who begin to use a service after that duty begins to apply.
(6)The duties set out in this section extend only to—
(a)the user-to-user part of a service, and
(b)the design, operation and use of a service in the United Kingdom.
(7)For the purposes of this section a person is an “adult user” of a service if the person is an adult in the United Kingdom who—
(a)is a user of the service, or
(b)seeks to begin to use the service (for example by setting up an account).
(8)For the meaning of “Category 1 service”, see section 95 (register of categories of services).
Commencement Information
I1S. 64 not in force at Royal Assent, see s. 240(1)
(1)OFCOM must produce guidance for providers of Category 1 services to assist them in complying with the duty set out in section 64(1).
(2)In producing the guidance (including revised or replacement guidance), OFCOM must have particular regard to the desirability of ensuring that providers of Category 1 services offer users a form of identity verification likely to be available to vulnerable adult users.
(3)Before producing the guidance (including revised or replacement guidance), OFCOM must consult—
(a)the Information Commissioner,
(b)persons whom OFCOM consider to have technological expertise relevant to the duty set out in section 64(1),
(c)persons who appear to OFCOM to represent the interests of vulnerable adult users of Category 1 services, and
(d)such other persons as OFCOM consider appropriate.
(4)OFCOM must publish the guidance (and any revised or replacement guidance).
Commencement Information
I2S. 65 not in force at Royal Assent, see s. 240(1)
I3S. 65 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(r)
Prospective
(1)A UK provider of a regulated user-to-user service must operate the service using systems and processes which secure (so far as possible) that the provider reports all detected and unreported CSEA content present on the service to the NCA.
(2)A non-UK provider of a regulated user-to-user service must operate the service using systems and processes which secure (so far as possible) that the provider reports all detected and unreported UK-linked CSEA content present on the service to the NCA (and does not report to the NCA CSEA content which is not UK-linked).
(3)A UK provider of a regulated search service must operate the service using systems and processes which secure (so far as possible) that the provider reports all detected and unreported CSEA content present on websites or databases capable of being searched by the search engine to the NCA.
(4)A non-UK provider of a regulated search service must operate the service using systems and processes which secure (so far as possible) that the provider reports all detected and unreported UK-linked CSEA content present on websites or databases capable of being searched by the search engine to the NCA (and does not report to the NCA CSEA content which is not UK-linked).
(5)A UK provider of a combined service must comply with the requirement under subsection (3) in relation to the search engine of the service.
(6)A non-UK provider of a combined service must comply with the requirement under subsection (4) in relation to the search engine of the service.
(7)Providers’ reports under this section—
(a)must meet the requirements set out in regulations under section 67, and
(b)must be sent to the NCA in the manner, and within the time frames, set out in those regulations.
(8)If a person is the provider of more than one regulated user-to-user service or regulated search service, requirements under this section apply in relation to each such service.
(9)Terms used in this section are defined in section 70.
(10)This section applies only in relation to CSEA content detected on or after the date on which this section comes into force.
Commencement Information
I4S. 66 not in force at Royal Assent, see s. 240(1)
(1)The Secretary of State must make regulations in connection with the reports that are to be made to the NCA (including by non-UK providers) as required by section 66.
(2)The regulations may make provision about—
(a)the information to be included in the reports,
(b)the format of the reports,
(c)the manner in which the reports must be sent to the NCA,
(d)the time frames for sending the reports to the NCA (including provision about cases of particular urgency),
(e)the records that providers must keep in relation to the reports, or the details that providers must retain as evidence that they have made the reports, and
(f)such other matters relating to the reports as the Secretary of State considers appropriate.
(3)The regulations may also—
(a)require providers to retain, for a specified period, data of a specified description associated with a report, and
(b)impose restrictions or requirements in relation to the retention of such data (including how the data is to be secured or stored or who may access the data).
(4)The power to require the retention of data associated with a report includes power to require the retention of—
(a)content generated, uploaded or shared by any user mentioned in the report (or metadata relating to such content), and
(b)user data relating to any such person (or metadata relating to such data).
“User data” here has the meaning given by section 231.
(5)Before making regulations under this section, the Secretary of State must consult—
(a)the NCA,
(b)OFCOM, and
(c)such other persons as the Secretary of State considers appropriate.
Commencement Information
I5S. 67 not in force at Royal Assent, see s. 240(1)
I6S. 67 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(s)
In section 16 of the Crime and Courts Act 2013 (interpretation of Part 1), in subsection (1), in the definition of “permitted purpose”, after paragraph (o) insert—
“(oa)the exercise of any function of OFCOM (the Office of Communications) under the Online Safety Act 2023;”.
Commencement Information
I7S. 68 not in force at Royal Assent, see s. 240(1)
I8S. 68 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(t)
Prospective
(1)A person commits an offence if, in purported compliance with a requirement under section 66—
(a)the person provides information that is false in a material respect, and
(b)at the time the person provides it, the person knows that it is false in a material respect or is reckless as to whether it is false in a material respect.
(2)A person who commits an offence under this section is liable—
(a)on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);
(b)on summary conviction in Scotland, to imprisonment for a term not exceeding 12 months or a fine not exceeding the statutory maximum (or both);
(c)on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);
(d)on conviction on indictment, to imprisonment for a term not exceeding 2 years or a fine (or both).
Commencement Information
I9S. 69 not in force at Royal Assent, see s. 240(1)
(1)This section applies for the purposes of this Chapter.
(2)A provider of a regulated user-to-user service or a regulated search service is a “UK provider” of the service if the provider is—
(a)an individual or individuals who are habitually resident in the United Kingdom, or
(b)an entity incorporated or formed under the law of any part of the United Kingdom.
(3)Otherwise, a provider of a regulated user-to-user service or a regulated search service is a “non-UK provider” of the service.
(4)CSEA content is “detected” by a provider when the provider becomes aware of the content, whether by means of the provider’s systems or processes or as a result of another person alerting the provider.
(5)CSEA content is “unreported”, in relation to a provider, if the reporting of that content is not covered by arrangements (mandatory or voluntary)—
(a)by which the provider reports content relating to child sexual exploitation or abuse to a foreign agency, or
(b)by which an entity that is a group undertaking in relation to the provider reports content relating to child sexual exploitation or abuse to—
(i)the NCA, or
(ii)a foreign agency.
(6)CSEA content is “UK-linked” if a provider has evidence of a link between the content and the United Kingdom, based on any of the following—
(a)the place where the content was published, generated, uploaded or shared;
(b)the nationality of a person suspected of committing the related offence;
(c)the location of a person suspected of committing the related offence;
(d)the location of a child who is a suspected victim of the related offence.
For the purposes of paragraphs (b), (c) and (d) an offence is “related” to CSEA content if the content amounts to that offence (construed in accordance with section 59: see subsections (3), (11) and (12) of that section).
(7)In this Chapter—
“CSEA content” has the same meaning as in Part 3 (see section 59);
“foreign agency” means a person exercising functions in a country outside the United Kingdom which correspond to the NCA’s functions insofar as they relate to receiving and disseminating reports about CSEA content;
“group undertaking” has the meaning given by section 1161(5) of the Companies Act 2006;
“NCA” means the National Crime Agency.
(8)Sections 1161(5) and 1162 of, and Schedule 7 to, the Companies Act 2006—
(a)are to apply in relation to an entity which is not an undertaking (as defined in section 1161(1) of that Act) as they apply in relation to an undertaking, and
(b)are to be read with any necessary modifications if applied to an entity formed under the law of a country outside the United Kingdom.
Commencement Information
I10S. 70 in force at Royal Assent, see s. 240(4)(i)
Prospective
(1)A provider of a Category 1 service must operate the service using proportionate systems and processes designed to ensure that the provider does not—
(a)take down regulated user-generated content from the service,
(b)restrict users’ access to regulated user-generated content, or
(c)suspend or ban users from using the service,
except in accordance with the terms of service.
(2)Nothing in subsection (1) is to be read as preventing a provider from taking down content from a service or restricting users’ access to it, or suspending or banning a user, if such an action is taken—
(a)to comply with the duties set out in—
(i)section 10(2) or (3) (protecting individuals from illegal content), or
(ii)section 12(2) or (3) (protecting children from content that is harmful to children), or
(b)to avoid criminal or civil liability on the part of the provider that might reasonably be expected to arise if such an action were not taken.
(3)In addition, nothing in subsection (1) is to be read as preventing a provider from—
(a)taking down content from a service or restricting users’ access to it on the basis that a user has committed an offence in generating, uploading or sharing it on the service, or
(b)suspending or banning a user on the basis that—
(i)the user has committed an offence in generating, uploading or sharing content on the service, or
(ii)the user is responsible for, or has facilitated, the presence or attempted placement of a fraudulent advertisement on the service.
(4)The duty set out in subsection (1) does not apply in relation to—
(a)consumer content (see section 74);
(b)terms of service which deal with the treatment of consumer content.
(5)If a person is the provider of more than one Category 1 service, the duty set out in subsection (1) applies in relation to each such service.
(6)The duty set out in subsection (1) extends only to the design, operation and use of a service in the United Kingdom, and references in this section to users are to United Kingdom users of a service.
(7)In this section—
“criminal or civil liability” includes such a liability under the law of a country outside the United Kingdom;
“fraudulent advertisement” has the meaning given by section 38;
“offence” includes an offence under the law of a country outside the United Kingdom.
(8)See also section 18 (duties to protect news publisher content).
Commencement Information
I11S. 71 not in force at Royal Assent, see s. 240(1)
(1)A provider of a regulated user-to-user service must include clear and accessible provisions in the terms of service informing users about their right to bring a claim for breach of contract if—
(a)regulated user-generated content which they generate, upload or share is taken down, or access to it is restricted, in breach of the terms of service, or
(b)they are suspended or banned from using the service in breach of the terms of service.
(2)The duties set out in subsections (3) to (7) apply in relation to a Category 1 service, and references in subsections (3) to (9) to “provider” and “service” are to be read accordingly.
(3)A provider must operate a service using proportionate systems and processes designed to ensure that—
(a)if the terms of service indicate (in whatever words) that the presence of a particular kind of regulated user-generated content is prohibited on the service, the provider takes down such content;
(b)if the terms of service state that the provider will restrict users’ access to a particular kind of regulated user-generated content in a specified way, the provider does restrict users’ access to such content in that way;
(c)if the terms of service state cases in which the provider will suspend or ban a user from using the service, the provider does suspend or ban the user in those cases.
(4)A provider must ensure that—
(a)terms of service which make provision about the provider taking down regulated user-generated content from the service or restricting users’ access to such content, or suspending or banning a user from using the service, are—
(i)clear and accessible, and
(ii)written in sufficient detail to enable users to be reasonably certain whether the provider would be justified in taking the specified action in a particular case, and
(b)those terms of service are applied consistently.
(5)A provider must operate a service using systems and processes that allow users and affected persons to easily report—
(a)content which they consider to be relevant content (see section 74);
(b)a user who they consider should be suspended or banned from using the service in accordance with the terms of service.
(6)A provider must operate a complaints procedure in relation to a service that—
(a)allows for complaints of a kind mentioned in subsection (8) to be made,
(b)provides for appropriate action to be taken by the provider of the service in response to complaints of those kinds, and
(c)is easy to access, easy to use (including by children) and transparent.
(7)A provider must include in the terms of service provisions which are easily accessible (including to children) specifying the policies and processes that govern the handling and resolution of complaints of a kind mentioned in subsection (8).
(8)The kinds of complaints referred to in subsections (6) and (7) are—
(a)complaints by users and affected persons about content present on a service which they consider to be relevant content;
(b)complaints by users and affected persons if they consider that the provider is not complying with a duty set out in any of subsections (1) or (3) to (5);
(c)complaints by a user who has generated, uploaded or shared content on a service if that content is taken down, or access to it is restricted, on the basis that it is relevant content;
(d)complaints by users who have been suspended or banned from using a service.
(9)The duties set out in subsections (3) and (4) do not apply in relation to terms of service which—
(a)make provision of the kind mentioned in section 10(5) (protecting individuals from illegal content) or 12(9) (protecting children from content that is harmful to children), or
(b)deal with the treatment of consumer content.
(10)If a person is the provider of more than one regulated user-to-user service or Category 1 service, the duties set out in this section apply in relation to each such service.
(11)The duties set out in this section extend only to the design, operation and use of a service in the United Kingdom, and references to users are to United Kingdom users of a service.
(12)See also section 18 (duties to protect news publisher content).
Commencement Information
I12S. 72 not in force at Royal Assent, see s. 240(1)
I13S. 72(1)(10)(11) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(u)
(1)OFCOM must produce guidance for providers of Category 1 services to assist them in complying with their duties set out in sections 71 and 72(3) to (7).
(2)OFCOM must publish the guidance (and any revised or replacement guidance).
Commencement Information
I14S. 73 not in force at Royal Assent, see s. 240(1)
I15S. 73 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(v)
(1)This section applies for the purposes of this Chapter.
(2)“Regulated user-generated content” has the same meaning as in Part 3 (see section 55), and references to such content are to content that is regulated user-generated content in relation to the service in question.
(3)“Consumer content” means—
(a)regulated user-generated content that constitutes, or is directly connected with content that constitutes, an offer to sell goods or to supply services,
(b)regulated user-generated content that amounts to an offence under the Consumer Protection from Unfair Trading Regulations 2008 (S.I. 2008/1277) (construed in accordance with section 59: see subsections (3), (11) and (12) of that section), or
(c)any other regulated user-generated content in relation to which an enforcement authority has functions under those Regulations (see regulation 19 of those Regulations).
(4)References to restricting users’ access to content, and related references, are to be construed in accordance with sections 58 and 236(6).
(5)Content of a particular kind is “relevant content” if—
(a)a term of service, other than a term of service mentioned in section 72(9), indicates (in whatever words) that the presence of content of that kind is prohibited on the service or that users’ access to content of that kind is restricted, and
(b)it is regulated user-generated content.
References to relevant content are to content that is relevant content in relation to the service in question.
(6)“Affected person” means a person, other than a user of the service in question, who is in the United Kingdom and who is—
(a)the subject of the content,
(b)a member of a class or group of people with a certain characteristic targeted by the content,
(c)a parent of, or other adult with responsibility for, a child who is a user of the service or is the subject of the content, or
(d)an adult providing assistance in using the service to another adult who requires such assistance, where that other adult is a user of the service or is the subject of the content.
(7)In determining what is proportionate for the purposes of sections 71 and 72, the size and capacity of the provider of a service is, in particular, relevant.
(8)For the meaning of “Category 1 service”, see section 95 (register of categories of services).
Commencement Information
I16S. 74 in force at Royal Assent, see s. 240(4)(j)
Prospective
(1)A provider of a relevant service must make it clear in the terms of service what their policy is about dealing with requests from parents of a deceased child for information about the child’s use of the service.
(2)A provider of a relevant service must have a dedicated helpline or section of the service, or some similar means, by which parents can easily find out what they need to do to obtain information and updates in those circumstances, and the terms of service must provide details.
(3)A provider of a relevant service must include clear and accessible provisions in the terms of service—
(a)specifying the procedure for parents of a deceased child to request information about the child’s use of the service,
(b)specifying what evidence (if any) the provider will require about the parent’s identity or relationship to the child, and
(c)giving sufficient detail to enable child users and their parents to be reasonably certain about what kinds of information would be disclosed and how information would be disclosed.
(4)A provider of a relevant service must respond in a timely manner to requests from parents of a deceased child for information about the child’s use of the service or for updates about the progress of such information requests.
(5)A provider of a relevant service must operate a complaints procedure in relation to the service that—
(a)allows for complaints to be made by parents of a deceased child who consider that the provider is not complying with a duty set out in any of subsections (1) to (4),
(b)provides for appropriate action to be taken by the provider of the service in response to such complaints, and
(c)is easy to access, easy to use and transparent.
(6)A provider of a relevant service must include in the terms of service provisions which are easily accessible specifying the policies and processes that govern the handling and resolution of such complaints.
(7)If a person is the provider of more than one relevant service, the duties set out in this section apply in relation to each such service.
(8)The duties set out in this section extend only to the design, operation and use of a service in the United Kingdom, and references in this section to children are to children in the United Kingdom.
(9)A “relevant service” means—
(a)a Category 1 service (see section 95(10)(a));
(b)a Category 2A service (see section 95(10)(b));
(c)a Category 2B service (see section 95(10)(c)).
(10)In this section “parent”, in relation to a child, includes any person who is not the child’s parent but who—
(a)has parental responsibility for the child within the meaning of section 3 of the Children Act 1989 or Article 6 of the Children (Northern Ireland) Order 1995 (S.I. 1995/755 (N.I. 2)), or
(b)has parental responsibilities in relation to the child within the meaning of section 1(3) of the Children (Scotland) Act 1995.
(11)In the application of this section to a Category 2A service, references to the terms of service include references to a publicly available statement.
Commencement Information
I17S. 75 not in force at Royal Assent, see s. 240(1)
(1)OFCOM must produce guidance for providers of relevant services to assist them in complying with their duties set out in section 75.
(2)OFCOM must publish the guidance (and any revised or replacement guidance).
(3)In this section “relevant service” has the meaning given by section 75.
Commencement Information
I18S. 76 not in force at Royal Assent, see s. 240(1)
I19S. 76 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(w)
(1)Once a year, OFCOM must give every provider of a relevant service a notice which requires the provider to produce a report about the service (a “transparency report”).
(2)If a person is the provider of more than one relevant service, a notice must be given to the provider in respect of each such service.
(3)In response to a notice relating to a relevant service, the provider of the service must produce a transparency report which must—
(a)contain information of a kind specified or described in the notice,
(b)be in the format specified in the notice,
(c)be submitted to OFCOM by the date specified in the notice, and
(d)be published in the manner and by the date specified in the notice.
(4)A provider must ensure that the information provided in a transparency report is—
(a)complete, and
(b)accurate in all material respects.
(5)A “relevant service” means—
(a)a Category 1 service (see section 95(10)(a));
(b)a Category 2A service (see section 95(10)(b));
(c)a Category 2B service (see section 95(10)(c)).
(6)In a notice which relates to a Category 1 service or a Category 2B service, OFCOM may only specify or describe user-to-user information.
But in the case of a service described in subsection (9), that subsection applies instead.
(7)In a notice which relates to a regulated search service that is a Category 2A service, OFCOM may only specify or describe search engine information.
(8)In a notice which relates to a combined service that is a Category 2A service, and is not also a Category 1 service or a Category 2B service, OFCOM may only specify or describe search engine information.
(9)In a notice which relates to a combined service that is a Category 2A service, as well as being a Category 1 service or a Category 2B service, OFCOM may specify or describe user-to-user information or search engine information, or both those kinds of information.
(10)In subsections (6) to (9)—
(a)“user-to-user information” means information which—
(i)is about the matters listed in Part 1 of Schedule 8, and
(ii)relates to the user-to-user part of a service;
(b)“search engine information” means information which—
(i)is about the matters listed in Part 2 of Schedule 8, and
(ii)relates to the search engine of a service.
(11)Part 3 of Schedule 8 makes further provision about transparency reports.
(12)The Secretary of State may by regulations amend subsection (1) so as to change the frequency of the transparency reporting process.
(13)The Secretary of State must consult OFCOM before making regulations under subsection (12).
(14)In this section “notice” means a notice under subsection (1).
Commencement Information
I20S. 77 not in force at Royal Assent, see s. 240(1)
I21S. 77 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(x)
(1)OFCOM must produce guidance about—
(a)how OFCOM will determine which information they will require transparency reports under section 77 to contain, including—
(i)the principles that they will apply in relation to each of the factors mentioned in paragraph 37 of Schedule 8, and
(ii)the steps that they will take to engage with providers of relevant services before requiring information in a notice under section 77(1);
(b)how information from transparency reports produced by providers of relevant services under section 77 will be used to produce OFCOM’s transparency reports (see section 159); and
(c)any other matter that OFCOM consider to be relevant to the production and publication of transparency reports under section 77 or 159.
(2)Before producing the guidance (including revised or replacement guidance), OFCOM must consult such of the following as they consider appropriate—
(a)providers of regulated user-to-user services, and of regulated search services,
(b)persons who appear to OFCOM to represent such providers,
(c)persons who appear to OFCOM to represent the interests of children (generally or with particular reference to online safety matters),
(d)persons whom OFCOM consider to have expertise in equality issues and human rights, in particular—
(i)the right to freedom of expression set out in Article 10 of the Convention, and
(ii)the right to respect for a person’s private and family life, home and correspondence set out in Article 8 of the Convention,
(e)the Information Commissioner,
(f)persons who appear to OFCOM to represent the interests of those with protected characteristics (within the meaning of Part 2 of the Equality Act 2010), and
(g)persons whom OFCOM consider to have expertise in the enforcement of the criminal law and the protection of national security that is relevant to online safety matters,
and OFCOM must also consult such other persons as OFCOM consider appropriate.
(3)OFCOM must publish the guidance (and any revised or replacement guidance).
(4)In exercising their functions under section 77 or 159, OFCOM must have regard to the guidance for the time being published under this section.
(5)In this section, “relevant service” has the same meaning as in section 77 (see subsection (5) of that section).
Commencement Information
I22S. 78 not in force at Royal Assent, see s. 240(1)
I23S. 78 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(x)