A round-up of Ofcom's Children's Harms consultation

01 August 2024. Published by Rupert Cowper-Coles, Partner and Mafruhdha Miah, Senior Associate

Ofcom's consultation on children's harms under the Online Safety Act (OSA) recently closed. It is the second of four key consultations under the OSA and follows the consultation on illegal harms duties published in October last year (see RPC's discussion of this here).

Alongside the key duties, Ofcom's summary lists some key goals which include limiting children's access to pornography and potentially harmful content both through children's own use of the platforms and their recommender systems, ensuring children are not added to group chats without consent and improving children's complaints processes.

In these draft Children's Codes and Guidance, Ofcom has proposed a range of measures including for in-scope services to have in place governance and accountability systems to ensure adequate management of the risks concerning child safety. These documents are intended to meet Ofcom's aims to increase transparency for child users and ensure that they are protected from harmful content online.

We explore what Ofcom's guidance may mean for in-scope service providers below.

Access and Risk Assessments

Providers of user-to-user or search services will be required to assess whether the service or part of the service is likely to attract and/or be accessed by "a significant number of children" in order to determine whether the service provider is required to carry out a risk assessment and comply with the children's safety duties under the OSA.  These access assessments should be carried out within three months from publication of the guidance, and thereafter, annually and prior to significant changes in the platform.  If the assessment concludes that children are unlikely to access the service, the service providers should be prepared to demonstrate this with a detailed evidence-based assessment, though the guidance suggests that only services with "highly effective age assurance measures" and appropriate access control measures are likely to be able to conclude the accessibility test in the negative.

If the access assessment confirms that services are likely to be accessed by children, the service provider must go on to consider the risks included in the Risk Profiles published by Ofcom, and more generally the risks that children might encounter harmful content whilst using their service, as well as the level of risk of harm to children from the various characteristics of the service (such as the user base, functionalities and algorithmic systems), and any other relevant aspects of the design of the service. Particular regard must also be paid to the different characteristics of the in-scope service's user base including: the different age groups of child users, their backgrounds and potential vulnerabilities, for example due to ethnicity, gender and sexual orientation, and the different ways in which the service may be used.

Ofcom proposes that the risk assessment should follow the same four-step process outlined in respect of the Illegal Harms risk assessment, namely that services should:

  1. Understand the kinds of content which are harmful to children, including by reference to the three broad categories of content defined under the OSA (more below);

  2. Assess the risks of harm including the likelihood and impact of children encountering each kind of content (both individually and cumulatively) and assigning an appropriate risk level, e.g. low, medium or high;

  3. Decide measures to reduce the risks identified, implement them and record their implementation; and

  4. Report on outcomes via the relevant governance channels internally, review the matter periodically and update the risk assessments accordingly.

Importantly, Category 1 and 2A services will be required to provide their risk assessments to Ofcom as soon as possible. Category 1 services must publish a summary of their risk assessments in their Terms of Service, and Category 2A services must publish a summary in a publicly available statement.

As with the access assessment, the risk assessments should be carried out at least every 12 months or sooner where there is a significant change to the service proposed. This is similar to the obligations placed on 'Very Large Online Platforms' and 'Very Large Online Search Engines' under the EU Digital Services Act (DSA), which Ofcom recognises and accordingly has left it to service providers to consider whether their obligations under both regimes could be streamlined by conducting the risk assessments at the same time, though notably there is no guidance on whether one single risk assessment could suffice.

Key Safety Duties

Similarly to the Illegal Harms Register of Risks, Ofcom envisions that in-scope services should be required to implement measures to protect against the risks identified in Ofcom's Children's Register of Risks. The Register broadly provides three categories of harmful content and includes detailed guidance on the types of content that could be caught by each category. The categories of content are:

  • Primary Priority content (PPC) – being pornographic, suicide and self-harm and eating disorder content;
  • Priority content (PC) – being content relating to hateful, bullying, violent and dangerous content; and
  • Non-designated content (NDC) – a catch-all covering content which is not caught by the above categories but presents a "material risk of a significant harm to an appreciable number of children in the UK". If any user-to-user service identifies the presence of any kind of NDC during the course of their risk assessments, they must report this to Ofcom.

The guidance also sets out a myriad of measures that platforms are required to implement to mitigate against the risks of harm identified in the Register. These include the following for 'large' or 'multi-risk services' (i.e. services with more than 7 million UK monthly users, or services which have a medium or high risk for two or more kinds of harmful content):

  1. The requirement for 'highly effective' age assurance preventing children from accessing services or designated harmful content. Those operating in this space will know that there is no single prescribed or accepted mechanism for age assurance and Ofcom does not intend to propose one. Instead, its guidance goes some way to suggest which measures could be highly effective, including open banking, ID matching and facial age estimation but otherwise relies on general metrics such as fairness and technical accuracy. This list is caveated with Ofcom's suggestion that the overall effectiveness of age assurance depends on how it is implemented by the service provider.

  2. The requirement for recommender systems to 'consistently' remove PPC and reduce the prominence of PC as defined above and in ss.61 and 62 of the OSA. Whilst some major platforms take this approach as a matter of principle, Ofcom's guidance stipulates a number of practical measures which should be taken to ensure that this type of content is not surfaced to children, including the requirement to downrank content to reduce visibility automatically and to make available an option for children to express "negative sentiment" towards the content that they encounter in their recommended feed so that similar content is downranked in future (similar to existing "don't show me this again" style tools). Ofcom does not require platforms to offer an opportunity for child users to provide a reason for wishing to see less of a certain type of content but if reasons are provided, that should be factored into the downranking process.

  3. The requirement for content moderation teams to be 'well resourced', receive 'adequate' training and ensure reviews are 'appropriately prioritised'.  Ofcom expressly notes that it refrains from providing specific metrics on how in-scope services can meet these descriptors.  Ofcom suggests content moderation teams could have multiple language capabilities, sufficient resources to meet spikes in demand caused by external events, and training on decision-making that balances users' privacy and freedom of expression rights as well as emerging harmful content. On ensuring appropriate prioritisation, Ofcom suggests services should consider the 'virality' of content and whether content is likely to be PPC, as above, as well as whether any reports have been submitted by 'trusted flaggers' (in a similar vein to the regime under the DSA for EU users).  In-scope services will also need to consider whether restrictions should be placed on child user accounts, such as automatic content-filtering and restrictions on forums, communities and groups.

  4. The requirement to provide 'age-appropriate' user support measures and materials.  Ofcom calls for in-scope service providers to have regard to the varied risks of child users from different age groups, backgrounds or with particularly vulnerable characteristics, when providing support to users, such as through content reporting tools, signposting to external resources when users search for certain types of content, and easily understood policy documents. It also requires platforms to provide children with more choices in respect of interacting with other users, such as the option to accept or decline invitations to group chats, to block and mute other users, and to disable comments on their posts.  

There are also more prescriptive measures required by these guidance documents for governance and accountability purposes, including the requirement to designate one person accountable for compliance with these safety duties, obligations to track unusual increases or new kinds of PPC, PC and NDC present on the services, and internal monitoring processes to ensure that the measures being undertaken are effective.  These are similar to the duties proposed under the Illegal Harms consultation.

Next Steps

This consultation provides a significant insight into how in-scope service providers can expect Ofcom to enforce its duties under the OSA. Sophisticated service providers will not be surprised by the measures proposed, as they build on measures which have largely become standard practice in the industry, but all providers will need to consider more carefully the factors which Ofcom suggests should be utilised for each measure in order to have a better picture of their existing compliance and any changes that may be required.

Whilst the guidance is not yet in force, in-scope service providers should prepare to meet the first deadline under these Codes, to carry out their first Access and Risk Assessments within 3 months of the guidance being formally published. 

Whilst the consultation closed on 17 July, final versions of these documents are expected to be published in Spring 2025, so watch this space.

If you have specific questions on the OSA, please contact Rupert Cowper-Coles or Mafruhdha Miah.
