UK Online Safety Act - Forums & Chatrooms

[fdk]

I don't know if it's just the way I see this, but it seems initially this thread was more like "Not a big deal" and now it's more like "Yeah, this is annoying".

Absolutely - the initial reading was definitely (in my view, anyhow) that this was nothing more than a minor inconvenience.

Having read a lot more of the detail and OFCOM's expectations, my view has started to change ever so slightly, in the sense that I believe there's been a massive error in not offering exemptions to small websites run by a single "hobbyist" essentially. As you rightly previously stated, crap admins are simply going to either not bother with the requirements, get ChatGPT to write their assessments, or block UK access to their sites. The good admins will already have had consideration of Online Safety and for the most part will have these risk assessments in place informally anyway, asking them to put it onto paper is just causing administrative headache for your regular joe hobbyist.

The further problem is that the nominating of a "responsible person" who's duty is to report "priority illegal content" is worrying to me having studied the legislation in further detail. This is because the legislation provides for criminal liability for this "responsible person" for illegal content on the site, in certain circumstances. This could potentially lead to an admin who is perhaps careless, but not necessarily reckless or neglectful (in the legal sense of the word) being held criminally liable for content on their website.

I'm also really mindful that the implementation dates of some of the measures of the Online Safety Act have been somewhat rushed, not announced very well and in many respects have not given website owners, especially small websites, enough time to seek the necessary advice, expertise and assistance in order to become compliant. For example, it looks like this guidance and Code of Practice was published in December 2024, with implementation dates set for 16th March - I myself only realised the implementation date was this soon yesterday, so am now in a huge panic knowing that I have the whole of next week assisting the national charity organisation I work for to become compliant with this Act.

It's also not been explained to joe public very well that the Online Safety Act brings almost any website that offers service to UK consumers into scope. Even if you're an American or Australian website, if your website "has a significant number of UK users" or "has UK users as one of it's target markets", you're in scope and must comply. OFCOM provides further guidance on this significant number of UK users part, stating that a "significant number" need not be a majority, or even a small minority, but simply "more than an occasional UK user". It also does not matter whether or not the UK users are registered members of the site or not - the fact that they can access the site and there are a significant amount brings the site into scope.

While I don't see that all of this will be enacted rigorously in this way for small websites with a couple hundred visitors, and completely understand the need for the crackdown on "Big Tech" and their associated chums, for all these reasons I really do think the Government have significantly erred in not offering some limited exemptions, and whilst I personally do still feel that it is an overreaction of some to suggest that they need to either shut their websites down or block UK access to them, I do understand why some who might read the legislation or OFCOM Codes in isolation might think that this is simply too much personal risk involved.

I'm wondering if at some point it might be useful for me to write a really detailed guide on this subject, however, not sure how useful this will be given that the deadline date for implementation is 16th March. That being said, it's worth noting for anyone with a project in the pipeline - legislation now says that any service in scope that is online prior to 16th March must have it's risk assessments completed and in place by that date, but if the service launches after 17th March, the service will have 3 months in order to prepare it's assessments and come into compliance with the Act.

 

[ThomasW]

I'll be honest I don't really know what the whole thing is about, but based on experience with all those kind of regulations, the small ones are the ones that suffer the most.

Companies like FB etc. have lawyers to deal with that and tools already in place that may just need some tweaking. For any small website owner it's just pain in the ass that simply wasn't needed.

I don't know where I read this, but someone said something along those lines "You want to target Big Companies... you will end up with just Big Companies". This is obviously massive exaggeration, but it will 100% affect the number of independent small websites/communities which could be created, but won't.

 

[Cedric]

This is like the same shit happening as when they've announced the GDPR law years ago. The internet was chaotic with people not knowing what it would entail for them. Has anything really changed ? Did we have to adapt to GPPR? Yes, maybe for account deletions. But that's been a part of forums for ages already.
So, personally, I don't worry about it much.

I understand it, we need to protect our minors, but we don't see any minors on forums anyway.

 

[ThomasW]

This is like the same shit happening as when they've announced the GDPR law years ago. The internet was chaotic with people not knowing what it would entail for them. Has anything really changed ? Did we have to adapt to GPPR? Yes, maybe for account deletions. But that's been a part of forums for ages already.
So, personally, I don't worry about it much.

I understand it, we need to protect our minors, but we don't see any minors on forums anyway.

I think GDPR didn't require any kind of risk assessment or other BS of similar kind, did it?

The whole issue here is... It's doable, but why would a hobbyist, who runs the forum for fun and doesn't get anything out of it, do it.

This will do f all in regards to protecting minors. If they really wanted to do something, they should have either ban "social media" entirely or make it 18+ and make sure that the companies, who run those, enforce it. They have both the money and technology to do it.

Could such restrictions be bypassed? Yes, they could, but it would have more impact than requiring an average Joe, running a forum with maybe not even one minor user registered, to jump through hoops.

 

[Cedric]

I think GDPR didn't require any kind of risk assessment or other BS of similar kind, did it?

The whole issue here is... It's doable, but why would a hobbyist, who runs the forum for fun and doesn't get anything out of it, do it.

This will do f all in regards to protecting minors. If they really wanted to do something, they should have either ban "social media" entirely or make it 18+ and make sure that the companies, who run those, enforce it. They have both the money and technology to do it.

Could such restrictions be bypassed? Yes, they could, but it would have more impact than requiring an average Joe, running a forum with maybe not even one minor user registered, to jump through hoops.

It's more than likely some kind of hidden tax or ability to fine those larger companies. I really doubt they'll come after hobbyist forums who can show that they don't allow minors and have no cases in the first place.

They can't possibly control the whole internet. It's just going to be a case-by-case situation, I think. I just wouldn't allow minors on my forums to begin with. Keep that in your terms of service, and that's a good start.

Furthermore, I wonder as a Belgian running this forum - IF such case would arise here - how they'd handle it, as it's a UK law. But we have many UK members. It's impossible to know and impossible to be fully prepared I think.

Speaking of preparations, this is from someone on the XF forums who made his risk assessment:

Risk	Relevant Illegal Content	Risk Level	Evidence and Reasoning	Mitigation Measures
User Generated Content	Hate Speech, Harassment, CSEA, Terrorism, etc.	Negligible	Users can post content, but the community is small and moderation carried out regularly. Evidence: Low volume of user reports, active (DBS checked) moderator presence, clear community guidelines. There have been no incidents in 17 years. Users engaging in harmful behaviour would be immediately banned and any identified illegal behaviour reported to law enforcement agencies.	N/A
Anonymity	Harassment, Trolling, Illegal Content Sharing	Negligible	Users cannot post anonymously.	N/A
User Connections	Grooming, Harassment, Coercive Behavior	Low	Users can connect, but the community is small and connections may be limited. Evidence: Low number of user-to-user connections. Private messages are not available until users have posted publicly and known to have a legitimate interest in the forum topic as a professional, educator or hobbyist. Nor are private messages available to children. With or without effective age verification this would include any potential groomer posing as a child. A very obvious and simple to use effective private message report system is enabled and monitored regularly.	Monitor user interactions: Implement non-intrusive systems to detect and flag suspicious patterns of user interaction (e.g., excessive private messaging between adults and minors without infringing on privacy). Implement blocking features: Allow users to block other users who engage in harmful behavior. Educate users: Provide information and resources on online safety and how to identify and report grooming or coercive behavior.
Lack of Age Verification	CSEA, Exposure to Harmful Content	Medium	Any content that is inappropriate for children is removed via regular monitoring or reports. Any users that post such content are subject to disciplinary action and, depending on the severity, would be banned and if content was deemed to be illegal would be immediately reported to law enforcement agencies.	Consider age verification measures: Explore options for age verification (e.g., self-declaration, third-party verification services) while balancing privacy and accessibility concerns.

 

[fdk]

I think GDPR didn't require any kind of risk assessment or other BS of similar kind, did it?

The whole issue here is... It's doable, but why would a hobbyist, who runs the forum for fun and doesn't get anything out of it, do it.

This will do f all in regards to protecting minors. If they really wanted to do something, they should have either ban "social media" entirely or make it 18+ and make sure that the companies, who run those, enforce it. They have both the money and technology to do it.

GDPR was certainly nowhere near as onerous at this has the potential to be, that much is for certain.

Agree on the sentiment about it not being necessarily a targeted and effective enough tool to protect minors too.

It's more than likely some kind of hidden tax or ability to fine those larger companies. I really doubt they'll come after hobbyist forums who can show that they don't allow minors and have no cases in the first place.

They can't possibly control the whole internet. It's just going to be a case-by-case situation, I think. I just wouldn't allow minors on my forums to begin with. Keep that in your terms of service, and that's a good start.

Furthermore, I wonder as a Belgian running this forum - IF such case would arise here - how they'd handle it, as it's a UK law. But we have many UK members. It's impossible to know and impossible to be fully prepared I think.

You have to consider that the Online Safety Act doesn't only apply if you have children on your site - even if there are no children are ever present on Administrata, that does not mean it is out of scope.

You're absolutely correct in that the main sanctions directly offered by the Online Safety Act are huge fines. Well actually, they aren't huge fines - they're 5%/10% of annual turnover for a website. Huge for Meta or Google, but for Administrata, it'd be a hundred bucks or so I'd imagine. The more worrying thing is the actual sections of the legislation that confer legal responsibilities onto website owners for some "priority illegal content" on their service, as I previously mentioned. This will eventually lead to the possibility of criminal sanctions for individuals who run websites, if a nefarious actor uses their service for a malicious purpose.

You're right - the reach of the UK authorities will be limited by the fact that you're Belgian - for example, I don't imagine the Belgian authorities would be quick to agree to any sort of extradition request or anything (and of course, this is an absurdly unlikely scenario), but they could take action such as get UK court orders for ISPs to block access to certain non-compliant websites.

Sure - this is an unlikely occurrence, but imagine a scenario (which we all see on true crime TV) where somebody comes to harm as a result of somebody using an online service that I'm personally responsible for for a nefarious purpose. The law has conferred on me a responsibility essentially to "protect" visitors to my website. Now let's say something out of my control but disastrous happens - even if I am able to legally defend myself, what will the court of public opinion, media, newspapers etc do or think?

There is too much liability in society in this day. For this reason, am I to ever own a website again that comes into OSA scope, I will 100% complete everything on that OFCOM checklist to protect myself.

 

[Kyng]

Planning to do my risk assessment this weekend.

I've already had a look at the requirements, and I have a rough idea of what I'm going to say... just need to put pen to paper.

It's annoying - but once that's done, I believe all I have to do is to continue what I've been doing for the past 15 years anyway .

 

[Al]

Huge for Meta or Google, but for Administrata, it'd be a hundred bucks or so I'd imagine.

At the current time, they would be paying us!