FAQs a million

At the end of May Ofcom circulated a set of FAQs to the attendees of a three day Online Safety Act Explained event that it ran in February 2025. The FAQs address a series of questions for which time did not permit of an answer at the event. Sadly (since these points are of interest to a wider public) Ofcom has not published them on its website. Perhaps it may yet do so, but in the meantime here is a link to an unofficial copy.

Day 3 of the February event was billed as a ‘deep dive’ into three topics: Online safety worldwide, What it means to ‘low risk’, and How to tackle complex risks, including child sexual abuse, grooming and fraud - each with a Q&A session.

The ‘low risk’ session was eagerly anticipated by many who felt a bit like Online Safety Act orphans: apparently – or at least arguably – in scope, but with little in the way of practical help (notwithstanding Ofcom’s interactive regulation checker) to understand whether they were actually caught by the Act.

This was at a time when it was emerging that some community forums run by individuals on a voluntary basis were planning to close down rather than face the Act’s compliance burden or the risk of penalties.

Ofcom, it should be acknowledged, has to work within the constraints of the Act. It has no power to exempt categories of sites from most of the Act’s basic obligations. So if a site is in scope it has to do an illegal content risk assessment, a children’s access assessment and (if children are likely to access the site) a children’s risk assessment. Those (and some other obligations, such as a set of terms and conditions) are required by the Act and there is nothing that Ofcom can do about that.

Where Ofcom does have discretion is in the Code of Practice measures that it chooses to recommend for compliance with the substantive duties imposed by the Act. Ofcom went a long way towards minimising the burden on small, low risk sites (albeit it has now proposed, in its recent additional safety measures consultation, that all in-scope U2U sites should have a sanctions policy).

So it was never realistic to expect Ofcom unilaterally to exempt sites that are in scope of the Act, or to give assurances that it would not enforce against any of them.

There might, however, have been hope of gaining more clarity about two basic questions: exactly which kinds of site are in and out of scope; and who is treated as the provider of an in-scope service (and thus responsible for compliance with the Act)?

The latter question – who is the provider – can be crucial: if I run a community forum hosted on a commercial platform, is the platform the provider of my forum? If so, I can leave compliance to the platform. But if I am treated as the provider of my platform-based community forum, then the compliance obligations are on me and I am – at least theoretically – on Ofcom’s radar for enforcement.

That question has implications for the extent of Ofcom’s own responsibilities, as well as for the individual operator. The government’s Impact Assessment estimated that 25,000 UK service providers would be in scope. But on one answer to the ‘who is the provider?’ question, Ofcom ought to be considering hundreds of thousands, if not millions, of individual operators of forums and groups.

Similarly, consider bloggers who have ‘comments on comments’ functionality enabled. Are they, rather than the blogging platforms, regarded as the providers of a user to user service in relation to comments posted to their individual blogs?

Unfortunately, basic issues of scope and service provider identification are among the areas in which the Act is at its most opaque. As such, one can have considerable sympathy with the hospital pass that Ofcom, trying to make sense of the legislation, has received from Parliament. It would not be surprising if a lively sense of self-preservation within Ofcom HQ led to some reluctance to admit of the possibility that hundreds of thousands, or maybe more, individuals might have to conduct risk assessments and write terms and conditions for their small forums and blogs. Nevertheless, the Act is what it is.

The FAQs are revealing as to which unanswered questions from the event Ofcom has expanded on at length and for which it has opted for inscrutability.

There are careful explanations of the requirements applicable to low-risk services, extensive discussions of how to conduct risk assessments and children’s access assessments, implementation of highly effective age assurance, moderation requirements and a few others. But when it comes to scope Ofcom has for the most part little to say beyond reciting the words of the Act.

Three points in particular are relevant to whether a small, not for profit, service is in or out of scope:

(a) What is meant by a ‘significant number’ of UK users

(b) Whether a voluntary, not-for profit site can have a ‘target market’. If yes, then a UK-targeted site is in scope even if it does not have a significant number of UK users.

(c) Who is responsible for compliance where someone runs a volunteer community group on another social media or similar platform?

Ofcom plays the ‘significant number’ question straight back to the service provider: 

“The Act does not define what is meant by a ‘significant number’ of UK users for the purposes of considering the ‘UK links’ test. Service providers should be able to explain their judgement, especially if they think they do not have a significant number of UK users.”

To continue the cricketing metaphor, Ofcom plays no stroke to ‘target market’: the FAQs do not address the question at all.

For the critical question of who provides the U2U service where a community forum is hosted on a commercial platform, Ofcom adopts a stonewall defence: retreating behind two sentences copied out from S.226 of the Act.

 

For decentralised services Ofcom notes that ‘it is possible’ that if a user operates a decentralised service, and has control over who can use the user-to-user part of the service, they are the service provider under the Act.

One can speculate that if Ofcom were confident that the service provider for individual community forums is always the commercial platform, it would have said so. The fact that it has not done so suggests that Ofcom may reckon that it is arguable that an individual forum operator may, at least potentially, be a service provider.

This dog’s breakfast is, to reiterate, not Ofcom’s fault.  If difficult questions were raised during the legislative process, they were like as not to be ignored, or met with a lecture about Big Tech, algorithms, CSAM, terrorism, children, the Wild West Web, the cesspit of social media and all the rest.

From a purely political perspective donning blinkers is understandable. Revealing a can of worms could have derailed the Bill. Easier to keep the goggles on, power towards Royal Assent on the back of the techlash and worry about sweeping up the pieces of the car crash afterwards.

We are now seeing the results of that. Nevertheless, over a year into implementation of the Act, and with Ofcom’s cumulative expenditure to 2026 projected at £279 million, could it now usefully grasp the nettle of addressing at least some difficult interpretation questions?

For instance, might Ofcom publish non-binding discussion papers around the knotty points of scope and compliance responsibility? Such papers could usefully form the basis of a better-informed future discussion about what the Act should be regulating.

Otherwise, the danger is that we will continue to fumble in the dark, aided only by agenda-driven advocacy from all sides. After this amount of time more illumination would be welcome.

[This blogpost has its origins in a contribution to the “Future of the Online Safety Act 2023” event held by the University of Sussex on 6 June 2025.]