The Online Safety Act: What you need to know
The UK’s new Online Safety Act introduces a sweeping set of rules to regulate digital platforms and online content. This article explores the scope of the Act, how it works and the potential cyber security risks associated with compliance, including concerns about data privacy and identity verification.
Table of contents
- What is the Online Safety Act?
- Why has this been put in place?
- How does the Online Safety Act work?
- How does this affect users?
- How might the Online Safety Act affect your business?
- Potential security risks
- Final thoughts
What is the Online Safety Act?
The Online Safety Act is new UK legislation that, in effect, sets rules for restricting online content. There are two sides to this act:
- It puts specific measures in place to restrict content to certain audiences.
- It introduces a new means of censoring online content and information.
Why has this been put in place?
The Online Safety Act has been introduced to reduce the amount of harmful content on the Internet, specifically for users under the age of 18. Supposedly, this is an attempt to make the Internet a safer place for all.
How does the Online Safety Act work?
Online platforms operating in the UK must now be much stricter about what content they show and must conform to what the UK Government deems to be “harmful content.”
Failure to comply with the new rules will result in Ofcom conducting an investigation into the platform and severe financial penalties, up to a maximum of £18 million or 10% of the company's global revenue, whichever is larger. In the most extreme case, Ofcom could request that the courts block the platform from operating in the UK.
Platforms are being forced to implement age verification techniques, such as AI face scanning or using a valid form of ID, to limit who can access certain content.
How does this affect users?
As a user, you may find that content you are used to consuming now prompts you for age verification before you can watch, listen to, or read it. This will require you to upload a photograph of a valid form of government ID, such as a driver's licence or passport.
Alternatively, platforms may offer the option of AI face scanning, which uses a device's camera to examine a user's face and determine whether the user is over 18.
This will require users to verify their age by:
- Uploading a photo of a valid form of ID (driver's licence, passport)
- Scanning their face using the device camera, with the platform using AI to determine their age
How might the Online Safety Act affect your business?
For businesses in the UK that host user-generated content, the Online Safety Act means stricter obligations to detect, remove, and prevent any “harmful material”, not just for children but for adults too. Any website, app, or platform with features such as comments, reviews, messaging, or search could fall within the scope of this act, even if it is not a social media giant. A list of some of the types of content restricted can be found here: Keeping children safe online: changes to the Online Safety Act explained.
Ofcom provides a self-assessment form to help you determine whether the Online Safety Act applies to you. Here are a few examples of the information you need to provide in the self-assessment form:
- Does your website have links to the UK?
- Does your website provide user-to-user services?
- Does your website provide a search service?
- Do any exemptions apply to the user-generated content?
Potential security risks
1. Data storage risks
From a cyber security standpoint, the Online Safety Act’s age verification and identity requirements introduce significant risks that could outweigh their intended benefits.
Platforms are essentially forced to adopt third-party age verification services, which then store large volumes of people’s personal identification data, making them very attractive targets for cyber criminals. This raises the questions of whether personal ID information is being stored securely, who controls it, and whether it could be used or monetised without your consent.
An example of this can be seen with Reddit, which uses a third-party US-based company called Persona for age verification. US-based companies such as this could be compelled under the “Patriot Act” to hand the data they hold to the US Government. Persona attempts to mitigate this by only storing data for a short period of time.
It is possible for platforms to implement age verification services that are not based in the UK, meaning that your data could be at the mercy of the laws and legislations of other countries.
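The mitigation mentioned above, holding identity data only briefly, can be made concrete as a data-minimisation pattern: the raw ID document lives in the store only for the duration of the check and is purged on a short TTL, while only the yes/no decision is retained against an opaque user reference. The following is an added illustration written for this article; it is not Persona's, Reddit's, or any real provider's code. The document format (`DOB:YYYY-MM-DD`), the class and function names, and the retention periods are all hypothetical constructions; a real verifier would be checking an ID image or a face scan rather than parsing a date string. The `breach_exposure` helper shows what an attacker who copied the whole store would obtain at a given moment, which is the risk the section is about.

```python
import time
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, Optional

# Hypothetical retention limits (constructed for this example, not any real provider's policy).
RAW_DOCUMENT_TTL_SECONDS = 60             # raw ID image/scan purged within a minute of the check
DECISION_TTL_SECONDS = 90 * 24 * 60 * 60  # only the over-18 decision is kept, for 90 days


def age_from_document(document: bytes, today: date) -> int:
    """Stand-in for a real document check. The constructed document format is just
    b"DOB:YYYY-MM-DD"; the point of the example is what is retained afterwards,
    not how the age is derived."""
    text = document.decode("ascii")
    if not text.startswith("DOB:"):
        raise ValueError("unrecognised document format")
    dob = date.fromisoformat(text[4:])
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1  # birthday not yet reached this year
    return years


@dataclass
class VerificationRecord:
    user_ref: str                          # opaque platform-side reference, not a real name
    over_18: bool
    verified_at: float
    raw_document: Optional[bytes] = None   # present only until the short TTL expires
    raw_received_at: Optional[float] = None


class MinimisingStore:
    """Keeps the raw ID only while the check runs, then retains just the decision."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock  # injectable clock so retention can be tested deterministically
        self._records: Dict[str, VerificationRecord] = {}

    def verify(self, user_ref: str, document: bytes, today: date) -> bool:
        """Run the age check and record the decision; the raw document is kept transiently."""
        now = self._clock()
        decision = age_from_document(document, today) >= 18
        self._records[user_ref] = VerificationRecord(
            user_ref=user_ref, over_18=decision, verified_at=now,
            raw_document=document, raw_received_at=now)
        return decision

    def purge(self) -> int:
        """Drop raw documents past their TTL and whole records past the decision TTL.
        Returns the number of items removed. Intended to run on a frequent schedule."""
        now = self._clock()
        removed = 0
        for ref in list(self._records):
            rec = self._records[ref]
            if rec.raw_document is not None and now - rec.raw_received_at >= RAW_DOCUMENT_TTL_SECONDS:
                rec.raw_document = None
                rec.raw_received_at = None
                removed += 1
            if now - rec.verified_at >= DECISION_TTL_SECONDS:
                del self._records[ref]
                removed += 1
        return removed

    def is_verified(self, user_ref: str) -> Optional[bool]:
        """True/False for a retained decision, None once the record has expired."""
        rec = self._records.get(user_ref)
        return None if rec is None else rec.over_18

    def holds_raw_document(self, user_ref: str) -> bool:
        rec = self._records.get(user_ref)
        return rec is not None and rec.raw_document is not None

    def breach_exposure(self) -> Dict[str, int]:
        """What an attacker who copied the whole store would get at this moment."""
        return {
            "raw_documents": sum(1 for r in self._records.values() if r.raw_document is not None),
            "decisions_only": sum(1 for r in self._records.values() if r.raw_document is None),
        }


if __name__ == "__main__":
    clock = [1_000.0]
    store = MinimisingStore(clock=lambda: clock[0])
    store.verify("u-1", b"DOB:2001-06-15", today=date(2025, 1, 1))  # constructed sample document
    print(store.breach_exposure())   # {'raw_documents': 1, 'decisions_only': 0}
    clock[0] += RAW_DOCUMENT_TTL_SECONDS
    store.purge()
    print(store.breach_exposure())   # {'raw_documents': 0, 'decisions_only': 1}
```

The design choice worth noting is that the record never contains a name or document number, only an opaque reference and a boolean, so once the short raw-document window has passed, a copy of the store tells an attacker nothing that links online activity to a real identity. Whether a given provider actually does this, and for how long it holds the raw document, is a question to put to them in your own supplier due diligence.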
2. Phishing and blackmail
A breach of this kind of data could lead to mass identity theft, helping threat actors conduct highly targeted phishing campaigns, commit fraud, or link online activity to real individuals for blackmail purposes. The knowledge that a company holds millions of verified IDs will inevitably make it a prime target for attackers.
3. VPNs
At the same time, individuals unwilling to submit their ID may turn to unregulated alternatives such as insecure VPN services or potentially even the dark web, likely exposing themselves to more harmful content than they would otherwise have encountered.
4. Navigating compliance through GDPR
This increase in sensitive data collection creates a tricky balancing act for businesses: meeting the demands of the Online Safety Act while staying within the bounds of GDPR. The two regulations can pull in different directions, making compliance feel like a moving target. As a managed services provider, we support businesses with GDPR compliance tools, secure data storage solutions, and risk assessment frameworks that align with both sets of obligations, helping you stay compliant without compromising user trust.
Final thoughts
In theory, the Online Safety Act aims to make the internet a safer place, but in practice it introduces some serious challenges surrounding compliance and security. Businesses need to assess whether they fall within the scope of this new legislation and, if so, take the necessary actions to ensure compliance, while users need to stay vigilant about who they give their personal information to and where.
If you’re unsure whether your business falls under the Online Safety Act or how to align its requirements with GDPR, our GDPR consultancy services can provide a compliance assessment and security roadmap to help you prepare with confidence. Contact us to learn more.