Why UK Online Safety Act may not be safe for bloggers

Updated Individuals who run their own website could be held liable for, weirdly enough, off-topic visitor-posted comments that break the UK's Online Safety Act.

According to Neil Brown, director of British law firm decoded.legal, it's a possibility under the wording of the law, though clear direction has not been provided.

The Online Safety Act (OSA) was passed in 2023 for the stated purpose of protecting children and adults online. It attempts to do so by requiring that designated online service providers police content and activity related to 17 categories of harm [PDF], including terrorism, harassment/stalking, coercion, hate, intimate abuse images, and child sexual exploitation and abuse (CSEA), among others.

As Ofcom, the regulatory body charged with implementing the law, explains, "The rules apply to organisations big and small, from large and well-resourced companies to very small 'micro-businesses.' They also apply to individuals who run an online service."

The rules cover a variety of "user-to-user" services that serve the UK market in a significant way, whether they're inside or outside the country. This includes social media sites, photo sharing sites, chat or instant messaging services, dating services, and gaming services. The rules also cover search services.

Ofcom has created an online Regulation Checker to help those operating web services understand whether they're obligated to comply. That decision is consequential because the penalty for non-compliance can be severe – a fine of £18 million ($22 million) or 10 percent of their global revenue, whichever is greater. There's also the potential of criminal liability for senior managers who have ignored obligations or lied about compliance.

Affected web services are expected to conduct a risk assessment and to put in place various mitigations (eg, more effective content filtering technology) to deal with identified risks. Even so, there's still some confusion about what's required of individuals operating websites.

"As with quite a lot of the Online Safety Act, even with Ofcom's tomes of guidance, the answer to some of these most basic questions, particularly in the context of services provided by individuals, is, at this point at least, 'sod knows,'" Brown told The Register via email.

Brown said he intends to put this question directly to Ofcom, though he doesn't expect a straight answer.

As we reported last month, the Online Safety Act has a set of obligations that come into force on March 17, 2025, and large website operators are already concerned. Several, like London Fixed Gear and Single Speed, have stated that they will shut their online forums rather than attempt to comply. And outside the UK, online discussion site Lobsters has implemented a geoblock that will prevent UK visitors from accessing the site after March 16.

if a service allows someone to comment on anything else, the exemption no longer applies

The issue for operators of small websites is whether they are exempt from the obligations imposed on what the law defines as a "regulated user-to-user service."

Because the wording of the law offers an exemption with regard to "posting comments or reviews relating to provider content" (eg, comments about bikes posted to a bike blog) and specifically says that user-generated content is not provider content, Brown believes individuals running websites could be held accountable for posts by third-parties that are unrelated (off-topic) to the content on that site (eg, an AI-generated explicit image posted to a bike blog).

"I think there's a reasonable interpretation of the words written by Parliament that, while a user-to-user service comprising posting comments relating to a blogpost is exempt, if a user-to-user service allows someone to comment on anything else, the exemption no longer applies, and the service is in scope of the Online Safety Act," Brown explained.

• UK government pledges law against sexually explicit deepfakes
• Investigatory Powers Bill to become law despite tech world opposition
• Brits must prove their age on adult sites by July, says watchdog
• DeepSeek rated too dodgy down under: Banned from Australian government devices

Brown makes that case in more detail via a sample illegal content risk assessment for a hypothetical blog. His conclusion is that the exemption from liability applies only to the extent that third-party blog comments relate to the topic of the blog post. If off-topic posts appear, the exemption no longer applies, he suggests.

"There is an argument that 4(a) applies only to comments about Alice blog posts, and that, if a commenter comments on something else, the comment brings the whole services outside the scope of 4(a), and thus is no longer exempt," Brown's content assessment explains.

Brown also observed in a Mastodon post that the UK government has exempted itself from liability for content posted by those visiting government websites.

Ofcom did not immediately respond to a request for comment. ®

Updated to add at 1439 UTC, February 6

After this story was filed, a spokesperson for Ofcom said: "Under Section 55 of the Online Safety Act, comments and reviews on provider content on user-to-user services are exempt from the safety duties (i.e. are excluded from the definition of 'regulated user-generated content'). 'Provider content' means content published on the service by the provider of the service, or by a person acting on their behalf. The 'provider' refers to the entity or individual that has control over who can use the user-to-user part of the service (see Section 226 of the Act).

"So in practice, if a blog and the platform on which it is posted are controlled by the writer of the blog, then the blog constitutes provider content, and comments and reviews on the blog are exempt. This exemption also extends to any further comments on such comments or reviews."

We've requested further confirmation that off-topic posts would qualify for the exemption. We'll update this story if we hear back.

Updated to add at 1735 UTC, February 6

In response to our request to clarify liability for off-topic content, Ofcom said, "Content will be exempt if it comprises comments or reviews 'relating to' provider content. The Act makes no mention of how closely connected to the provider content the comment or review must be to benefit from this exemption."