17.1 The Online Safety Act in practice

One Act now shapes how almost every UK-facing service is run.

What the Act is

The Online Safety Act 2023 is a large and far-reaching piece of legislation that received Royal Assent in October 2023 and has been brought into force in stages since. Its stated purpose is to make the UK "the safest place in the world to be online", chiefly by requiring online services to protect users — and especially children — from illegal content and from material judged harmful. It is the single most consequential internet law the UK has passed, and most of the specific restrictions described elsewhere in this chapter either flow from it or sit alongside it.

The Act works not by banning particular words or images directly, but by imposing legal "duties of care" on the companies that run online services. Those duties are deliberately broad and outcome-focused: a service must assess the risks its users face and take proportionate steps to reduce them. The detail of what "proportionate" means in practice is filled in by the regulator, Ofcom, through codes of practice and guidance. This structure matters, because it means the real rules are set not by Parliament line by line but by a regulator interpreting open-ended duties — a process that is faster to change and harder for the public to follow.

Who it applies to

The Act applies to a very wide range of services: social media platforms, search engines, messaging apps, video-sharing sites, gaming platforms, dating apps, forums, and any site that hosts content generated by its users or allows them to interact. Crucially, it applies on the basis of who can access a service, not where the service is based. A small forum run by a hobbyist abroad, a community Discord, or a niche special-interest board is within scope if it has UK users, which in practice means almost everything. This global reach is one reason the Act's effects have been felt well beyond large platforms.

There is a tiered structure. The largest and riskiest services, designated "Category 1", carry the heaviest duties, including transparency reporting and additional requirements around content that is legal but considered harmful to adults. Smaller services have lighter but still real obligations. The threshold for the heaviest duties has itself been contested, because it determines whether a given platform faces the full weight of the regime. What unites all tiers is that none can simply ignore the Act on grounds of size, and the cost of compliance falls disproportionately on the small.

What services must now do

In concrete terms, an in-scope service is now expected to carry out and document risk assessments, put in place systems to detect and remove illegal content, provide mechanisms for users to report problems, enforce its own terms of service consistently, and — where children can access it — protect them from a defined set of harms. From March 2025 the illegal-content duties came into force, requiring services to act against material such as terrorism content, child sexual abuse material, fraud, and incitement. From July 2025 the child-safety duties added requirements to keep children away from pornography and other content judged harmful to them, which is where mandatory age checks entered everyday life.

The practical consequence is a great deal of new machinery: automated scanning and filtering, age-assurance systems, reporting tools, and compliance teams. For large companies this is an expense they can absorb. For small ones it can be the deciding factor in whether they continue to operate at all. The Act does not tell a service exactly which tools to use, but the duties are written so that doing nothing is not an option, and the safest course for a nervous operator is to over-remove and over-restrict rather than risk a finding of non-compliance.

The role of Ofcom

Ofcom, previously known mainly as the broadcasting and telecoms regulator, is the enforcer of the Online Safety Act, and the Act gives it formidable powers. It can demand information from companies, issue codes of practice that effectively define compliance, and impose fines of up to £18 million or ten per cent of a company's worldwide annual turnover, whichever is greater. In the most serious cases it can seek court orders requiring payment providers and internet infrastructure firms to withdraw services from a non-compliant site, a measure sometimes described as "business disruption". Senior managers can face criminal liability in defined circumstances.

This concentration of power in a regulator is one of the most significant features of the regime. Because the duties are broad and the codes are detailed and revisable, Ofcom's interpretation shapes what is permitted online for UK users more directly than the text of the Act itself. Decisions about what counts as proportionate, which age-assurance methods are acceptable, and how aggressively services must police content are, in effect, regulatory judgements rather than democratic ones. Whatever one thinks of the goals, this is a substantial transfer of authority over public discourse to an administrative body, and it deserves close scrutiny.

An earlier version of the Bill would have required platforms to tackle content that was lawful but considered harmful to adults. After sustained criticism that this would license the removal of perfectly legal speech, that specific duty for adults was largely replaced with a different approach: giving adult users tools to filter content they do not wish to see, and holding platforms to their own stated terms. This was a genuine improvement, and it is worth acknowledging when criticism of the Act is otherwise sharp.

The speech concerns did not disappear, however. Because the duties are broad and the penalties severe, platforms have a strong incentive to remove anything that might plausibly be illegal or harmful rather than risk being wrong. Automated systems used at scale cannot reliably tell satire from threat, education from promotion, or reporting from endorsement. The predictable result is over-removal: lawful, valuable, or merely awkward speech caught in filters designed to catch the genuinely unlawful. This dynamic, and the wider erosion of speech it produces, is examined throughout Chapter 16 and especially in 16.3 and 16.4.

The chilling effect on small sites

One of the clearest early effects of the Act has been on small, independent online communities. Faced with compliance duties written with large platforms in mind, a number of hobbyist forums, niche communities, and small special-interest sites concluded that the legal risk and administrative burden were not worth it, and either closed, blocked UK users, or restricted what they offered. This is not the headline outcome the Act's supporters intended, but it is a real one, and it falls on exactly the kind of small, human-scale internet that many people value most.

The mechanism is straightforward. A volunteer running a forum for a few thousand people cannot fund a compliance team, cannot easily judge where the line of "proportionate" lies, and cannot absorb a fine if they guess wrong. For such a person, the rational response to legal uncertainty is to withdraw. The effect is a quiet consolidation of online life onto a smaller number of large, well-resourced platforms — the opposite of a diverse and resilient internet, and a poor outcome for anyone who cares about independent spaces. This is worth remembering when the Act is described purely as a constraint on big technology firms.

What it means for you

For an ordinary user, the Online Safety Act mostly shows up indirectly: more age checks, more content removals, more friction, and the disappearance of some smaller communities. You cannot opt out of a law, and this guide does not suggest trying to. What you can do is understand the system you are now operating within, so that its effects do not surprise you and so that you make informed choices about where you spend your time and how much you disclose.

Practically, that means three things. First, treat large platforms as the heavily-regulated, heavily-monitored spaces they now are, and keep sensitive or easily-misread expression off them where another channel serves better, as discussed in 16.8. Second, support and use independent, privacy-respecting services where you can, since their survival is not guaranteed. Third, follow the specific measures in the rest of this chapter — age assurance in 17.2, encryption in 17.5 — because the Act is the framework, and those are the places where it touches your daily life most directly. The consolidated practical steps are in 17.7.