1. What is the Online Safety Act and who does it affect?
The Online Safety Act imposes a range of duties on certain services that are used in the UK. Those services are user-to-user services, search services and services with pornographic content. These duties are intended to protect users, especially children, from ‘harmful’ content online. They include removing illegal content, implementing age-verification measures to prevent children from seeing adult material, and establishing systems to risk-assess and reduce harm.
The UK’s Online Safety Act, which became law in October 2023, is being implemented in phases. Duties relating to illegal content came into force in March 2025, followed by children’s safety codes in July 2025. Ofcom continues to oversee the phased rollout, with full implementation expected in 2026.
The range of services within scope of the Online Safety Act is very broad. User-to-user services include services where people may encounter content (e.g. images, videos, messages or comments) that has been generated, uploaded or shared by others (e.g. social media sites or apps, photo or video sharing services, chat or instant messaging services or online or mobile gaming services). Search services include services where people can search other websites and databases. Services with pornographic content include services that publish or display certain pornographic content in the form of videos, images or audio.
The duties apply to companies irrespective of their size or where they are based.
2. Who makes and enforces the rules?
The Online Safety Act empowers Ofcom (the UK communications regulator) to make rules and guidance setting out what companies need to do in order to comply with the Online Safety Act.
3. Does the Online Safety Act apply to US technology companies even if they have no employees or physical presence in the UK?
Yes – as long as the company provides relevant services that: (i) have a significant number of users in the UK; (ii) have the UK as a target market; or (iii) are capable of being used by individuals in the UK and there is a material risk of significant harm. It does not matter whether the company has any employees or physical presence in the UK.
4. What does compliance with the Online Safety Act require?
Compliance with the Online Safety Act requires companies to implement systems to identify, assess, and remove illegal content, particularly child sexual abuse material, while also shielding children from harmful material such as that promoting self-harm, eating disorders, or pornography. Companies must conduct risk assessments, use effective age-assurance measures, and be transparent about risks on their platforms. There are additional requirements for companies that are categorised as particularly significant, for example due to their number of users.
5. Why are the Online Safety Act and Ofcom’s approach to it so controversial?
The Online Safety Act has received substantial criticism, particularly in relation to its restrictions on the freedom of expression. Some of the most prominent criticisms include:
- Threatening freedom of expression – Ofcom defines what content is ‘harmful’ and individual companies must decide if content falls within that definition. It has been argued that Ofcom’s definitions have led/may lead to legitimate content being censored.
- Outsourcing censorship – Private companies are required to decide on the legitimacy of particular content. It has been questioned whether this is an appropriate task for private companies to perform. Also, given the draconian penalties for non-compliance and the vague definitions, there is a significant risk that companies over-comply, notably in areas of political controversy.
- Undermining end-to-end encryption – The Online Safety Act gives Ofcom the power to force companies to seek to access content sent via end-to-end encryption.
- Invasive age verification/digital exclusion – Certain content (e.g. pornography) can only be accessed by those who have passed age checks (e.g. providing official identification material). This has been criticised for being intrusive and for excluding those who have no identification or who do not want to provide identity documentation to unknown entities, which themselves may not have adequate IT security.
- Imposing an excessive regulatory burden – Companies have to implement the rules and guidance. This has led to certain companies closing or withdrawing from the UK market.
- Ineffectiveness – Users based in the UK can use VPNs to make it appear as if they are accessing the content from outside of the UK and therefore avoid the measures that Ofcom has sought to impose.
6. Does the Online Safety Act require a company to access content sent via end-to-end encryption?
No, at least not yet.
The Online Safety Act contains a provision that could require companies to use ‘accredited technology’ to identify illegal content. However, given that there is currently no technology that can scan end-to-end encrypted messages, there is no ‘accredited technology’ available.
7. What are the penalties for not complying with the Online Safety Act?
Companies can be fined up to £18 million or 10 percent of their qualifying worldwide revenue, whichever is greater. Criminal action can be taken against senior managers who fail to ensure companies follow information requests from Ofcom. In certain circumstances, Ofcom will also be able to hold companies and senior managers criminally liable for failure to comply with Ofcom’s enforcement notices. Further, with the agreement of the courts, Ofcom will be able to require payment providers, advertisers and internet service providers to stop working with a site, preventing it from generating money or being accessed from the UK.
8. Has Ofcom taken any enforcement action to date?
So far, Ofcom has launched three ‘enforcement programmes’ and opened multiple investigations as a result of them. The ‘enforcement programmes’ relate to potential failure to comply with rules concerning:
- Age assurance for pornography
- Safety measures to prevent file-sharing and file-storage services being used for child sexual abuse imagery
- Illegal content risk assessment
Consistent with the infancy of the regime, no sanctions have yet been imposed, but we expect sanctions to be imposed imminently, with considerable publicity.
9. Has anyone challenged the legality of the Online Safety Act/Ofcom’s actions?
The Online Safety Act is primary legislation passed by Parliament. Unsurprisingly, its legality in and of itself has not been challenged – the UK has no equivalent of the US Constitution which legislation must comply with. However, it has faced/is facing the following challenges:
- The Wikimedia Foundation/Wikipedia has challenged the rules relating to how companies are categorised such that stricter rules may apply to them.
- 4chan – a US company which Ofcom has provisionally decided to fine for non-compliance with requests – has said that it will not comply with the process. Its view is that its First Amendment right to freedom of speech under the US Constitution cannot be restricted by Ofcom.
10. What should a US technology company that receives a request for information/investigation notice from Ofcom do?
It is usually important for a company to seek legal advice, especially if it is unfamiliar with the Online Safety Act/Ofcom.
It needs to be determined if the information request is a formal statutory information request. If it is, there can be penalties for non-compliance. If it is not, Ofcom may well send a formal statutory information request if the initial request is not complied with.
Companies should appreciate that the response will form part of the evidential record. Providing false and/or misleading information can be an offence. It can, along with a substandard or incomplete response, also undermine the company’s credibility with Ofcom. The response to the request is an opportunity for the company to put forward its version of events. Not doing this with care can have negative strategic consequences and put a company on the back foot in what can be a prolonged process.
Even if a company is minded not to engage with or accept the jurisdiction of Ofcom (i.e. take the same approach as 4chan), it will likely want advice on the potential consequences of this, especially considering Ofcom’s ability to disrupt the company’s UK activities. In addition, a UK judgment may be enforced in the US in certain circumstances.
About Brown Rudnick’s UK/US technology and regulatory capabilities
Brown Rudnick advises technology companies on complex legal and regulatory challenges globally. Our integrated UK and US team helps clients navigate cross-border issues including online safety, content regulation, data protection, cybersecurity, AI, fintech, and digital platforms.
We are experienced in dealing with the UK’s Online Safety Act, guiding clients on compliance strategies, risk management, and engagement with regulators. We are also expert at challenging regulators if and when they overstep, including acting in Ofcom’s first and only defeat in a judicial review concerning its Broadcasting Code.