Notice

Online Safety Act: Protection of Children Codes of Practice - explanatory memorandum

Published 24 April 2025

1. Introduction

1.1 This explanatory memorandum has been prepared by the Department for Science, Innovation and Technology and is laid before Parliament by Command of His Majesty.

2. Purpose of the instrument

2.1 Rt Hon Peter Kyle MP, Secretary of State for Science, Innovation and Technology at the Department for Science, Innovation and Technology confirms that this explanatory memorandum meets the required standard.

2.2 1. Daniel Okubo, Deputy Director for Online Safety Policy and Regulation at the Department for Science, Innovation and Technology confirms that this explanatory memorandum meets the required standard.

3. Contact

3.1 Daniel Wilson at the Department for Science, Innovation and Technology Telephone: 07826 217 062 or email: osaimplementation@dsit.gov.uk can be contacted with any queries regarding the draft codes of practice.

Part 1: explanation, and context, of the codes of practice

4. Overview of the codes of practice

What does the document do?

4.1 The Online Safety Act 2023 (the OSA) confers duties on the providers of certain internet services (regulated ‘user-to-user services’ and ‘search services’) to take proportionate measures to protect children from accessing or being exposed to harmful and age in-appropriate content. These are the ‘child safety duties’ (section 12 and 29 of the OSA).

A user-to-user service is an internet service if content that is generated directly on the service by a user of the service or uploaded to or shared on the service by a user of the service – may be encountered by another user (or other users) of the service. A search service means an internet service that is, or includes, a search engine.

4.2 The strongest protections in the OSA are for children. Service providers will be required to operate a service using proportionate systems and measures designed to prevent children from accessing the most harmful content and protect them from age-inappropriate content and provide parents and children with clear and accessible ways to report problems online when they do arise.

4.3. Ofcom is the independent regulator of the OSA. The OSA requires Ofcom to set out in codes of practice the measures service providers can take to fulfil their child safety duties (section 12 and section 29 of the OSA) as well as their duties on content reporting and complaints procedures (sections 20, 21, 31 and 32 of the OSA).Ofcom has compiled these codes of practice into 2 documents. One is for user-to user services and one for search services. The child safety codes of practice propose practical measures for online services to meet their legal responsibility to protect children online under the OSA. Once in force, these protections will ensure service providers protect children from harmful content online and create safer experiences for children online.

Where do the draft codes of practice extend to, and apply?

4.4 The extent of these codes of practice (that is, the jurisdiction(s) which these codes of practice forms part of the law of) is England and Wales, Scotland and Northern Ireland.

4.5 The territorial application of these codes of practice (that is, where these codes of practice produce a practical effect) is England and Wales, Scotland and Northern Ireland.

5. Policy context

What is being done and why?

5.1 The OSA creates a new regulatory framework for user-to-user services and search services. As part of this, it gives all user-to-user services and search services new duties to protect children from harmful content on their services. Protecting children is at the heart of the OSA. Even if content is not illegal it could be harmful or age-inappropriate for children and service providers will be required to protect children from it. Services that are likely to be accessed by children need to take steps to protect children from harmful content and behaviour.

5.2 The OSA requires Ofcom to produce codes of practice setting out measures that service providers may take in order to be deemed compliant with the child safety duties. The measures outlined in the codes of practice should improve children’s online experiences as:

• children should not be able to access pornography and will be protected from seeing, and being recommended, harmful content including violent content
• children must not be added to group chats without their consent
• it will be easier for children to complain when they see harmful content and they can be more confident that their complaints will be acted on

5.3 The codes of practice will apply to services in scope of the OSA which are likely to be accessed by children. The codes cover 3 broad areas:

• robust governance and accountability – ensuring service providers have appropriate senior oversight and accountability for children’s safety online

• safer platform design choices– making sure services understand their users’ age and keep children safe, including ensuring recommender systems and content moderation operate effectively to prevent harm to children, alongside highly effective age assurance

• providing children with information, tools, and support - ensuring service providers provide clear and accessible information to children and carers, making sure reporting and complaints functions are easy-to-use, and giving children tools and support to help them stay safe online

5.4 Section 41 of the OSA sets out that Ofcom should consult on draft versions of its codes of practice. After this, section 43 of the OSA sets out that Ofcom should submit final proposed versions to the Secretary of State. Under section 44 of the OSA, the Secretary of State then has the power to direct Ofcom to modify the codes, where the Secretary of State believes this is required for certain public policy reasons. Where the Secretary of State does not use these powers, they must lay the draft codes of practice in Parliament as soon as practicable for scrutiny.

5.5 Section 47(1) of the OSA require Ofcom to keep under review each code of practice.

What was the previous policy, how is this different?

5.6 Prior to the codes of practice coming into force, services did not have to assess whether children access their service and if so, to carry out a risk assessment and comply with the duties to prevent children from seeing the most harmful content and protect them from other harmful content and age-inappropriate content. These are the first set of codes of practice for the child safety duties produced by Ofcom under section 41 of the OSA. In accordance with section 43(11), Ofcom have met the statutory deadline to submit the codes to the Secretary of State within 18 months of the OSA being passed.

6. Legislative and legal context

How has the law changed?

6.1 This is part of a new regulatory regime under the OSA. These are the first set of codes of practice for the child safety duties that Ofcom has prepared and which the Secretary of State has laid for parliamentary scrutiny. They set out Ofcom’s recommended measures that user-to-user services and search services can take to fulfil their child safety duties under the OSA.

6.2 Section 49 of the OSA provides that a provider which takes the steps in a codes of practice recommended for compliance with a particular duty is treated as complying with that duty. Section 50 provides that, although a failure to act in accordance with the codes of practice is not of itself a ground for bringing legal action against a provider, a court of tribunal must take into account a provision of the codes of practice where it is relevant to a question in proceedings and was in force at the relevant time. Ofcom must similarly take a relevant codes of practice provision into account in determining questions arising in connection with the exercise of certain functions.

Why was this approach taken to change the law?

6.3 There is a duty under section 41 of the OSA for Ofcom to issue codes of practice for these child safety duties. The Secretary of State has considered the draft codes of practice and under section 44, does not intend to make a direction to Ofcom to modify the draft codes submitted.  Therefore, in line with section 43(2) of the OSA, the Secretary of State is laying the draft codes of practice before Parliament.

7. Consultation

Summary of consultation outcome and methodology

7.1 Ofcom consulted on the protection of children codes of practice as a part of a package of regulatory proposals under the OSA (the other products included in the package do not need to be laid). Ofcom issued one consultation.

7.2 There has been a high level of public interest in the codes. Ofcom received 132 responses commenting on all aspects of the proposals in the consultation. Ofcom has additionally sought the views of children on the measures via a deliberative engagement project, the output of which is published on Ofcom’s website. Ofcom has taken into account comments received in response to its November 2023 consultation and in response to its January 2023 call for evidence where they are also relevant to its proposals in relation to the protection of children.

7.3 There has been broad support for the package of measures from a variety of stakeholders, as well as concerns raised about some aspects of the package and/or the legislative framework. Stakeholders comments included views on Ofcom’s approach to:

• the ‘safe harbour’ in the OSA
• safety by design
• age groups and minimum age
• addictive design
• features and functionalities
• measures to tackle specific types of harmful content
• non-designated content harmful to children

7.4 The issues raised and Ofcom’s response to them is included in detail in Ofcom’s regulatory Statement: Protecting children from harms online. Comments on Ofcom’s approach to developing the codes and on who they apply to are summarised and addressed in the sections “Overview of the Protection of Children Codes” and “Developing the Protection of Children Codes: Our framework”. Comments on each proposed measure are summarised and addressed in the chapter within Volume 4 setting out the reasoning for recommending that measure.

8. Applicable guidance

8.1 Ofcom has not published any guidance documents required to interpret the codes of practice. They are complete in their own right.

8.2 However, Ofcom has published a series of other guidance documents under the OSA, without which the online safety regulatory regime as it relates to the protection of children would not be complete. These documents are available on Ofcom’s website:

• Record Keeping and Review Guidance under section 52(3)(a)

• Children’s Access Assessments Guidance under section 52(3)(b)

• Guidance on Content Harmful to Children under section 53

• Children’s Register of Risk under section 98

• Children’s Risk Profiles under section 98

• Children’s Risk Assessment Guidance under section 99(3)

• Non-statutory Guidance on Highly Effective Age Assurance for Part 3 Services

Part 2: impact and the Better Regulation Framework

9. Impact assessment

9.1 Ofcom has a duty under section 7 of the Communications Act 2003 to carry out impact assessments when preparing a code of practice under section 41 of the OSA. The assessment must include an assessment of the likely impact of implementing the proposal on small businesses and micro businesses.

9.2 Ofcom has discretion as to the substance and form of an impact assessment. The impact assessments for these codes of practice are included in Volume 4 and Annex 5 of Ofcom’s regulatory Statement (i.e. the document published on its website which sets out its reasoning in full).

9.3 Ofcom has considered how each measure will reduce the risk of harm it has identified and how effectively it will do this. While Ofcom has sought to quantify impacts where feasible, there is a lack of robust quantitative evidence. It is even more challenging to put certain benefits in monetary terms. For example, it is difficult to quantify the social and psychological impacts of children’s exposure to harmful content and damage to physical and mental health. While Ofcom has not generally quantified these benefits in monetary terms, it has placed significant weight on such impacts in its decisions. As required by section 98 of the OSA, it has published a comprehensive assessment of the causes and impacts of harms to children in the Children’s Register of Risks.

Impact on businesses, charities and voluntary bodies

9.4 The impact on businesses is that if businesses providing online user-to-user services and search services comply with the measures in the codes of practice then they are considered to be compliant with the relevant child safety duties to which the measure applies. Service providers can take alternative measures to comply and must keep a record of the measures and explain how the relevant safety duties have been met.

9.5 The impact on business, charities or voluntary bodies will vary depending on whether they provide services within scope of the OSA and are likely to be accessed by children, and whether they identify risks to children on those services. For providers of smaller services that assess their service as negligible or low risk of all kinds of harm to children, the measures largely relate to explicit requirements in the OSA. Very few measures are recommended beyond that and the incremental cost of those extra measures is small. For service providers that identify medium or high risks of harm to children in their children’s risk assessments, the impact may be significant. Ofcom has taken this into account and considers the measures warranted given the scale of the potential harm to children posed by services with medium or high risks. There are also additional measures for providers of large and medium- or high-risk services, which are expected to do more. Many measures allow providers some flexibility in how they are implemented, so providers can tailor to their service which tends to reduce the cost. Ofcom has assessed the impact of these measures and found them proportionate.

9.6 The codes of practice do impact small or micro businesses, but the approach taken does not include measures that are specifically designed to impact small or micro businesses disproportionately. The OSA confers duties on regulated “user-to-user services” and “search services”, regardless of their size. The impact on businesses of any size depends on whether they assess as having risks on their services, as described in the previous paragraph, as well as other relevant criteria, such as having certain functionalities. The decision to not exempt small and micro businesses was taken because of the importance of protecting children on these services.

9.7 There is no, or no significant, impact on the public sector because 9 and 10 of Schedule 1 to the OSA exempt services provided by public bodies and services provided by persons providing education or childcare from being regulated.

9.8 The breadth and complexity of this new regime means the codes cover many areas. Ofcom has taken steps in its regulatory Statement to make the regime as accessible as possible, including:

• A summary of Ofcom’s decisions and the user-to-user and search services to which they apply.
• A summary of each chapter, setting out what it is about, a summary of stakeholder feedback received, and the decisions Ofcom has taken.
• The introductory chapter to Ofcom’s Statement includes suggestions to signpost stakeholders towards the documentation and tools they might find most helpful (e.g. a digital support service for small and medium sized services).

These resources have been developed with individuals and small or medium-sized enterprises in mind and based on their feedback and input. Ofcom will continue to collect feedback to iterate and improve the support on offer.

9.9 Moving forward, Ofcom will continue to meet with interested parties and explain its decisions through meetings, conferences, and webinars.

10. Monitoring and review

What is the approach to monitoring and reviewing this legislation?

10.1 The approach to monitoring this legislation is that, pursuant to section 47 of the OSA, Ofcom must keep the codes of practice under review. Ofcom will evaluate compliance with the regime and the impact of its guidance and codes of practice. Ofcom’s monitoring and evaluation work includes assessing whether its interventions are leading to changes in services’ systems and processes, a safer online life for users, particularly children, and unintended consequences that need mitigation.

10.2 Ofcom has said that given the breadth and the depth of the OSA, its evaluation strategy will cover several key strands of work. These include assessing the overall impact of the introduction of the OSA in priority areas, as set out in Ofcom’s publication Implementing the Online Safety Act: progress update. Ofcom has said it wants to evaluate whether service providers are assessing the risk of harm on their services and putting in place measures to address the areas of greatest risk to people, especially children. To do this, it will engage directly with a sample of services and is also planning to use a business survey to reach out to a larger group of services. Ofcom also intends to track children’s experiences online, using evidence from its own research, such as Ofcom’s new Children’s Online Safety Tracker and Children’s Agile Research Solution, and more broadly, including from government and civil society.

10.3 It is also important that Ofcom understands the impact of its policies in specific areas. This could include, for example, the impact of regulation on businesses’ costs, particularly for small and micro businesses.

10.4 Additionally, Ofcom aims to understand the impact of discrete changes made by regulated services on safety outcomes, and will work with services to incentivise them to embed evaluation into their product development. Its economics discussion paper Evaluating online safety measures sets out how a widely used evaluation framework could be applied to assess the impact and effectiveness of online services’ safety measures.

10.5 The instrument does not include a statutory review clause; section 47 of the OSA requires Ofcom to keep the Codes of Practice under review and section 178 requires the Secretary of State to review the operation of the regulatory framework in this Act.

Part 3: statements and matters of particular interest to Parliament

11. Matters of special interest to Parliament

11.1 None

12. European Convention on Human Rights

12.1 As the codes of practice are not primary legislation a human rights statement is not required.

13. The Relevant European Union Acts

13.1 The codes of practice are not made under the European Union (Withdrawal) Act 2018, the European Union (Future Relationship) Act 2020 or the Retained EU Law (Revocation and Reform) Act 2023 (“relevant European Union Acts”).