The UK Online Safety Act 2023

MartinJD

Hi all, has anyone with a UK based forum come across this?

Apparently the people that run message boards are going to be legally on the hook for the content people post and / or legally need to be able to prove 24/7/365 moderation is in effect and the forum complies with a stack of other rules and regulations (e.g. terms and conditions of use legally drafted up).

Is there anything currently underway within the flarum community to help mitigate against having to shut small forums down? Or any other thoughts on the impact of this?

luceos

I've not heard of this, but how does a small community guarantee 24/7/365 moderation? Do you have references to this law?

Umutcan

luceos Speaking of legal, wouldn't it be better for GDPR communities to ask for a preference-based cookie consent with FoF Cookie Consent?

For example, specific cookie headers that Flarum uses, provider previews, etc.

MartinJD

So lots of talk on various small forums of them having to close: good thread here: https://www.lfgss.com/conversations/401475/

GreXXL

Just did a quick search (https://en.wikipedia.org/wiki/Online_Safety_Act_2023). I think it was meant to target bigger networks - but was not written that way. Some little message boards got also shocked and closed (https://www.theregister.com/2025/01/14/online_safety_act/#:~:text=%22Every%20single%20service%20will%20have,that%20Parliament%20designed%20the%20act.).

I think the only official advise we can give - is seek legal councel in the UK. This is not something any software can solve for you and no small forum can easily comply with. I would assume that if it's not for profit things are more relaxed but I am certainly no expert.

MartinJD

GreXXL UK. This is not something any software can solve for you

Whilst it can’t solve it, I can think of ways in which the software can help with compliance. For example the current post flagging system and the T&Cs plug in should help.

GreXXL

GDPR does not enforce 24/7 moderation requirements on small community forums. So that's totally different pair of shoes.

MartinJD if there are certain suggestions for extensions needed to better cope you can always post them inProposals.

MartinJD

GreXXL if there are certain suggestions for extensions needed to better cope you can always post them inProposals.

I don't have anything yet, but if we collectivity think of anything in this discussion i'll be more than happy to propose it.

averixus

(I'm not a lawyer, this isn't legal advice, etc)

The Online Safety Act (which is distinct from GDPR - some people are getting those mixed up) does not require you to prove you have 24/7 moderation, or put you legally on the hook for the content members post. It requires you to:

Do a few simple but tedious risk assessment procedures thinking about how likely illegal content is on your service and what you'll do to mitigate the harm from it,
Keep records of those procedures in case you ever need to prove that you did them,
Tell your users (in your terms of service) that you've done those procedures and how they can complain if there's a problem.

For a small forum the requirements are not very drastic, but because the law is new there's not a lot of clear guidance yet and people are understandably worried about it. Larger forums are expected to be higher risk, and to to have correspondingly more protections in place than smaller services.

Some resources:

Ofcom are responsible for enforcing the act and have tons of official guidance on their website, although it's not all that easy to understand.
This independent site is managed by someone who's been doing a lot of research into how the OSA affects small services with a focus on mastodon/fediverse instances, and they've written some template and example policies to refer to.

Wellwisher

I am from the UK, London. I host a celebrity forum.

Here's my two pennies ole chap.

I'm not a lawyer, this isn't legal advice, etc but I am a certified G.

The narrative here is that the new law is intended to keep people safe. We should applaud the UK government for safeguarding us online. It's a great law. The UK is finally prioritizing our online well-being—though the same level of concern is yet to be seen on our streets.

Unfortunately, you're correct. In it's adolescent form, this law does not safe-guard smaller websites owners from prosecution. This has inadvertently resulted in smaller forums from closing (or thinking of closing #lfgss). I would even go as far as saying this law has killed off newer British communities from forming online.

Some may even argue, that this law (in its current form) has ultimately supressed our 'freedom of expression' and impeded our 'freedom of speech'.

I'd like to think that a responsible website owner looks after their community and stops harmful, unlawful content from being published. I will continue to do this. I don't need a law dictating 40 safety measures telling me this.

With that said, I do enjoy the thought of humouring this law.

Source Theregister - Tue 14 Jan 2025 // 12:15 UTC

Who has to publish a summary risk assessment on their website? Sites with 34 million or more monthly active UK users. The threshold is lower for services that allow users to forward or reshare user-generated content and use a content recommender system: 7 million or more UK users. Organizations with a smaller number of users will simply have to have the document ready should Ofcom request it.

As GreXXL mentioned it's mostly for large websites. However if you're a small fish, it's important that you're prepared as can be.

How to comply (the essentials of what you need to do):

My forum falls under <7m users. So I've just completed the Ofcoms checker tool (as some websites are exempt from this law) and completed Ofcom's Website risk assessment form.

Firstly, complete the Online Safety Act checker tool to see if this law applies to your website.
If it results in "Yes, you must comply" - Complete Illegal content duties record-keeping template (DOCX, 3.02 MB) located on this page (just in case the hotlink to the docx file dies).
Keep a record of this and review it annually.
The new law is being phased in tranches, so it's worth subscribing to Ofcoms Email update. Just choose that you only want updates regarding "online safety law". 😉

That's 'really' all there is to it ...for now.
Worse case scenario: Ofcom may ask you for a copy of your website's "Risk Assessment".

What made the form filling even quicker is I used Deepseek's and OpenAI's deep-thinking ability and I was done in like a few hrs. To save you time I've added an AI prompt template below:

I need help. UK has passed a law. The UK Online Safety Act 2023. So i need to complete risk assessment which outlines 17 critera's for asssessment. [✏️ EDIT THIS PART: My forum is called, it's located at "URL address", and add very detailed description of your forum]. It uses a flarum forum CMS system.

The criteria is a risk assessment against "✏️EDIT THIS PART: E.G "Hate" (CHANGE ACCORDING TO VARIOUS CRITERIA THE FORM IS ASKING YOU TO ASSESS, THERE'S LIKE 17 ON THE FORM)". The risk management enforceable by law by uk governing body Ofcom. help me write a risk assessment for first criteria.

Example:

Risk level:
[Evaluate the likelihood and impact of each kind of priority illegal content to assign a risk level (high, medium, low, negligible). Consider the relevant evidence to inform this judgement. You may consult the risk level tables found in Ofcom’s Risk Assessment Guidance (this is also covered in Step 2 of our Check how to comply with the illegal content rules)]
Risk factors considered:
[List any relevant and specific risk factors which relate to this kind of illegal harm (such as “messaging services”, “child users (under-18s)”, “user groups” etc.) from Ofcom’s Risk Profiles. Our ‘Check how to comply with the illegal content rules’ tool presents the associated kinds of illegal harm for each risk factor you select, or you can consult table 9.1 in the Risk Assessment Guidance.]
Additional characteristics considered:
[List any additional characteristics of your service which may be relevant (including user base, business models, functionalities, governance, and systems and processes) you have considered alongside the risk factors identified in Ofcom’s Risk Profiles.]
Existing controls considered:
[If you have considered the role of any existing controls already in operation on your service at the time of the risk assessment, you should record what these controls are, what risks they are intended to mitigate and how they do this, and how the consideration of the existing controls has impacted the risk level you have assigned to a kind of illegal content.]
Evidence:
[A list of the evidence, and summary of the reasoning, that has informed the assessment of likelihood and impact of this kind of priority illegal content, including any core and enhanced types of evidence.]

Footnotes

Deepseek was the best but the results often took me 40 secs to generate, most of the times it returned "sever is busy".
I could only use deepthink twice on two different accounts. It cud be for censorship reasons as topics are riske. but open AI was just dishing it out like the crap it is. Be sure to use OpenAI's reasoning model.

Regarding the Risk Assessment form, it was hilarious to read. Honestly, I've never had so much fun filling this form out. I couldn't stop laughing. It was asking how I'd stop things like 😂 (Used an image so discuss doesn't run into censorship issues):

To which my responses could have been "If I find any offences of this serious nature, I will solve it by reporting it to the police. 😂 That's why I pay my taxes. I am just an average joe, doing my 9-to-5 and on the weekends, I crack open a can of beer and browse the internet in my stained underpants. I am not MI5, Border force Patrol, Vet, Therapist or a Medical professional. I take this form as seriously as UK does with its immigration policy... 100% seriously."

Ofc I could have wrote that but I kept a professional tone using AI. 😉

MartinJD

Wellwisher Thanks for this, really useful. I've noticed that the register article mentions

"Ofcom, which will enforce the Act, said all services falling under it will have to comply, for example, by naming an individual accountable for online safety compliance "

Does this mean all forums will need to have said individual's details published? I've also read (can't remember where) that OFcom need a way of getting in touch with you to ask for the risk assessment. Would an email address for general info which is published as part of Ts & Cs suffice?

Wellwisher

MartinJD Does this mean all forums will need to have said individual's details published?

Yes, it's a possibility. Even with the U.S. Safe Harbor law —which shields platforms like YouTube, X, and Facebook from copyright litigation over user-posted content are legally required to provide the name and address of the individual handling copyright claims. In most cases this is the website owner.

The U.S. has established an online registry for this purpose, allowing owners to sign up. UK may adopt a similar routeway. Nothing is confirmed.

The new law is being phased in tranches, so it's worth subscribing to Ofcoms Email update. Just choose that you only want updates regarding "online safety law". 😉

MartinJD Does this mean all forums will need to have said individual's details published?

It doesn't need to be your details. It could be a representative or a solicitor who's willing to take on this responsibility. I will most likely hire a solicitor. It's not like they will need to take on any action. Reading the Risk Assessment, the chances my website breaking any of the Ofcoms criteria's are slim to none.

If Ofcom plans to take any action against webmasters now, they will contact their domain registrar. Hence why I say, you're better off just completing the Checker tool & Risk Assessment form.