By 16 April 2025, all platforms, sites, and apps in scope of Part 3 of the UK's Online Safety Act 2023 (OSA) must assess, by completing a Children's Access Assessment (CAA), whether it is possible for children to access the service they provide. Ofcom, the online safety regulator, has reminded in-scope providers (both user-to-user services and search engines) of their obligations to complete such CAAs in order to determine whether they then will need to complete Children's Risk Assessments (CRAs) and implement protection measures in order to comply fully with their duties under Part 3 of the OSA.
What services are in scope?
All Part 3 services are in scope of the requirement to complete a CAA under the OSA. Part 3 services are services which are either:
- User-to-user services: services where content is generated, uploaded to, or shared on the service by a user, and may be encountered by another user or users of the service; or
- Search services: services that are or include a search engine, or have the ability to search websites, databases or other aspects of a service.
If more than one Part 3 service is provided by a platform, site, or app, separate CAAs must be carried out for each service. If only part of a service is within scope, a CAA must still be carried out.
What needs to be assessed?
The requirement for a CAA is set out in the OSA. However, the process and form of the assessment are dictated by guidance issued by Ofcom on 16 January 2025. Ofcom's guidance defines two stages of assessment in a CAA, though both stages may not always need to be carried out. The first stage is to consider whether it is possible for children to normally access the service. The second stage is to assess whether the "child user condition" is met.
Stage 1: Possible for children to access the service?
Ofcom says that, where no highly effective age assurance (HEAA) is in place, it must be concluded that it is possible for children normally to access the service. HEAA is a form of age assurance where robust checks are completed to ensure users are over 18 years of age (or another appropriate age). Ofcom has also issued guidance about HEAA for Part 3 Services, including how to identify whether age assurance methods meet the criteria to be classified as HEAA and other considerations such as data protection compliance.
If no HEAA is identified as being in place, services must conclude that children can normally access the service and go on to complete stage 2 of the CAA.
Stage 2: The child user condition
This stage contains two parts. If the first part concludes positively that there is a significant number of children who access the service, the second part, which asks whether the service is likely to attract children, does not need to be completed.
Part 1: Significant number of children
In this part of the CAA, platforms must determine if a significant number of children are accessing their service. This involves analysing user data to identify the proportion of users who are under 18 and assess whether this is a significant number. The number of children who access the service will be significant if either:
- The number of children reflects a significant number in proportion to the total userbase of the service; or
- The number of children is inherently significant.
If the data indicates that a significant number of users are children, the service must proceed to complete a CRA and consider whether protection measures need to be implemented. Factors such as user demographics, content type, and marketing strategies should be considered to make an informed determination.
Part 2: Likely to attract children
If the first part of stage 2 concludes that a significant number of children do not access the service, the second part must be completed. This involves assessing whether the service is likely to attract children. Considerations that should be made include the nature of the content, the design and functionality of the service, and any marketing or promotional activities that may appeal to children. Services that are designed in a way that is appealing to children, or that feature content popular with younger audiences, are more likely to meet this condition.
When must CAAs be completed?
For services that are already in operation and in scope of the obligation to complete a CAA, the assessment must be completed by 16 April 2025. Providers have been encouraged to begin the assessment process well in advance of the deadline to allow sufficient time for any required changes to be made.
For services that, in the future, come into scope of the obligation to complete a CAA (whether due to a change in the service or due to the launch of a new service), a CAA must be completed within the first three months of operation.
Once a CAA is completed, it will need to be re-assessed on an annual basis, or where there is a significant change to the service which could impact the CAA that has already been carried out. Significant changes include adjustments to the service's design or operation, new evidence regarding the efficacy of age assurance or new evidence of an increase in the number of children using the service.
When must CRAs be completed?
If a CRA is needed, it must be completed within three months of the release of Ofcom's final guidance about completing CRAs. This guidance is expected to be released in April 2025. Ofcom's draft guidance provides insight into the expected requirements and should be used by services to prepare for when the final guidance is released.
What is the penalty for non-compliance?
If an appropriate CAA has not been carried out, Ofcom may use its powers to investigate and could impose a penalty of up to 10% of qualifying worldwide revenue or £18 million, whichever is greater. Ofcom may also require remedial action to be taken.
Ofcom recently set out its plans for enforcement under the OSA, and it is expected that it will continue to actively enforce compliance. Mishcon continues to advise multiple clients on compliance with the OSA, as well as the commercial and practical implications that it poses.