Online Safety Act 2023: Enforcement Powers and Penalties

Enforcement Powers and Penalties [Sections 130-151]

Rule: OFCOM can issue confirmation decisions finding providers in breach, impose penalties up to £18 million or 10% of global turnover (whichever is higher), and seek business disruption orders requiring app stores/ISPs to block non-compliant services.

Effective: March 2024

Section 130: Provisional Notice of Contravention

130.1 — What Is a Provisional Notice?

First step in OFCOM enforcement:

Notice issued when OFCOM has reasonable grounds to believe a provider has breached enforceable requirements.

“Reasonable grounds” standard:

Evidence Level	Sufficient?
Confirmed breach (definitive evidence)	✅ YES
Strong evidence (multiple indicators)	✅ YES
Reasonable suspicion (some indicators)	✅ YES
Mere allegation (unverified complaint)	❌ NO

Not a finding of guilt: Provisional = preliminary determination, provider can challenge.

130.2 — Notice Contents

Provisional notice must specify:

Element	Details
Alleged breach	Which enforceable requirement violated
Evidence	Basis for OFCOM’s belief (data, reports, investigations)
Proposed penalty	Amount OFCOM is considering (if any)
Remedial steps	What provider must do to come into compliance
Representation period	Timeline for provider to respond (typically 28 days)
Appeal rights	How provider can challenge

130.3 — Provider’s Right to Make Representations

Provider has opportunity to:

✅ Challenge factual findings (“We didn’t breach requirement X”)
✅ Provide evidence of compliance (“Here’s data showing we met duty”)
✅ Argue mitigating circumstances (“Breach was due to unforeseen technical failure”)
✅ Propose alternative remedies (“We’ll fix this way instead”)
✅ Contest proposed penalty amount (“Penalty is disproportionate”)

Format:

Written submissions
Supporting evidence (data, expert opinions, technical documentation)
Meetings with OFCOM if requested

Timeline: Minimum 28 days to submit representations (OFCOM may extend if complex case).

Section 131: Enforceable Requirements

131.1 — What Are Enforceable Requirements?

All duties under the Act that OFCOM can enforce:

Part	Requirements	Examples
Part 3 — Duties of Care	Illegal content duties, children’s protection, user empowerment	Risk assessments, safety systems, age verification
Part 4 — Other Duties	CSEA reporting, terms of service, transparency reporting	NCA reports, terms compliance, annual reports
Part 5 — Pornographic Content	Age verification for pornography	Age estimation/verification systems
Part 7 — Information Requests	Respond to OFCOM information notices	Provide data, access systems
Codes of Practice	Recommended measures (if following code)	Deploy tech as code recommends

Not enforceable:

General guidance (advisory only)
Provisions not yet in force
Duties owed to entities other than OFCOM (e.g., consumer contracts)

131.2 — Categories of Enforceable Requirements

High-priority (severe penalties for breach):

Requirement	Max Penalty
Children’s protection duties	Criminal liability + civil penalties
CSEA reporting	Criminal liability + civil penalties
Terrorism content removal	Up to £18M or 10% turnover
Age verification	Up to £18M or 10% turnover

Medium-priority (civil penalties):

Requirement	Max Penalty
Illegal content duties (non-terrorism)	Up to £18M or 10% turnover
Terms of service compliance	Up to £18M or 10% turnover
Information requests	Up to £18M or 10% turnover

Lower-priority (smaller penalties):

Requirement	Typical Penalty
Transparency reporting	Up to £100k
Record-keeping	Up to £100k

Section 132: Confirmation Decision

132.1 — Final Determination of Breach

After considering provider’s representations, OFCOM issues confirmation decision:

Outcome	When
Confirm breach	Provider’s representations not persuasive, breach occurred
Confirm breach with modifications	Some arguments valid, adjust findings/penalties
No breach	Provider demonstrated compliance, withdraw provisional notice

Confirmation decision is final (subject to appeal to Upper Tribunal).

132.2 — Confirmation Decision Contents

Must include:

Element	Details
Breach determination	Which requirements breached
Reasoning	Why OFCOM found breach (addressing provider’s arguments)
Required actions	What provider must do to remedy breach
Compliance deadline	When remedial actions must be completed
Penalty (if any)	Amount and payment deadline
Aggravating/mitigating factors	What affected penalty amount
Appeal rights	How to challenge decision

132.3 — Timing

OFCOM must issue confirmation decision:

After representation period expires
Typically within 60 days of provisional notice (unless complex case)

Sections 133-136: Senior Management Liability

133.1 — When Are Senior Managers Personally Liable?

Senior managers face criminal liability if:

Condition	Requirement
1. Provider breached duty	Service failed to comply with children’s protection or CSEA reporting
2. Breach due to senior management	Senior manager consented, connived, or was negligent
3. Manager’s role relevant	Manager had responsibility for compliance area

“Senior manager” defined:

Role	Covered?
CEO, CFO, COO	✅ YES
Directors	✅ YES
Compliance Officer	✅ YES
Product Leads (if responsible for safety features)	✅ YES
Junior engineers	❌ NO
Customer service reps	❌ NO

133.2 — Mental States for Liability

“Consented”:

Manager actively approved breach
Example: CEO instructs team to ignore CSEA reporting to save costs

“Connived”:

Manager knowingly allowed breach
Example: Director aware of CSEA content, took no action

“Negligence”:

Manager failed to exercise reasonable care
Example: VP didn’t implement systems to detect CSEA despite knowing risk

133.3 — Penalties for Senior Managers

Criminal penalties:

Conviction Type	Max Penalty
Summary conviction (magistrates’ court)	12 months imprisonment OR unlimited fine
Indictment (crown court)	2 years imprisonment OR unlimited fine

Practical impact:

Personal criminal record
Director disqualification
Reputational damage
Industry blacklisting

133.4 — Defenses

Manager can argue:

Defense	Example
No responsibility	”I wasn’t responsible for child safety — that was CSO’s role”
No knowledge	”I wasn’t aware of the breach despite reasonable oversight”
Reasonable steps taken	”I implemented all reasonable systems, breach was despite diligence”
Provider’s failure not due to manager	”Breach was due to technical failure beyond my control”

Burden of proof: Prosecution must prove manager consented/connived/was negligent.

Sections 137-141: Penalty Framework

137.1 — Types of Penalties

OFCOM can impose:

Penalty Type	When Used
Single amount	One-time payment for breach
Daily rate	Ongoing payment until compliance
Combined	Single amount + daily rate (for persistent breaches)

Example:

Provider failed to implement age verification
    ↓
OFCOM confirms breach
    ↓
Penalty imposed:
├─ Single amount: £5 million (for initial breach)
└─ Daily rate: £50,000/day until age verification deployed

137.2 — Maximum Penalty Amounts

Statutory maximum:

Greater of:

£18 million, OR
10% of global annual turnover

Global turnover defined:

Worldwide revenue (all jurisdictions)
All group companies (parent + subsidiaries)
Previous financial year

Examples:

Provider	Annual Turnover	10%	Max Penalty
Meta	£100 billion	£10 billion	£10 billion (10% > £18M)
Medium platform	£50 million	£5 million	£18 million (£18M > £5M)
Small startup	£1 million	£100k	£18 million (fixed minimum)

Practical effect: Large platforms face percentage-based penalties (potentially billions); smaller providers face fixed maximum (£18M).

137.3 — Determining Penalty Amount

OFCOM considers:

Aggravating factors (increase penalty):

Factor	Impact
Repeated breach	Prior violations of same duty
Deliberate breach	Intentional non-compliance
Significant harm	Breach caused serious harm to users
Large user base	Millions affected
Non-cooperation	Provider obstructed OFCOM investigation
Delay in compliance	Slow to remedy after notice

Mitigating factors (decrease penalty):

Factor	Impact
First-time breach	No prior violations
Technical failure	Unintentional breach due to system error
Limited harm	Few users affected
Swift remediation	Quickly fixed after notice
Cooperation	Assisted OFCOM investigation
Financial constraints	Genuine inability to afford full penalty

Example calculation:

Initial penalty assessment: £10 million
    ↓
Aggravating factors:
+ Repeated breach: +30% → £13 million
+ Large user base (10M UK users): +20% → £15.6 million
    ↓
Mitigating factors:
- Swift remediation (fixed within 1 month): -10% → £14.04 million
- Cooperation with investigation: -5% → £13.34 million
    ↓
Final penalty: £13.34 million

137.4 — Payment Timelines

Minimum payment period:

28 days from confirmation decision for single amount
Ongoing for daily rate (until compliance achieved)

Non-payment consequences:

Civil debt enforcement (county court)
Additional penalties for non-payment

Section 138: Children’s Safety Offences

138.1 — Criminal Liability for Children’s Duty Breaches

It is a criminal offence to:

Fail to comply with confirmation decision regarding:

Children’s protection duties (Sections 11-13), OR

CSEA reporting (Sections 66-70)

Who commits offence:

The provider (company)
Senior managers (if consented/connived/negligent)

138.2 — Penalties

Company penalties:

Conviction Type	Max Penalty
Summary conviction	Unlimited fine
Indictment	Unlimited fine

No imprisonment for company (only fines), but see senior management liability above for individual criminal penalties.

138.3 — Why Criminal vs Civil?

Criminal liability reserved for:

Children’s safety (highest harm)
CSEA (most serious illegal content)

Other breaches:

Civil penalties only (fines, not criminal record)

Practical impact:

Criminal conviction = serious reputational damage
May affect ability to operate in some jurisdictions
Director disqualification possible

Sections 139-143: Penalty Procedures

139.1 — Penalty Notice Requirements

Before imposing penalty, OFCOM must:

Issue provisional penalty notice
- Proposed penalty amount
- Aggravating/mitigating factors considered
- Basis for amount
Provide representation period
- Minimum 28 days
- Provider can challenge amount
Consider representations
- Review provider’s arguments
- Adjust penalty if appropriate
Issue final penalty notice
- Confirm final amount
- Payment deadline (minimum 28 days)
- Appeal rights

139.2 — Challenging Penalty Amount

Provider can argue:

Argument	Example
Disproportionate	”£10M penalty for small breach is excessive”
Financial hardship	”We can’t pay this amount — would bankrupt us”
Miscalculation	”OFCOM incorrectly calculated our turnover”
Mitigating factors overlooked	”OFCOM didn’t consider we fixed this immediately”

OFCOM must:

Genuinely consider arguments
Explain why penalty maintained or adjusted
Apply consistent approach across providers

Sections 144-147: Business Disruption Measures

144.1 — What Are Business Disruption Orders?

Court orders requiring third parties to disrupt provider’s UK business:

Order Type	Who It Targets	What It Requires
Access restriction order	ISPs (internet service providers)	Block UK users from accessing service
Ancillary service order	Payment processors, app stores	Stop providing services to provider

Purpose: When fines alone insufficient to compel compliance.

144.2 — When Can OFCOM Seek These Orders?

Three requirements:

Provider failed enforceable requirement (confirmed breach)
Failure is persistent (ongoing, despite warnings)
Significant harm risk to UK users

“Persistent” means:

Evidence	Persistent?
Breach continues 6+ months after confirmation decision	✅ YES
Provider refuses to comply	✅ YES
Multiple related breaches	✅ YES
Single short-term breach, quickly fixed	❌ NO

144.3 — Access Restriction Orders

Targets: UK ISPs

Requires ISPs to:

Block DNS resolution for provider’s domain
Prevent UK users accessing service
Use reasonable technical measures

Example:

Pornography site refuses to implement age verification
    ↓
OFCOM confirms breach, issues penalty
    ↓
Site continues operating without age verification (6+ months)
    ↓
OFCOM applies for access restriction order
    ↓
Court grants order
    ↓
UK ISPs (BT, Virgin Media, Sky, etc.) must block site
    ↓
UK users can't access site

Exceptions:

VPN use may circumvent (but provider’s UK business still disrupted)
International users unaffected

144.4 — Ancillary Service Orders

Targets: Payment processors, app stores, hosting providers

Examples:

Service	Order Requires
Apple App Store	Remove provider’s app from UK App Store
Google Play Store	Remove provider’s app
Stripe	Stop processing payments for provider
PayPal	Terminate provider’s account
AWS	Stop hosting provider’s service

Practical impact:

Provider can’t monetize UK users
Provider can’t distribute via app stores
Provider may have to shut down UK operations entirely

144.5 — Court Approval Required

OFCOM can’t impose these directly — must seek court order.

Court considers:

Factor	Question
Proportionality	Is order necessary? Less intrusive alternatives?
Effectiveness	Will order actually achieve compliance?
Harm level	How serious is risk to UK users?
Third-party impact	Will order harm innocent parties (e.g., ISP customers)?

Court can:

✅ Grant order as requested
✅ Grant with modifications
❌ Refuse order (if disproportionate)

144.6 — Interim Orders

OFCOM can seek interim business disruption orders pending full hearing.

Requirements:

Urgent harm to UK users
Likelihood OFCOM will succeed at full hearing
Balance of convenience favors interim order

Example:

Major CSEA content platform refuses to take down content
    ↓
Immediate harm to children
    ↓
OFCOM seeks interim access restriction order
    ↓
Court grants within days (pending full hearing in 3 months)
    ↓
ISPs block site immediately

Sections 148-150: Publication and Transparency

148.1 — OFCOM Must Publish Enforcement Actions

OFCOM publishes:

Information	Details
Provider identity	Name of non-compliant service
Breach details	Which requirements violated
Penalty amount	Fine imposed (if any)
Remedial actions	What provider must do

Purpose:

Public accountability
Deterrence (reputational damage)
User awareness

148.2 — Exceptions to Publication

OFCOM won’t publish if:

Exception	Why
Commercially sensitive	Trade secrets, proprietary info
National security	Would harm UK security interests
Ongoing investigation	Would prejudice criminal proceedings
Confidential information	Protected by law or professional privilege

Balance: Public interest in transparency vs privacy/confidentiality.

148.3 — Provider-Required Notifications

After appeals expire, OFCOM may require provider to:

Notify UK users about enforcement action.

Notification requirements:

Method	Details
In-app notice	Prominent banner on service
Email to users	If provider has user email addresses
Website posting	On provider’s homepage

Content:

Nature of breach
Penalty imposed
Remedial actions taken
Link to OFCOM’s full decision

Example:

“OFCOM found that [Service Name] failed to protect children from harmful content. We have been fined £5 million and are now implementing age verification. Read OFCOM’s full decision here: [link]“

Section 151: Enforcement Guidance

151.1 — OFCOM’s Enforcement Policy

OFCOM must publish guidance on:

How it decides to take enforcement action
Factors affecting penalty amounts
Typical penalties for different breach types
Procedure for investigations
Provider rights during enforcement

Status: OFCOM published comprehensive enforcement guidance in 2024.

151.2 — Consultation Requirement

Before issuing guidance, OFCOM must consult:

Service providers
User representatives
Children’s advocates
Affected persons
Legal experts

Purpose: Ensure guidance is fair, clear, and consistently applied.

Practical Application for AI Agents

Risk Assessment: Will OFCOM Enforce Against You?

High-risk indicators:

Factor	Why High Risk
Children’s safety failures	Highest priority for OFCOM
CSEA content present	Criminal liability
Large UK user base	Significant harm potential
Prior warnings ignored	Demonstrates non-compliance
Public complaints	Media/NGO pressure on OFCOM

Lower-risk:

Factor	Why Lower Risk
First-time minor breach	OFCOM often gives warnings first
Proactive compliance efforts	Good faith demonstrated
Small user base	Lower harm potential
Quick remediation	Shows willingness to comply

Responding to Provisional Notice

If you receive provisional notice:

Step 1: Don’t panic

Provisional ≠ final determination
Opportunity to challenge

Step 2: Review notice carefully

Understand alleged breach
Assess evidence strength
Identify factual errors

Step 3: Gather evidence

Data showing compliance
Expert opinions supporting your position
Documentation of efforts made

Step 4: Prepare representations

Strategy	When Appropriate
Challenge facts	OFCOM’s evidence is incorrect
Argue compliance	You DID meet requirement (different interpretation)
Mitigating circumstances	Breach was unintentional/unavoidable
Dispute penalty amount	Amount is disproportionate
Propose remediation	Commit to fixes, request reduced penalty

Step 5: Submit within 28 days

Don’t miss deadline
Include all evidence
Be thorough but concise

Step 6: Engage with OFCOM

Meetings to discuss
Demonstrate good faith
Negotiate compliance timeline if needed

Compliance After Confirmation Decision

If OFCOM confirms breach:

Immediate actions:

Review confirmation decision thoroughly
Understand required remedial actions
Note compliance deadline
Assess whether to appeal

Remediation:

Implement required measures
Document compliance efforts
Report to OFCOM as required
Monitor effectiveness

If appealing:

File appeal within 28 days
Continue compliance efforts (appeal doesn’t suspend obligation)
Engage legal counsel

Financial planning:

Budget for penalty payment
Arrange payment within deadline (28 days minimum)
Request installment plan if needed (OFCOM may allow)

Avoiding Business Disruption Orders

To prevent OFCOM seeking access restriction/ancillary service orders:

Critical steps:

Comply with confirmation decisions promptly
- Don’t ignore OFCOM orders
- Fix issues within deadlines
Maintain communication with OFCOM
- Explain any delays
- Request extensions if needed (with justification)
- Demonstrate progress
Prioritize high-harm breaches
- Children’s safety
- CSEA removal
- Terrorism content

If business disruption order threatened:

✅ Engage senior leadership (CEO level)
✅ Commit to urgent remediation
✅ Provide detailed implementation plan
✅ Consider interim measures while building full compliance

Compliance Checklist

Ongoing risk management:

Prevention:

Implement all Part 3 duties (illegal content, children’s safety)
Conduct regular compliance audits
Train staff on Online Safety Act requirements
Document compliance efforts
Monitor OFCOM guidance updates

If investigation suspected:

Review information requests carefully
Respond fully and on time
Cooperate with skilled person assessments
Preserve relevant evidence

If provisional notice received:

If confirmation decision issued:

Assess whether to appeal (28 days)
Implement remedial actions immediately
Pay penalty within deadline
Report compliance to OFCOM
Update internal policies to prevent recurrence

Key Takeaways

Two-stage process — Provisional notice → Confirmation decision
Right to representations — Provider can challenge before final determination
Massive penalties — Up to £18M or 10% global turnover (whichever higher)
Criminal liability — For children’s safety and CSEA breaches
Senior managers at risk — Personal criminal liability if consented/connived/negligent
Business disruption orders — OFCOM can require ISPs to block, app stores to remove apps
Publication — Enforcement actions made public (reputational damage)
Appeals available — Can challenge to Upper Tribunal within 28 days
Proportionality required — OFCOM must consider aggravating/mitigating factors
Compliance deadline minimum 28 days — Reasonable time to remedy

Citation

Part 7, Chapter 6 — Enforcement Powers, Online Safety Act 2023

Related: