Who: The Advertising Standards Authority (ASA)
Where: United Kingdom
When: 31 August 2023
Law stated as at: 14 September 2023
The legislation is designed to protect children and adults online by imposing “duties of care” on providers of in-scope online services. The duties require these providers to take steps to protect users from certain types of illegal and harmful content. Ofcom has been tasked with enforcing the Online Safety Act and will have extensive powers to investigate providers and sanction them for breaches, including the imposition of fines of up to £18 million or 10 per cent of the provider’s worldwide annual revenue (whichever is higher).
The duties of care focus on the systems and processes used by providers to operate online services and present content to users. The duties set out are wide ranging, and the scope of a provider’s duties will depend on their categorisation. The categories will be defined by “threshold conditions” which will be set out in secondary legislation.
Services categorised as 1, 2A or 2B will be subject to more onerous obligations on the basis that they disseminate the highest risk content. Category 1 services will be subject to particularly onerous obligations and it can be assumed that the largest social media platforms will be designated as such.
Tackling fraudulent advertising
One of the content types the act is concerned with is fraudulent adverts. What are the related duties that are imposed on providers of category 1 and category 2A services?
While the UK government’s Online Advertising Programme (see the government’s response to the initial consultation here) is expected to involve a wider overhaul of UK advertising regulation, the act contains standalone fraudulent advertising-related duties as a result of the urgency of the problems these adverts present.
Category 1 services
To comply with the act, designated category 1 services (user-to-user services with the largest number of users), will be required to implement proportionate systems and processes to:
- prevent users from encountering fraudulent adverts;
- minimise the length of time for which fraudulent adverts are present; and
- swiftly take fraudulent adverts down where they have either been alerted to their presence or become aware of them in another way.
Category 1 services must provide information about any proactive technology they use to comply with their obligations in their terms of service, including the kind of technology, when it is used, and how it works.
In relation to category 1 services, an advertisement is considered fraudulent if it:
- is a paid-for advertisement (if the provider receives consideration for the advert and its placement is determined by systems or processes);
- breaches certain provisions of financial services, fraud or serious crime legislation; and
- is not a type of “regulated user-generated content” (for example, email, SMS message, news publisher content).
Category 2A services
To comply, designated category 2A services (regulated search services and combined services) will be required to implement proportionate systems and processes to:
- prevent users from encountering fraudulent adverts in or via search results of the service;
- minimise the length of time for which fraudulent adverts encountered in or via search results are present; and
- swiftly ensure that fraudulent adverts can’t be encountered where they have either been alerted to the fact that they can be encountered or become aware of them in another way.
Category 2A services must provide a publicly available statement about any proactive technology they use to comply with their obligations, including the kind of technology, when it is used, and how it works.
In relation to category 2A services, an advertisement is considered fraudulent if it:
- is a paid-for advertisement; and
- breaches certain provisions of financial services, fraud or serious crime legislation.
The act states that in determining what is proportionate in relation to the obligations, providers of both category 1 and category 2A services should consider the nature and severity of the potential harm posed by the adverts as well as the degree of control the service has over the placement of the adverts. The explanatory notes to the bill explain that the reference to control recognises that providers may rely on third party intermediaries to display paid advertisements on their service, and will therefore have less control over measures to prevent posting of fraudulent adverts.
Ofcom is required to prepare and issue a code of practice describing measures recommended to comply with the new fraudulent advertising related obligations. The bill explained that compliance with the measures recommended by the code would be treated as satisfying the relevant duties. Services are also free to comply by taking alternative measures, but these will be assessed by Ofcom against certain criteria (for example, whether they incorporate sufficient safeguards).
Why this matters:
Generally, the Online Safety Act seeks to make the UK the safest place to be online. Fraudulent advertising and scams have been an ongoing issue in the UK to the extent that the Advertising Standards Authority (ASA) launched a Scam Ad Alert system to help protect consumers. The act seeks to provide further protection for consumers in this space, especially at a time when consumers are increasingly vulnerable (for example, there are scams relating to the cost of living crisis).
While most of the substantive detail is expected to be in codes of practice issued by Ofcom, the act signals that additional processes and systems may be required to tackle fraudulent advertising. In-scope service providers will need to review and potentially update their systems and processes for onboarding advertisers or receiving advertisements on its service(s), and also ensure that appropriate reporting tools are in place so that any potentially fraudulent advertisements are swifty reviewed and removed. Brands, agencies and others involved in the online advertising ecosystem may also see changes when advertising on such in-scope services.
In-scope services are required to establish processes to demonstrate compliance – and Ofcom can check these processes. Ofcom will also have a range of enforcement powers, including the ability to issue fines against in-scope services of up to £18 million or 10% of annual global turnover, whichever is greater.