What does the Online Safety Act mean for fraudulent advertising?

The Online Safety Act (OSA) is the UK’s new comprehensive legislation intended to ensure the safety of online users. It places specific obligations upon various online service providers to this end. The OSA received Royal Assent on 26 October 2023, following a number of revisions. The majority of its provisions are expected to come into effect within the next two months.

OFCOM, the UK authority for broadcasting, telecommunications and postal industries, is tasked with enforcement of the OSA and ensuring safety online. One of the ways OFCOM intends to do that is by tackling fraudulent advertising online.

Who will need to comply with these requirements?

The OSA imposes duties in this area on providers of category 1 and category 2A services. The impact on online services will differ according to how that particular service is categorised. The following categories are still due to be outlined definitively in secondary legislation, but currently:

• Category 1 services are user-to-user services that will meet certain thresholds (due to be confirmed in secondary legislation) relating to user quantity, service functionality and other factors.
• Category 2A will be search services that will meet certain threshold conditions due to be defined in secondary legislation.
• Category 2B will be user-to-user services that will meet certain threshold conditions, which are also due to be defined in secondary legislation.

More onerous obligations will be applicable to Category 1 services owing to their higher potential as sources of online harm for users.

Category 1 services

Under the OSA, category 1 services will be required to implement proportionate systems and processes to:

• prevent users from encountering fraudulent adverts on the service;
• minimise the length of time for which fraudulent adverts are present; and
• swiftly take fraudulent adverts down where they have become aware of them or have been alerted to their presence.

Category 1 services must provide clear and accessible information about any proactive technology they use to comply with their obligations in their terms of service, including a description of that technology, when it is used, and how it works.

In relation to category 1 services, an advertisement will be considered fraudulent if it:

• is a paid-for advertisement (if the provider receives consideration for the advert and its placement is determined by systems or processes);
• it amounts to an offence (as in it breaches certain provisions of financial services, fraud or serious crime legislation); and
• it is not “regulated user-generated content” (for example, email, SMS message, news publisher content).

Category 2A services

Under the OSA, category 2A services will be required to implement proportionate systems and processes to:

• prevent users from encountering fraudulent adverts in or via search results of the service;
• minimise the length of time for which fraudulent adverts are encountered in or via search results; and
• swiftly ensure that fraudulent adverts can’t be encountered where they have either been alerted to the fact that they can be encountered or become aware of them in another way.

Category 2A services must also provide a clear and accessible publicly available statement about any proactive technology they use to comply with these obligations. This could also be via their terms of service if they choose. An advertisement is considered fraudulent in relation to category 2A services if it is a paid-for advertisement and amounts to an offence.

The OSA explains that in determining what is proportionate for the Act, providers of both category 1 and category 2A services should consider the nature and severity of the potential harm presented by those adverts as well as the degree of control the service has over the placement of the adverts. The explanatory notes for the OSA provide that the degree of control caveat recognises that providers may rely on third party intermediaries to display paid advertisements on their service, and will therefore have less control over, and ability to prevent, the posting of fraudulent adverts.

Next steps

OFCOM will now prepare and issue a code of practice describing the measures needed to comply with the new fraudulent advertising obligations. Based on the current OFCOM October 2023 roadmap this is expected to be in early 2025. OFCOM has advised that compliance with the measures recommended by the code would be treated as satisfying the relevant duties under the OSA. Services are also free to comply by taking alternative measures, which will be assessed by OFCOM to determine sufficiency.

Whilst much substantive detail is expected to be in the codes of practice issued by OFCOM the OSA makes clear that as a minimum, updates to providers’ terms of service will be needed. Additional processes and systems may also be required to tackle fraudulent advertising. In-scope service providers should consider the need to review and update their processes for onboarding advertisers or receiving advertisements, and also ensure that appropriate reporting tools are in place for users.

OFCOM has a range of enforcement powers under the Act, including the ability to issue fines against in-scope services of up to £18 million or 10% of annual global turnover, whichever is greater. This will incentivise and ensure that services comply with the OSA.

The wider picture

Fraudulent advertising and scams are an ongoing issue in the UK and worldwide. In 2020, the Advertising Standards Authority (ASA) launched a Scam Ad Alert system to help protect consumers (see their update here). Beyond the OSA, the UK government’s Online Advertising Programme is likely to involve a wider overhaul of UK advertising regulation.

This article was written by Abbie McGregor.