On November 8, 2024, the UK’s communications regulator, the Office of Communications (“Ofcom”) published an open letter to online service providers operating in the UK regarding the Online Safety Act (“OSA”) and generative AI (the “Open Letter”). In the Open Letter, Ofcom reminds online service providers that generative AI tools, such as chatbots and search assistants may fall within the scope of regulated services under the OSA. More recently, Ofcom also published several pieces of guidance (some of which are under consultation) that include further commentary on how the OSA applies to generative AI services.
Application of the OSA to generative AI chatbot tools and platforms
The Open Letter gives the following examples of when and how Ofcom considers the OSA will apply to generative AI and chatbots:
- Generative AI chatbots that enable users to share text, images or videos generated by the chatbot with other users will be deemed “user-to-user services” subject to the OSA. This includes functions that enable multiple users to interact with a chatbot at the same time.
- If a platform enables a user to generate their own generative AI chatbot (for example a bot that mimics personas of real or fictional people) and makes it available for others to use and interact with, any text, images or videos created by this user-generated chatbot will be regulated as a “user-to-user service” under the OSA.
- Generative AI tools that search multiple sites or databases will be deemed “search services” regulated by the OSA. This includes generative AI tools that (i) modify, augment or facilitate the delivery of search results on an existing search engine or (ii) provide ‘live’ internet results on a standalone platform.
- Sites and apps that include generative AI tools capable of generating pornographic material could be considered services providing pornographic content. Such services could therefore subject to the obligations under Part 5 of the OSA, including the requirement to implement highly effective age assurance. Providers could implementing certain safeguards, such as using keyword blockers to prevent the generation of pornographic content, to exclude their services from the scope of Part 5 (See section 3.21 of Ofcom’s Guidance on highly effective age assurance).
Next Steps
The OSA obligations have started to apply in phases throughout 2025. Below is a timeline of the upcoming deadlines for compliance with certain OSA obligations:
- Providers of pornographic content must implement highly effective age assurance measures by January 17, 2025.
- Providers of user-to-user services and search services must complete (i) illegal content risk assessment by March 16, 2025, and (ii) children’s access assessment by April 16, 2025.
- Providers of services likely to be accessed by children must complete children’s risk assessments by July 2025.
The Covington team continues to closely monitor developments in online safety, including the implementation of the Online Safety Act. Please reach out to a member of the team if you have any questions.