Here’s why your project is in scope of the Online Safety Bill

Estimated reading time: 3 minutes
UK policy

A quick follow-up to this week’s magnum opus. Many of you who read that post, as well as the one which preceded it, will be wondering why your work falls into the scope of the Online Safety Bill’s likely compliance requirements. After all, you’re just you, and your team, doing your thing. You’re not a social media site, you’re not a major platform, you’re not doing anything wrong, and you’re not hurting anyone.

So why are you being treated like you are, and why are you facing compliance burdens and costs which punish you for the sins of others?

I can offer a little bit of insight, if not a definitive answer, into the thinking that has gone into the breathtaking sweep of this Bill’s scope. It doesn’t explain why things are the way they are. But it might help you to understand the logic behind it.

It’s just an anecdote, not a sound fact that could be referenced in law or policy. But it’s a packed one all the same.

At some point in the past three years – I couldn’t tell you exactly when, because the pandemic has eaten up my sense of time, folks – I was in a crowded meeting about the Bill which included one of its creators.

A question was put to that person, and it’s the same question you’ve asked yourself this week: why is the scope so broad? Why is there no threshold, such as a minimum turnover or number of users, before the Bill’s provisions kick in? And for the split that there is, between the Bill’s “Category 1” (meaning Big Tech) requirements and “everybody else” requirements, why is it “everybody else” in the first place?

The policymaker’s answer was firm and immediate, and what they said was, tl:dr:

we have to include all smaller businesses in scope because OnlyFans has less than thirty employees.

Now think about that for a minute.

Because in that instant response, that policymaker revealed three very clear facts about their thinking, and how that thinking has shaped this Bill.

The first is that this Bill, whatever DCMS and its ministers may claim, is not a “fixing” Bill, one which has been designed to be constructive and positive in order to fix problems. It is a “getting” Bill, once which has been designed to be vindictive and negative in order to get specific companies. OnlyFans in this particular example, the usual suspects in others.

The second is that this Bill has been designed by people who are so out of touch that OnlyFans is their idea of the average small digital business.

And the third is that this Bill has been designed by people who are so out of touch that they think the harms issues raised by OnlyFans are the harms issues in the average small digital business.

Is it possible for a business with less than thirty employees to cause severe online harms? Absolutely. (Cambridge Analytica, after all, had a fraction of that.)

Should smaller businesses have to take some common-sense and proportionate steps to prevent online harms from arising on their services? Absolutely.

Is that how this Bill approaches things? Absolutely not.

Because its scope, proportionality, and compliance requirements for “everyone else” have been shaped by using the most extreme outlier of a small digital business – specifically, a consensual adult marketplace – as the starting point.

That really is what they think you do, and what you get up to with your time, and what sort of damage you cause.

That really is what they think of you.

Meanwhile, you’re just trying to keep the lights on and your sanity intact and your users safe: not from the nonexistent online harms in your project, but from the sort of people who claim to be the solutions to them.

Now get back to work, you filthy smut peddlers.

The Author

I’m a UK tech policy wonk based in Glasgow. I work for an open web built around international standards of human rights, privacy, accessibility, and freedom of expression. The content and opinions on this site are mine alone and do not reflect the opinions of any current or previous team.


  1. Woah, that’s insane.

    They couldn’t have just had Category 1 (big tech), Category 2 (adult services), Category 3 (tech companies with turn over above £10m/year) and then everyone else?!

    If they do resurect it without massive changes that’ll be the death of the solo developer tech business.

    • Well, the death of smaller businesses is part of the plan. The only smaller tech businesses that two (and shortly three) successive Conservative governments have been interested in supporting are those engaged in “safety tech“, which is the cuddly marketing name for domestic stalkerware and surveillance (e.g. content screening, proactive monitoring, age verification), in order to create a “healthy” marketplace for the rest of the nation’s tech businesses to choose from for all their privatised surveillance, monitoring, and filtering obligations under the OSB.

      I ranted a bit about that here, but it deserves another post one of these days.

      The erosion of the UK’s privacy frameworks is very much part of the plan; those pesky European rights-based privacy standards are obstacles to the domestic surveillance business model, as is the prohibition on a general monitoring obligation, which also came from the EU and therefore must go.

Comments are closed.