The Online Safety Act 2023 (the “Act”) established a regulatory framework for online service providers (defined under the Act to include technology companies such as dating apps, search engines, social media platforms and pornography platforms) to address illegal content and protect users from online harms (see our blog post here).
The Act stipulated that Ofcom, as the online safety regulator, must produce specific guidance to help service providers comply with their duties under the Act. On 25 February 2025, under phase 2 of its roadmap for implementation, Ofcom published draft guidance for the protection of women and girls online (the “Draft Guidance”).
The Draft Guidance focuses on four categories of online-based harms which evidence suggests disproportionately affect women and girls:
- Online misogyny,
- ‘Pile-ons’ and coordinated harassment,
- Online domestic abuse, and
- Intimate image-based abuse and cyberflashing (sending explicit images to someone without their consent).
Pile-ons and coordinated harassment cover behaviours that involve many users targeting an individual victim or group of victims with abusive, hateful or threatening content, often repetitively or at scale. The two groups most at risk of pile-ons and online harassment are women and girls from marginalised groups and women and girls in the public eye.
Image-based abuse (sometimes referred to as revenge-porn) refers to the taking, creating, sharing, or threatening to share intimate images without consent.
It is important to recognise that people of any gender can find themselves the victim of online-based harms, including image-based abuse. The practical effect of this guidance, if adhered to, will be a safer internet for all users, irrespective of gender.
Action required by service providers under the Draft Guidance
The Guidance specifies nine compliance ‘actions’ where Ofcom says technology companies need to do more to protect users from online harms. Each action has accompanying ‘foundational steps’, drawn from the measures set out in Ofcom’s Codes and guidance on Illegal Harms, Protection of Children and Transparency.
Service providers implementing these foundational steps will be deemed compliant with the Act’s relevant duties. A summary of the full suite of foundational steps can be found here.
To adhere to the nine actions, service providers must:
- Ensure the governance and accountability processes address women and girls’ online safety by, amongst other things, conducting an annual review of risk management activities.
- Conduct risk assessments that focus on harms to women and girls and ensure internal content policies are set in accordance with the risk assessment.
- Be transparent about women and girls’ online safety by adhering to their duty to publish transparency reports based on requirements laid out in any transparency notices issued by Ofcom.
- Conduct ‘abusability evaluations’ and product testing to ensure a safety by design approach.
- Set safer defaults, particularly for services that are accessed by child users.
- Reduce the circulation of content depicting, promoting or encouraging online gender-based harm, for example, by having a search moderation function designed to identify illegal content.
- Give users better control over their experiences such as by implementing better blocking or muting options and the ability to disable comments.
- Enable users who experience online gender-based harms to make reports by having easy to find, easy to access, and easy to use complaints systems and processes.
- Take appropriate action when online gender-based harm occurs by having a content moderation function that allows for the swift take down of illegal content.
Failure to implement the foundational steps could expose service providers to potential legal challenges, particularly in cases where their platforms are being used to facilitate online gender-based harm.
The Act allows service providers to adopt alternative measures, provided they keep a record of what they have done and explain how they think the relevant safety duties have been met.
The Guidance also goes further by encouraging service providers to implement “good practice” steps – including suggested features, tools and processes – designed to further improve the safety of women and girls online.
While the good practice steps are not legally enforceable, they provide a benchmark against which service providers’ efforts to protect women and girls online may be evaluated by the regulator.
Ofcom’s summary of the good practice steps can be found here.
Enforcement at Ofcom’s Disposal
Significantly for victims, the Act treats intimate image offences as a ‘priority offence’. In practice, this raises the seriousness of such offences to be on the same footing as offences such as the sale of weapons and drugs online. A failure by service providers to adequately protect against these types of offences is likely to attract harsher enforcement measures from Ofcom.
Ofcom possesses substantial enforcement powers under the Act, including the authority to:
- Issue notices of contravention to service providers detailing specific legal requirements, potential penalties, and, in some cases, mandating proactive technology. This process involves an initial provisional notice followed by a confirmation decision if the issue remains unresolved.
- Conduct audits of service providers’ online safety practices and procedures.
- Impose financial penalties on service providers that fail to comply with their statutory duties, up to a maximum of 10% of their qualifying worldwide revenue or £18 million, whichever is greater.
- Issue compliance notices directing service providers to take specific actions to remedy deficiencies in their online safety practices.
- Suspend or restrict services: in extreme cases, Ofcom may apply to the court for a service restriction order to suspend or restrict access to online services that pose a significant risk of harm to users.
- Pursue criminal liability for senior managers in certain situations, including if a service provider fails to comply with Ofcom’s requests for information.
Alongside the regulator’s statutory enforcement mechanisms, Ofcom’s Chief Executive, Dame Melanie Dawes, promised that the regulator would “absolutely” name and shame companies that fail to comply with its guidance, thereby informing the public which companies are “not taking [users’ safety] seriously”.
The Draft Guidance is open for public consultation until 25 May 2025. The final version of the guidance is expected by the end of 2025.