The key change was reducing the “deadlock” period - the period before residential and small business consumers can access ADR if their dispute is not resolved - from eight to six weeks.

This was captured as a change to the Ofcom approved complaints code of practice for customer service and complaints handling, which sits under GC C4.2.

Paragraph 12 now reads:

The Regulated Provider must immediately issue an ADR Letter to the Complainant if the Complaint remains unresolved after six weeks have passed since the date on which the Complaint was first received, unless the Regulated Provider has already sent an ADR Letter in accordance with paragraph 11 above.

This change applies to complaints raised on 8 April 2026 or later.

If you run a telco or ISP, and you have not already factored this in to your processes for handling complaints, now would be the time to do so.

A service has “links with the United Kingdom” if:

• the service has a significant number of United Kingdom users, or
• United Kingdom users form one of the target markets for the service (or the only target market), or
• if the following conditions are met:
  • the service is capable of being used in the United Kingdom by individuals, and
  • there are reasonable grounds to believe that there is a material risk of significant harm to individuals in the United Kingdom presented by user-generated content present on the service

If a service does not have “links with the United Kingdom”, it falls outside the scope of Part 3 of the OSA, meaning no need for risk assessments etc.

In this blogpost, I am focussing solely on the first test, which is whether the service has a significant number of United Kingdom users.

Summary

Ofcom seems to regard a service as having a “significant” number of UK users if it has more than 855 monthly active users and fewer than 11,000 monthly active users, but exactly where the boundary is remains unclear.

Ofcom also asserts that “significance” means significant in the context of the service, rather than being large or substantial.

Does a service have a significant number of United Kingdom users?

This is unhelpful, but not overly surprising; the GDPR, for instance, does not define what it means by processing “on a large scale”.

No statutory definition

There is no definition of “significant number” in the OSA.

No express regulatory position

Ofcom’s guidance, at paragraph 1.11, says:

The Act does not define what is meant by a ‘significant number’ of UK users for the purposes of considering the ‘UK links’ test. Service providers should be able to explain their judgement, especially if they think they do not have a significant number of UK users. Note that interpretative provisions contained in the Act apply when determining whether someone is a user for these purposes, and we briefly cover these points in this chapter.

This is not particularly helpful, especially since, in the context of the GDPR, the EU has provided at least some measure of guidance (paragraph 3) on what “large scale” means.

Ofcom has noted (here, for example), that:

Ofcom considers “significant number of UK users” to mean UK user numbers that are material in the context of the service, rather than necessarily large or substantial. Providers should therefore err on the side of caution when assessing whether they have a significant number of UK users.

Even the scope of users to be considered is unclear.

Ofcom’s regulation checker says:

You should count only those users who have actually engaged with the service. For a search service this would be such users who have submitted a search query.

What “engaged” means is unclear, to me anyway. Does a mere site visitor, who accesses a user-to-user service through their browser, but never posts, searches, or does anything other thanread, count as a “user”, for example?

Ofcom’s risk assessment guidance, at page 79, has some examples which contain numbers.

The guidance describes “large” services with 10 million monthly active users (MAU) in the UK, and medium services with 200,000 MAU in the UK.

It also includes, as examples of risk, a small gaming service with 15,000 MAU in the UK, a health charity website with 10,000 MAU in the UK, a “small size” publishing service with 5,000 MAU in the UK, and a sporting website (focussed on a particular town and thus potentially with the UK as a target audience, which is a separate limb of the “has links with the United Kingdom” test) with 5,000 MAU in the UK.

However, Ofcom does not explain why a service is in scope, and there may be reasons why a service is in scope beyond simply the number of users.

Similarly, these examples are intended to demonstrate a different element of the framework, about risk/harm, and whoever wrote them may not have had “significant number of users” (or “links with the UK” at all) in mind when writing them.

But - based on this guidance document - perhaps 5,000 users is, in itself, sufficient?

How Ofcom has approached “significant” in practice

Since it published its guidance, Ofcom has undertaken - with varying degrees of success - enforcement activity relating to the Online Safety Act 2023.

In some of these cases, it has published more detailed information about its findings, in the form of confirmation decisions.

The section is based on my review of the published Ofcom confirmation decisions, as at 2026-03-24.

We are awaiting publication of other confirmation decisions, and there are also numerous enforcement actions with only minimal published updates; these are out of scope for now, but I will check the confirmation decisions if/when they are published.

4Chan: “hundreds of thousands” is significant

In its 4Chan confirmation decision, at paragraph 4.16, Ofcom says:

We consider that a UK user base in the hundreds of thousands is, of itself, a significant number within the meaning of section 4(5)(a) of the Act

Itai Tech Ltd: 50,000 - 150,000 is significant

In its Itai Tech confirmation decision, at paragraphs 4.11 and 4.12, Ofcom says:

Data estimates … indicated that from December 2024 to April 2025 the number of unique monthly UK visitors that visited Undress ranged between 50,000 and 150,000. We have also taken into consideration the number of registered UK user numbers of [redacted] provided by Itai. … We consider that monthly unique visitors of this type of number and the registered UK user base is significant.

AVG Group: “under 50,000” is significant

In its AVG Group confirmation decision, at paragraph 3.30, Ofcom says:

Ofcom finds that each of the AVS Group Websites has monthly UK unique user numbers that are significant within the meaning of section 4(5)(a) of the Act.

It refers to an included table for the breakdown of this.

The table includes user numbers by banding, and the smallest band - which Ofcom still considers to be “significant” - is “Under 50,000”.

Since everything from 1 to 49,999 falls within this band, this is not particularly helpful.

The next band was 50,000 to 100,000 users.

We can, I think, take from this that, in Ofcom’s view, “significant” starts somewhere below 50,000 monthly active users, ~~ but quite how far below that number, we do not know.~~ Updste: seemingly around 11,000 users (see below).

Im.ge: 855 is (probably) not significant?

In its Im.ge confirmation decision, at paragraph 4.7, Ofcom says:

the Im.ge Service had an average of 855 monthly unique visitors from the United Kingdom

Now that is a small number of UK users.

In the context of Im.ge, Ofcom did not proceed on the basis of a “significant number of UK users”, but instead on the third limb of the test of whether a service has links with the United Kingdom, based on whether the service is capable of being used by people in the UK (855 users demonstrating that it is), and that there is a material risk of significant harm to people in the UK.

My interpretation - and it is just that, and so could be wrong - is that, since Ofcom concluded that the service was in scope because of the third limb (only), it perhaps suggests that Ofcom did not feel comfortable saying that 855 monthly unique visitors amounted to a “significant number”.

Kick: unsurprisingly, 700,000 - 1m users is “significant”

Here’s the confirmation decision, but, with these numbers, the conclusion is hardly surprising.

8579 LLC: “11k-12k” is significant

In its 8579 LLC confirmation decision, at the table in paragraph 3.39, Ofcom has concluded that “c.11k-12k” MAU is “significant” in its own right.

Conclusion

Ofcom seems to regard a service as having a “significant” number of UK users if it has more than 855 monthly active users and fewer than 11,000 monthly active users, but exactly where the boundary is remains unclear.

Presumably, the closer one is to 11,000, the greater the risk that Ofcom will consider the service to have a significant number of users.

I am hopeful that, in time, the threshold will become clearer, to give certainty and confidence to smaller sites - especially sites which are inherently low risk - as to whether they have obligations under the OSA or not.

If you run a service which is, or could be, subject to the Online Safety Act, and want a hand with an illegal content risk assessment or other compliance obligations, please do just get in touch.

Since then, Ofcom has launched an “enforcement programme to protect children from encountering pornographic content through the use of age assurance” and its most prolific enforcement activity has indeed related to pornographic content, so I thought that it was time for a brief update.

A focus on “porn sites”

As anticipated, Ofcom has focused so far on websites which offer video-based pornographic content, with seemingly quite high traffic volumes (although exactly how this is verified is not always clear to me), without highly effective age verification in place.

Think “typical tube site”, basically.

Oddly (or not?), none of the sites at issue are sites that I had heard about before. It still makes me smile that, if one wants a list of porn sites without age assurance in place, Ofcom’s website is a good source of information.

No exploration yet of what is “pornographic”

I have not carried out overly extensive research but, based on a quick skim of some of the sites, to my mind, there is no real question mark as to whether most of the content on the sites under investigation is “pornographic” or not.

There is none of the nuance that I have discussed before around educational resources, self-expression, works of art, burlesque content, the distinction between pornography and nudity, and so on, nor around audio-only content / someone reading aloud erotic stories.

Overseas sites and fines, but what next?

Ofcom has issued fines of roughly £3m so far, although, as far as I am aware, none of these have been (or are likely to be) paid.

Ofcom is somewhat playing this on hard mode, no pun intended, in the sense that it has gone after sites which are operated by companies outside the UK, where I imagine that the likelihood of securing payment, or receiving much in the way of cooperation, is incredibly low.

I imagine that there will be questions asked about the effectiveness of Ofcom’s enforcement activity, which, if anything, could lead to even more restrictive legislation, or more funding for Ofcom to engage in more enforcement work.

My feeling is that, sooner rather than later, Ofcom will use at least one of these as the test case for what the OSA terms “business disruption measures”, looking to payment providers, hosting providers, CDNs and the like to take action.

The final step would be seeking a court order to compel (some? all?) ISPs in the UK to block access to the sites in question. Although that would not stop VPNs (of which, see below).

(You might be aware that, in 2025, Ofcom fined MintStars £7,000, and OnlyFans (Fenix) just over £1m for failing to comply with information requests (rather than any underlying issue to do with access to pornography).)

VPNs

For now, VPN services are out of scope of the OSA.

You might have seen moves to amend the OSA, to prohibit VPN service providers from permitting child use of their VPNs or force age verification for VPN services.

Promoting VPNs on sites containing pornographic content remains high risk, IMHO, given Ofcom’s specific comments about this.

Taking money to advertise them would be high risk too, but since most VPN providers seem unwilling to work with pornographic sites, despite pornographic sites likely being responsible for much of their userbase), that’s probably not something to worry about.

Blocking the UK by IP address still seems to be an effective control

As far as I can tell, if a site operator blocks traffic from UK IP addresses, does this consistently / reliably, does not promote itself to people in the UK, and does not mention ways of circumventing this, Ofcom’s starting point will be that the site does not have “links with the United Kingdom” (and so would be out of scope of Part 5 OSA).

I’ve seen different approaches for this, some based on CDNs (although smaller sites likely do not need a CDN, so this could be extra cost / complexity), and some just using webserver-based configuration.

Personal sites / sex blogs, and erotica

In terms of sex blogs, text-only material is still out of scope. I have not seen any appetite to amend this.

My understanding is that an individual’s self-expression/discovery sex blogs are not an enforcement priority.

It still seems unlikely that the occasional saucy image on an otherwise text-based blog will attract regulatory scrutiny, but nor can I rule it out 100% (of course).

But it is worth remembering that, like most regulators, although Ofcom is independent, it is susceptible to pressure, and so if Ofcom received either a lot of complaints about a site, or else high profile complaints, or a site simply got a lot of publicity, Ofcom’s position might change rapidly.

Overall, things are proceeding predominantly as anticipated.

As always, should you have any questions, please do just let me know.

It is no longer aligned with the law in the EU, and it permits website operators and others to do more - not lots, but more - on an “opt-out” basis”.

This is a change to The Privacy and Electronic Communications (EC Directive) Regulations 2003, made by way of the Data (Use and Access) Act 2025.

(There is one exemption that I am not going to cover here, about emergency assistance; that is for a future blogpost.)

The general prohibition

The new law starts with a general prohibition:

a person must not store information, or gain access to information stored, in the terminal equipment of a subscriber or user.

The scope has not changed. While this law is often - erroneously - referred to as “the cookie law”, it covers (and always has covered) more than just cookies.

It applies to any technology that a person uses to store information in, or gain access to information stored in, someone’s terminal equipment.

The ICO’s guidance says that it:

includes, but is not limited to: * cookies; * tracking pixels; * link decoration and navigational tracking; * web storage; * fingerprinting techniques; and * scripts and tags.

For the first time, the law is explicit that:

a reference (however expressed) to gaining access to information stored in the terminal equipment of a subscriber or user includes a reference to collecting or monitoring information automatically emitted by the terminal equipment.

This, to my mind, brings (more clearly) in scope things like browser user agent strings, as well as Wi-Fi and Bluetooth MAC addresses. In my view, these have always been in scope of PECR, but this is not explicit.

The (current) exemptions

Schedule A1 contains the current list of exemptions to this prohibition.

Consent

The existing rules around consensual activity have been maintained, but they are now in a different place.

The general prohibition does does not prevent a person storing information, or gaining access to information stored, in someone’s terminal equipment of a subscriber or user if that subscriber or user:

1. is provided with clear and comprehensive information about the purpose of the storage or access, and

2. gives consent to the storage or access.

This is “I consent” not “I have failed to untick a box”. The law does, however, permit signifying consent by:

1. amending or setting controls on the internet browser which the subscriber or user uses;

2. using another application or programme.

I expect there to be arguments about a browser’s default settings.

(I do not know why this law says “programme” rather than “program”. I thought that we used “programme” for media and “program” for computer software, as per - for example - the Computer Misuse Act 1990 and the Investigatory Powers Act 2016. But this is not new; it has been there since 2011.)

Transmission of a communication over an electronic communications network

The general prohibition does not prevent access or storage:

for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

Again, this is not a new exemption, but it has been moved into the schedule.

Access / storage which is “strictly necessary” to provide the service requested by the user

The new law also retains the exemption for storage and access which is “strictly necessary for the provision of an information society service requested by the subscriber or user”.

“Strictly necessary” is a high standard, and is assessed from the perspective of the subscriber/user, not the person providing the service.

The ICO says:

For example, you might view the use of advertising cookies as ‘strictly necessary’ because they bring in revenue that funds your service. However, they are not ‘strictly necessary’ from the user’s perspective.

The law has, however, been expanded, to include a list of examples of things which fall within the definition of “for the provision of the …service”.

These are just examples and it is explicit that the storage/access must still be “strictly necessary” for these things. But this might be helpful in dealing with a concern as to whether activities are capable of falling within this exemption or not.

The list is where the storage or access is strictly necessary:

1. to protect information provided in connection with, or relating to, the provision of the service requested,

2. to ensure that the security of the terminal equipment of the subscriber or user is not adversely affected by the provision of the service requested,

3. to prevent or detect fraud in connection with the provision of the service requested,

4. to prevent or detect technical faults in connection with the provision of the service requested, or

5. to enable either of the following things to be done where necessary for the provision of the service requested:

6. automatically authenticating the identity of the subscriber or user, or

2. maintaining a record of selections made on a website, or information put into a website, by the subscriber or user.

Collecting information for statistical purposes (opt-out)

There is a new exemption for collection of limited statistics.

This could be useful for anyone providing an information society service (e.g. operating a website), who wants to collect statistical information for analytics, to enable them improve their service.

This can now be done on an “opt-out” basis.

Note that this exemption is available only to people providing information society services, and it explicitly does not include collecting or monitoring information automatically emitted by the terminal equipment.

The first core requirement is that:

the sole purpose of the storage or access is to enable the person:

1. to collect information for statistical purposes about how the service is used with a view to making improvements to the service, or

2. to collect information for statistical purposes about how a website by means of which the service is provided is used with a view to making improvements to the website

The two key points to note are that the information must be used solely for “statistical purposes”, and there must be “a view to making improvements to the service”.

Using the data for any other purpose is not covered by this provision, meaning that the service provider requires consent, or else it is prohibited.

There is no definition of “statistical purposes” in the new framework.

Assuming - and it is an assumption - that “statistical purposes” has the same meaning here as in the UK GDPR, it means:

… processing for statistical surveys or for the production of statistical results where:

1. the information that results from the processing is aggregate data that is not personal data, and

2. the controller does not use the personal data processed, or the information that results from the processing, in support of measures or decisions with respect to a particular data subject to whom the personal data relates.

Because of this, this exemption cannot be used for individual tracking / targeting, and so it does not fit targeted advertising use cases.

If this activity entails the processing of personal data then it will also need to meet the requirements of the UK GDPR, which are out of scope of this blogpost.

The second core requirement is that:

any information that the storage or access enables the person to collect is not shared with any other person except for the purpose of enabling that other person to assist with making improvements to the service or website

In other words, sharing the information with a web / software developer, or with a UX consultancy, or similar, would be acceptable.

Someone who meets these conditions can carry out the activity on an opt-out basis.

This means that:

the subscriber or user is provided with clear and comprehensive information about the purpose of the storage or access, and

the subscriber or user is given a simple means of objecting, free of charge, to the storage or access and does not object.

They must be given the means of objecting, along with the requisite information, before the collection takes place, meaning - annoyingly - probably yet more complexity to the already-infuriating “cookie banners”.

For service providers, this might entail maintaining different “cookie banners” for different services / different audiences, depending on whether they fall within the scope of the UK’s framework or the EU’s framework.

Website appearance (opt-out)

The second new exemption is for website appearance purposes.

Again, this is on an opt-out basis.

This exemption applies where:

the sole purpose of the storage or access is:

1. to enable the way the website appears or functions when displayed on, or accessed by, the terminal equipment to adapt to the preferences of the subscriber or user, or

2. to otherwise enable an enhancement of the appearance or functionality of the website when displayed on, or accessed by, the terminal equipment.

As with the statistical purposes exemption, this requires clear information to the user, and giving the user the right to object (i.e. opt-out) before this activity takes place.

This exemption somewhat baffles me, I must admit.

The ICO gives examples of what it considers to fall within this exception.

These include:

The use of an external font library to display your chosen font on the service.

Now, I wrote about GDPR / PECR issues with externally-hosted fonts back in 2022 and… absolutely nothing happened about it. I don’t think that anyone cared, or noticed.

So it seems like a pretty significant thing to say now that, if you use an externally-hosted font, you need to inform users about this before they download that font, and give them the chance to decline.

If you use an externally-hosted font library, are you doing this?

I also do not understand why - from a PECR point of view - the same logic does not apply also to locally-hosted fonts. If a third party hosted font is not “strictly necessary” (because if it was, then this exemption would not be relevant), is a locally-hosted font “strictly necessary” (and if so, why)?

And if a locally-hosted font is not strictly necessary, it would need to satisfy this exemption too - including the right to object.

I note that the ICO says that:

You should ensure the font provider uses this information for the purposes of serving the font that you’ve selected and not for other purposes (eg advertising and profiling).

In other words, the possibility of a third party font host doing profiling based on fonts cannot, in itself, be the reason why third party fonts are in scope of this exemption.

A second example is:

Detecting preferences indicated on the subscriber’s or user’s operating system, such as themes and colour schemes, and displaying the service using a similar theme, if available.

This website offers “dark mode”, using the CSS @media (prefers-color-scheme: dark). This works because the user’s browser applies the CSS based on the user’s settings.

This is a pretty common thing to do and, to my mind, has zero degree of privacy intrusion: it works solely based on a user’s choice of settings, and it happens entirely locally, on the user’s device.

I am not, as the service provider, accessing any information stored on the user’s computer, and I receive no information back as to whether someone is using dark mode, light more, or their own custom CSS. But the CSS is stored on the user’s device, as part of their browsing.

So is this what the ICO has in mind here?

Is it Parliament’s intention that the fact that I use CSS, which gets (temporarily) stored / cached in the browser, to offer “dark mode”, enough to bring that CSS in scope of PECR, requiring me to give clear information and the opportunity to opt-out?

And does it mean that all other CSS can be served/stored only on the basis of consent (because otherwise it would be prohibited)? I’m struggling to see that it is “strictly necessary”…

That would seem to be a huge change in law, for absolutely no benefit.

To my mind, showing a banner/warning makes for a considerably worse, intrusive, user experience, than offering CSS.

And if this example really is only about signals being sent from the client back to the server, it would help if the ICO set this out explicitly. Although I’m not sure how often that actually happens…

What to do about this?

If you want a hand thinking through the implications of this, please do just get in touch.

For some sites, I imagine that the benefits potentially afforded here will not justify the cost / nuisance of trying to shoehorn more into a “cookie banner”, or to have different banners for different countries.

For sites focussed on the UK, it might be worth exploring the possibility of taking advantage of these exemptions.

But I imagine that plenty of sites will simply wait to see if/how the ICO is going to approach enforcement.

And I’m still intending to use css to let visitors switch between light mode and dark mode as they wish.

It focusses on the data protection obligations of the operator of an online marketplace, in terms of the personal data contained in ads placed by its users.

Although it is an EU decision, and so not directly binding on courts in the UK, it is still of interest.

I am writing about it because it goes right to the heart of running online services, and - to my mind, anyway - seems to impose very restrictive, challenging obligations / conditions on operating a service.

(It has taken me a while to finish writing this. My apologies.)

The gist of the case

The facts of the case are unpleasant, with a content warning for violence against women and image-based abuse.

Russmedia, a Romanian company, runs an online marketplace, on which users can post adverts.

Someone abused this service.

The complaint about it was set out by the court in the following terms:

an unidentified third party published on that website an untrue and harmful advertisement presenting [a woman] as offering sexual services. That advertisement contained photographs of that [woman], which had been used without her consent, along with her telephone number. The advertisement was subsequently reproduced identically on other websites containing advertising content, where it was posted online with the indication of the original source.

Russmedia removed the advert once the woman had contacted it.

The court said:

The same advertisement nevertheless remains available on other websites which have reproduced it.

Why does this case matter?

Clearly, to the individual whose details were posted in this way, this was a horrible situation.

I fear, though, that it is a challenging decision, in terms of the obligations which the court considers are to be imposed on the provider of such a service under data protection law.

It might be possible for a small-scale provider, with a low level of adverts being posted, to meet the requirements.

I am more sceptical about how it might be done at scale. And while some might argue that that is no bad thing, and that we are playing catch-up to a lack of trust and safety tooling, or responsible platform operation, I am surprised that a court decision could have such far-reaching effect.

Why the court said that Russmedia was responsible for personal data in users’ adverts

The court held that Russmedia was a controller in respect of (some of?) the personal data contained in adverts posted by its users.

The court noted that:

Russmedia clearly did not participate in the determination of the untrue and harmful purpose pursued by the user advertiser

Nevertheless, it held Russmedia to be a controller.

The court explicitly says that:

the operator of an online marketplace cannot avoid its liability, as controller of personal data, on the ground that it has not itself determined the content of the advertisement at issue …

The decision sets out a number of reasons why the court considered that Russmedia was a controller in respect of the personal data included in an advert by a user of the service:

• Russmedia “publishes advertisements on its online marketplace for its own commercial purposes”.

• Russmedia’s terms of service:

“general terms and conditions of use of that marketplace give Russmedia considerable freedom to exploit the information published on that marketplace. In particular, … Russmedia reserves the right to use published content, distribute it, transmit it, reproduce it, modify it, translate it, transfer it to partners and remove it at any time, without the need for any ‘valid’ reason for so doing.”

These, the court said, demonstrated that Russmedia “exerts a decisive influence” over the processing of personal data.

• “By having made its online marketplace … available to the user advertiser, Russmedia participated in the determination of the means of that publication.”

• Russmedia’s control over its website. Russmedia:

“sets the parameters for the dissemination of advertisements likely to contain personal data depending on the recipients concerned, determines the presentation and duration of that dissemination or the headings structuring the information published, or even organises the classification which will determine the arrangements for such dissemination, it participates in the determination of the essential elements of the publication of the personal data concerned, thereby exerting a decisive influence on the overall dissemination of those data.”

That’s… broad.

Could the website operator have avoided being a “controller”?

When I read this, I wondered what a website operator would need to do to avoid being a controller in respect of personal data contained in the content of adverts.

For instance:

• if a website was not operated “for commercial purposes”, but perhaps as part of a community initiative, or on a not-for-profit basis?

• if the terms of service did not contain terms which permit the provider to “exploit the information published”, or else limit its ability to do such things to circumstances in which the provider has a “valid” reason to do so (although the court provided no guidance as to what might be considered “valid”).

• if the website operator gave (sole?) control to the user advertiser as to the “dissemination” of the adverts, the time for which the ads were published, how the ad is presented, and how the ad is classified and any headings associated with it. I’m not sure how this would work in practice.

But the fact that the court held that simply by making the service available, Russmedia “participated in the determination of the means of [the publication of adverts]”, makes it at best questionable if these would be effective.

What a controller must do

At a high level, the court held that the website operator had to operate in a manner consistent with the GDPR.

The court said in particular that the website operator must be able to:

• demonstrate that the personal data contained in the advertisement concerned are lawfully published; and
• demonstrate that the personal data concerned are accurate

How they envisaged a website operator being able to tell if the content of a post - at least, personal data contained in a post - is “accurate” is not documented. If (as I discuss below) this decision extends to all website operators, not just classified ad providers, this would seem to be to an impossible obligation.

In terms of adverts containing special category data, the obligations that the court anticipates are more onerous.

First, they say that they website operator must:

implement appropriate technical and organisational measures in order to identify such advertisements before their publication and thus to be in a position to verify whether the sensitive data that they contain are published in compliance with the [GDPR]”

In other words, to determine whether an advert contains special category data.

It might be possible to do this automatically, but potentially not in a particularly reliable fashion.

For smaller services, such as individual Flohmarkt instances, this might be achievable by changing the process, to require prior approval of each advert by a moderator / trust and safety staff member, trained to identify special category data (or, indeed, all personal data).

Second, the court says that:

the operator of the marketplace is required to verify, prior to the publication of such an advertisement, whether the user advertiser preparing to place the advertisement is the person whose sensitive data appear in that advertisement, which presupposes that the identity of that user advertiser is collected

Okay, so if Neil Brown posts the advert, and the special category data relates to the same Neil Brown, then this could be permitted.

That last bit - “which presupposes that the identity of that user advertiser is collected” - is, unfortunately, unclear.

Does it mean that this obligation applies only if the website operator already ascertains the identity of the user advertiser?

Or that, to fulfil this obligation, the website operator must collect the identity of the user advertise, since otherwise how could the website operator ascertain whether or not the special category data related to that person or not.

I suspect - contextually - that the court means the latter, which introduces a backdoor identity requirement, at least in the context of adverts which contain special category data.

If so, then I am struggling to reconcile it with Article 11 GDPR:

If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

The court’s requirement does not necessarily mean that a user’s screen name must be identifiable - it could be a pseudonym - but that the user must provide identification information, and the website operator must validate that.

From a data minimisation perspective, the website operator might be able to delay doing this for a user unless/until that user attempted to post an advert containing special category data. At that point, the review process would flag the advert, and either require the user to verify their identity, or else modify the advert so that it does not contain special category data.

Third, the court said that:

unless that user advertiser can demonstrate to the requisite legal standard that the data subject has given his or her explicit consent to the data in question being published on that online marketplace, … or that one of the other exceptions provided for in Article 9(2)(b) to (j) is satisfied, the operator of that online marketplace must refuse publication of the advertisement in question, which it must ensure by implementing appropriate technical and organisational measures.

To get explicit consent, the website operator would need some separate, specific, consent collection mechanism.

In practice, this probably means that, if a website operator cannot identify the user, and cannot be confident that the special category data in the advert relates to the user, the website operator cannot publish the advert.

And if the user has validated their identity, and the website operator can determine that the content of the advert relates to that user, then the website operator will need to present a mechanism by which the user can give their explicit consent to the publication of that advert.

The fourth requirement rather baffles me. It is that:

the data controller must consider in particular all technical measures available in the current state of technical knowledge that are apt to block the copying and reproduction of online content.”

I do not know how the court envisaged a website operator complying with this.

Some JavaScript to block the “copy” function (capable of circumvention by preventing JavaScript)?

Trying to block scrapers?

Some kind of DRM?

I am really not sure how a website operator might go about this, which leads me to think that either a website operator will need to have deep pockets, to be willing to deal with regulatory investigations or litigation about this, or else they determine that they cannot approve any adverts which contain special category data, irrespective of the person to whom those data relate.

What about intermediary liability?

The principle of intermediary liability shields - that a website operator should not be responsible for what people post on their service, but may need to take action upon becoming aware of unlawful content - seems to be under constant pressure.

Laws like the UK’s Online Safety Act 2023, for instance.

And interpretations of the data protection framework, like the one in this case.

On the one hand, the law says that a website operator is not responsible for what users post on their service. And yet, on the other hand, they absolutely are responsible, with data protection obligations precisely because of what users post on their service. Not in terms of their users, but in terms of what their users post.

I do not know how to reconcile these tensions. But I certainly fear for the future of a free and open web.

Is this limited to operators of “online marketplaces” / “classified ads”?

Although the facts of this case, and the judgement, refer specifically to online marketplaces, I find it hard to see why the reasoning would be limited to such services.

To my mind, the reasoning in terms of the controllership analysis would seem to apply to the operator of any online service, which enabled a user to post anything publicly, or - perhaps - simply which could be seen by another user.

I am struggling to see, at this stage anyway, why the same logic would not apply to many, if not most, social media services, forums, and comments sections.

And I am struggling even more to see how they might comply with the things which the court said here that Russmedia would be required to do - assessing every post to see if contains special category data, seeking identify verification of the user, checking if the special category data relates to that user, denying publication if it does not, and if taking steps to prevent others copying and redistributing the post if it does?

For tiny-scale services (perhaps a blog’s individual comments section), this might be achievable, in the sense of not permitting anything containing special category data). Although I think of my friends with sex-related blogs, and just how many comments and interactions that might preclude.

But for even a small fedi instance (e.g. a Mastodon instance run by friends, for a small group of users), this seems impractical, and would require considerable design changes anyway.

At scale, I have no idea how this might work if this principle was indeed extended beyond the scope of online classified ad services.

Perhaps I am worrying too much. I am not playing the “this is the end of the web as we know it” card, but it certainly seems to impose some challenging requirements with potentially significant, far-reaching, consequences.

Background

Here is key information about the UK Internet services sanctions regime.

Here is more information, including a letter from Ofcom.

I’ve yet to see any enforcement action from Ofcom (or anyone else) in respect of these.

What do we need to do?

As a reminder, the sanction which ISPs must apply to users in the UK is:

A person who provides an internet access service must take reasonable steps to prevent a user of the service in the United Kingdom from accessing, by means of that service, an internet service provided by a designated person.

New Internet services sanctions were added in December 2025 so, if you are not keeping an eye on the UK sanctions list, you may have missed these.

Working out what, if anything, you need to do, is a bit of a faff.

To see what URLs a specified as part of the sanction, you need to click through to the details of the individual sanction, looking both on the UK sanctions list (via the Unique ID) and the OFSI sanctions list.

However, if a sanctioned person provided an Internet service, the sanction covers it, even if that service is not listed in the sanctions list. Quite what “reasonable steps” a UK ISP can take to work out what these are though is a different matter.

Annoyingly, it looks like the OFSI search engine will only display results if you have gone through the search engine, rather than going to the linked result directly. So, while I’ve linked to the OFSI page for the OFSI reference under “OFSI Group ID”, I’ve yet to make this work.

Domains which I think are sanctioned

I’ve been through the UK list, and added domains/URLs where I have spotted them, but I make no promises that this is correct or complete:

• aeza.net
• afrinz.ru
• euromore.eu
• golos.eu
• pravfond.ru
• rybar.ru
• restmedia.io
• rossiyasegodnya.com
• rt.com
• sputniknews.com

These three are not currently on the UK lists, but I have seen them previously, so I would assume that they are still covered (since the obligation relates to the sanctioned entity, not to specific listed URLs):

• www.anodialog.ru
• sp-agency.ru
• structura.pro

The sanction relates to Internet services provided by the sanctioned person - that probably means someone’s Gmail address is irrelevant (and I have not included email addresses here anyway), but it is less clear whether a sanctioned person’s YouTube channel is in scope, for instance. Not that there is much that a UK ISP can do about someone’s YouTube channel, short of blocking the whole of YouTube (which would be entirely disproportionate, IMHO).

The 37 Internet services sanctions, as at 2026-01-07

To monitor this list yourself, go to the UK sanctions list, and filter by “Sanctions Imposed”, to set this to “Internet Services Sanctions”.

Sandra and I have been running our own tiny law firm, decoded.legal, for ten whole years.

We had no idea how - or, indeed, if - this was going to work when we started out, but we gave it a go anyway.

And, so far, so good. We are still in business, we still enjoy it, and we are still married.

We have learned a lot, and we have tried to improve continuously what we do and how we do it, while staying true to our original goal of offering prompt, friendly, risk-aware, plain English, pragmatic legal advice.

A genuine, heartfelt “thank you” to everyone who has made this possible, especially our amazing clients - particularly those of you who have worked with us from the very beginning - and everyone who has recommended us or referred work to us. I really appreciate it.

(Art by the wonderful Jennie Gyllblad.)

Wishing you all happy holidays! I have greatly enjoyed working with you all this year, and look forward to doing it again in 2026. I’m lucky to have such amazing clients.

We will be back again on 5th January 2026.

If you have a genuine emergency - a life at risk situation, an urgent court order / disclosure requirement, or something like that - you can still give us a call or send us a message on Signal.

“regulated user-to-user services” shall have the meaning given to it in the Online Safety Act 2023, subject to any modification, addition or exclusionas the Secretary of State may specify in regulations made by statutory instrument under this subsection.”

Earlier this week, I wrote about a proposed legislative amendment to attempt to compel VPN services providers to prevent anyone under 18 in the UK from using their VPNs.

There’s a second amendment, by the same authors, to prevent under 16s in the UK from, well, doing an awful lot of things online.

For this blogpost, I am working from the running list of amendments from 16 December 2025. The clause in question is on page 25 of that PDF.

Action to promote the wellbeing of children in relation to social media

The aim of this clause is, amongst other things, “introducing regulations to prevent under 16s from accessing social media”.

The term “social media” is an interesting one here, because that it is not what the actual amendment says…

The amendment itself

1. Within 12 months of the day on which this Act is passed, the Secretary of State must, for the purposes of promoting the wellbeing of children—

…

2. by regulations made my statutory instrument require all regulated user-to-user services to use highly-effective age assurance measures to prevent children under the age of 16 from becoming or being users.

There are a couple of key points here.

The scope of services caught by this is incredibly broad

“[All] regulated user-to-user services” is massively broad.

It is much broader than “social media”, and covers a huge number of every day online services, including self-hosted services.

This is one of a number of key flaws with the UK’s Online Safety Act 2023.

Want to use Signal, or even a closed user group, family-only, self-hosted XMPP service like Snikket, for messaging your children? This would be prohibited. (SMS is not in scope, and nor is email, so you could probably still run a DeltaChat relay and let your children use it.)

A shared chores list or family shopping list? Prohibited. You would have to ban your own under 16 children from your service. A paper list is fine, but a more convenient online one would not be allowed.

Family photo sharing service? Prohibited.

A game with an integrated messaging service? Prohibited. You can play a board game at home and talk with your children, but you could not run a private game server for your children and you, and play games and chat with them over the Internet.

Viewing a forum, or a user-generated content resource like Wikipedia? Quite possibly prohibited too, if the Online Safety Act’s definition of “users” encompasses “mere viewers” (and it might; this point is not settled, which is a dreadful situation).

You get the gist.

This measure, if it were passed, would impact a huge number of online services.

Noting that the aim is about “social media”, I suspect that the authors might not appreciate just how excessively broad the scope of the Online Safety Act really is.

Age assurance for under sixteens means age assurance for everyone

If this amendment were to be passed, all in-scope services would be required to introduce “highly effective age assurance”, to ensure that they banned under sixteens.

This means age assurance for everyone, as one cannot apply age assurance only to children under sixteen.

And, because - as above - the scope of in-scope sites is so incredibly broad, it seems likely that this amendment would lead to a “papers, please” approach to many, many common online services.

This would represent a massive expansion of the scope of age assurance online (kerching, age assurance industry…), and would be fundamentally disproportionate for so many smaller operators.

If you thought that the malicious compliance “cookie banners” were a nuisance, you ain’t seen nothing yet…

The privacy implications of having to hand over one’s identity documents, or otherwise prove one’s age/identify, to so many, many sites would be just staggering.

I really hope that this is a non-starter.

But Neil, why not propose an alternative?

I am not in a position to propose an alternative, because I do not know the problem that this is trying to tackle.

Or, indeed, the underlying causes of the problem.

If there was a clear problem statement, that would be a start.

A couple of proposed amendments have caught my eye.

This blogpost focusses on the proposed amendment to stop under 18s from using VPNs.

A future blogpost will focuss on the proposed amendment to prohibit under 18s from… well, lots and lots of stuff online.

Action to prohibit the provision of VPN services to children in the United Kingdom

I am using the running list of amendments on report, from 12 December (PDF), and this particualr proposed amendment is on page 22 of the PDF.

The aim of this proposed amendment is, according to its proponents, as follows:

This new clause would require the Secretary of State to take action to promote and protect children’s wellbeing, and to further support child protective measures in the Online Safety Act, by prohibiting the provision to children in the United Kingdom of VPN services which can facilitate evasion of OSA age-gating processes.

In other words, bringing providers of “VPN services” within the scope of the Online Safety Act 2023.

But not prohibiting children from using VPNs to “facilitate evasion” of the OSA.

The amendment itself

Here is a clause-by-clause look at the proposed amendment.

It is unclear to what the age assurance obligation applies

1. Within 12 months of the day on which this Act is passed the Secretary of State must, for the purpose of furthering the protection and wellbeing of children, make regulations which prohibit the provision to UK children of a Relevant VPN Service (the “child VPN prohibition”).

2. Regulations under subsection (1)—

1. may make provision for the provider of a Relevant VPN Service to apply to any person seeking to access its service in or from the UK age assurance which is highly effective at correctly determining whether or not that person is a child;

This clause is hard to parse; at the very least, a few more commas would help.

This is a “may”, so the Secretary of State would not be obliged to do this (although I imagine that they would be under pressure to do so).

In terms of substance, it is unclear whether “seeking to access its service” means “at point of buying / provisioning the service” or “each and every use of the service”.

The former means that, when someone goes to sign up with a VPN service, or generate a configuration file etc., the VPN service provider would be obliged to conduct age verification, if that person is doing so “in or from the UK”.

If so, this legislation would permit an adult to configure a VPN service, and apply it to their devices (or at network level), and then let a child use those devices / that network: this would not be an issue of non-compliance for the VPN service provider. The provider has done age assurance at point of service sign-up / credential creation, and determined that it was adult doing so.

The latter means that, if someone is trying to connect to the VPN service in or from the UK, the VPN service provider needs to do age assurance.

I have no idea how the authors envisage this working on a per-connection basis, if that is the correct interpretation, as no VPN protocol (that I know of, anyway), supports this. Similarly, a VPN operated at network level (e.g. configured on the user’s router, so that all of the traffic from their home is sent to the VPN concentrator) would be challenging under this interpretation, given multiple users of the same connection whose packets are indistiguishable.

If this proposed amendment gets any traction at all, this bit really needs resolving.

The proposal is even broader than the OSA’s approach to in-scope services

2. must apply the child VPN prohibition to the provider of any Relevant VPN Service which is, or is likely to be—

1. offered or marketed to persons in the United Kingdom;

This is broader than the OSA’s existing “links to the United Kingdom” test.

Under the OSA, one of the tests for “links to the United Kingdom” is whether “United Kingdom users for one of the target markets for the service (or the only target market)”.

While “target market” is vague, with plenty of scope for argument as to exactly what constitutes “targeting” (and there is plenty of case law on this, in different contexts), it does at least hint towards the notion that the supplier must be intending to sell to people in the UK, or to be doing something to draw the attention of people in the UK to their product or service.

The inclusion of “offered” in the proposed amendment circumvents even this weakest of controls, as, to my mind, “offered” simply means that someone in the UK is able to buy it.

In any case, it is unclear why there needs to be a separate test for VPN providers.

2. provided to a significant number of persons.

Again, this is broader than the OSA’s existing language.

A user-to-user service has “links with the UK” if “the service has a significant number of United Kingdom users”.

Even putting to one side the difficulties arising from the inherent vagueness of “significant number”, at least the OSA’s test is focussed on “United Kingdom users”.

The language of the proposed amendment would appear to bring any reasonably popular VPN service in scope, simply because that service is provided to a “significant number of persons”, irrespective of the number in the UK.

3. must make provision for the monitoring and effective enforcement of the child VPN prohibition.

5. For the purposes of this section—

“child” means a person under the age of 18.

“consumer” means a person acting otherwise than in the course of a business.

It is unclear even what services are actually in scope

“Relevant VPN Service” means a service of providing, in the course of a business, to a consumer, a virtual private network for accessing the internet.

The proposed amendment does not define “virtual private network”. Perhaps, like pornography email, we all know it when we see it.

Does it include SOCKS5 proxies? SSH tunnelling? I don’t know.

It does, however, appear to exclude general purposes hosting, or shell access, even if a user might then simply configure a proxy or VPN of their own choosing.

“In the course of a business” might render Tor out of scope, as Tor is a (USA) 501(c)(3) nonprofit. It also brings self-hosted VPNs, which one person provides to their friends or family members, out of scope.

The language of “access the internet” has come up before, and to me, one uses one’s Internet Access Provider to access the Internet. Having accessed the Internet via one’s provider(s), one might choose to route one’s traffic in various ways, but that routing is done over the Internet which the user has already accessed. I suspect that this is most pedantry. In other words, the VPN services at issue here are not for “accessing the Internet”, but for making use of access which the user has already obtained. Pedantry?

“UK child” means any child who is in the United Kingdom.

Well, today, there has been an update, in the form of the catchily-named The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) (No. 2) Regulations 2025.

The title is almost longer than the content, which sets out conditions for deemed compliance with the requirement to have a relevant connectable product accompanied by a statement of compliance.

For now, those conditions are that the product is currently assigned a (non-expired) conformance label under either Japan JC-STAR STAR-1 or any level of the Singapore Cybersecurity Labelling Scheme.

Once again, we’d love to post you a physical, handwritten, holiday card, if you want one.

And, once again, this year’s card was drawn by the talented Jennie Gyllblad.

This year’s card has a slight Christmas motif, but is more cyberpunk / Internet nostalgia than anything.

We just need your address

If you would like a card, please complete this form.

I have expanded the list of fields this year, to cater for a wider range of people with different needs, but the only thing I absolutely need is a postal address.

For information on how we (decoded.legal) process your personal data relating to this, please see our privacy notice.

Posting outside the UK? Fine!

We’re happy to post outside the UK, but whether you will receive it in time for this Christmas is questionable. That’s probably true of the UK too, to be honest…

If we run out of cards

I’ve no idea how many requests we will get, so I will do my best, but please accept my apologies if I run out of cards. I’ll shut down the form as soon as that looks likely.

What’s the catch…?

There isn’t one. It’s just something we like to do.

A hype cycle in which the claimed or perceived value of AI is significantly higher than its actual value.

Organisations rushing to spend money to adopt “AI” in their own systems and processes, and rebranding their own services as “AI-powered” and similar, to attract other organisations looking to spend money on AI. And so it goes round.

The problem with bubbles is that they are prone to popping.

This blogpost sets out high level considerations for companies which have adopted some or more AI tools, against the day that the bubble pops (or, more specifically, if services on which they are reliant cease to be available). Most of the considerations are relevant to third party dependencies more broadly, and are just good business continuity planning.

These are practical things, at the level of individual businesses, rather than “how to avoid or solve the potential widescale economic implications” considerations.

(Obviously, if you are confident that there is no AI bubble - and that’s absolutely fine - this is probably not the blogpost for you.)

Assess your dependency on AI

Do you have a clear, documented overview of how your business uses AI? What processes are linked to which AI tools/services? Who provides those services?

If there’s a possibility of “shadow AI” - people using their corporate payment cards to procure AI tools, or their own personal accounts, rather than going through whatever the formal procurement process is - you will probably want to get on top this for other reasons (including data protection and information security), but now’s as good a time as any.

Which of your processes have inate / constant dependencies on third parties, and which would continue to run, or you could run yourself (e.g. locally, with offline models), if the third party provider ceased to operate?

Check your contracts with AI providers

If you think that you might want to, or need to, exit contracts, what’s your position?

• What are the exit / termination provisions? Do you know how to give notice?
• Do you have a minimum term commitment, or a minimum spend commitment?

On the flip side, what rights do you have if a provider goes into liquidation? Or simply stops providing services?

Of course, if a provider has ceased to operate, or has no money, even if you have contractual rights or are entitled to remedies, your realistic, short term, options could be very limited unless you are rich enough to afford injunctive relief (and even then, possibly still very limited).

Could you meet your own contractual commitments (e.g. to customers) and legal / regulatory requirements?

Do you have a good overview of your contracts with your customers (which may or may not be on your own terms, and may have been negotiated / varied)?

Which of your own contractual commitments depend on you being able to use AI tools?

What about legal/regulatory obligations (noting that some organisations are using AI to support in handling subject access requests, for example)?

Would you be delayed in meeting your obligations, while you rapidly recruited and trained humans? Would you be able to meet them only in part?

Do you have service level commitments, or notification obligations?

What is your exposure, in terms of financial implications (e.g. compensation / liquidated damages, customers having the right to suspend or termination contracts, regulatory fines), non-compliance risks (e.g. regulatory complaints or investigations), or reputational risk?

What are your remedies if your customers fail to pay?

A problem with a bubble bursting is the extent of its impact. If you have customers which are dependent on AI services which cease to be available, or on selling “AI” branded stuff to customers who cease buying it, how might that impact you?

Do you keep track of customer payments, and chase, promptly, non-payment? Or do you let customers run up debts, because you don’t want to upset them by asking for your money?

Do you bill in advance, or in arrears? And if it is in arrears, what is your credit control process? For how long are you willing to do work / provide services without receiving a payment?

Does your contract clearly set out the circumstances in which you can suspend, or terminate, services? Do you know the process you need to follow to do that? Do you have to give notice and wait for a cure period, or can you suspend immediately?

Where are your customers located? Securing, or enforcing, any court-related debt action against overseas-based customers might be trickier, or more expensive, than for local customers.

Practically, what would you do?

Now is as good a time as any to dust off the business continuity plan than you prepared ages ago and never revisited. (Perhaps I’m being unfair; perhaps you review it regularly, keep it updated, make sure everyone who needs to know about it has been informed and is prepared, and so on.)

Do you have fall-back plans? Are there alternative services that you can use (and what it would take to get them up and running)? Do you have people that you could throwrapidly at a problem area - and are they equipped and trained to do so?

And what if I am wrong…?

I could be wrong about all this.

But doing the kind of thinking and preparation set out in this blogpost might be a good thing to do anyway.

To do this:

• install a gopher client on your computer or phone
• access the gopherhole using gopher decoded.legal

Why?

I felt like it.

As of 20 August 2025, some of the bits of the Data (Use and Access) Act 2025 relevant to the UK/USA Data Access Agreement were commenced.

The SI doing the commencement is the snappily-named The Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025.

This is about the processing of personal data, and UK GDPR compliance, in relation to UK/USA DAA orders and requests for subscriber information.

The gist is that s72 DUAA is in mostly, but not entirely, in force, making some changes to both the UK GDPR and the Data Protection Act 2018.

This means that:

• From a lawful basis point of view, the basis of the processing of a task in the public interest in Art 6(1)(e) UK GDPR can now derive from either domestic law or relevant international law.

• Relevant international law, per s9A and Schedule A1 Data Protection Act 2018, includes “processing … necessary for the purposes of responding to a request made in accordance with the [UK/USA DAA]”, covering both DAA orders and also requests for subscriber information.

As such, if a telecoms operator in receipt of an order or request for subscriber information in accordance with the UK/USA DAA considers that their response is a “task” falling within Art 6(1)(e) UK GDPR, the operator can now point to the UK/USA DAA as the basis of that task. Assistance is still voluntary, from a UK law point of view, but this might help ease one of the UK GDPR hurdles/risks.

s71 DUAA is not yet in force, so the changes in terms of purpose limitation are not yet in force. That should be happening towards the end of this year / early next year.