How the Online Harms Act Fines May Follow the GDPR Enforcement Curve, and what you can do

Posted By Streamshield
The introduction of the UK’s Online Safety Act marks a significant regulatory milestone, placing new legal obligations on tech companies to protect users, particularly children, from harmful online content. With enforcement beginning in March 2025, many are looking to past regulatory frameworks—such as the GDPR—for clues about how fines might be imposed under this new legislation.

Just as the General Data Protection Regulation (GDPR) created a seismic shift in data privacy, the Online Safety Act is poised to do the same for online safety. By examining the trajectory of GDPR fines since its enforcement in 2018, businesses can gain valuable insight into how the Online Safety Act fines may unfold in the coming years.

1. Gradual Start: The Learning Phase

When the GDPR came into effect in 2018, initial enforcement was measured. Regulators focused on educating businesses and ensuring compliance rather than issuing significant fines. The ICO began with smaller penalties and provided guidance to help organisations understand their obligations.

The Online Safety Act will likely follow a similar approach during its early months. Ofcom, the regulator for the Act, is already engaging with businesses to provide clarity on its codes of practice and safety measures. While the legislation grants Ofcom the power to issue fines of up to £18 million or 10% of global revenue, whichever is greater, early enforcement may target smaller, more manageable cases to set precedent and provide guidance.

2. The Peak of High-Value Fines

The GDPR saw a surge in high-value fines after its initial phase, with landmark cases such as British Airways (£20 million) and Marriott International (£18.4 million). These fines were not just punitive but also served as a strong deterrent, sending a clear message to businesses about the consequences of non-compliance.

For the Online Safety Act, we can anticipate a similar peak in enforcement, particularly against major tech platforms that fail to address illegal content or protect children effectively.

Platforms hosting harmful content, including deepfake pornography or enabling child exploitation, could face some of the highest penalties as Ofcom seeks to establish its authority and create an industry-wide shift.

3. Enforcement Adjustments and Contextual Fines

During the COVID-19 pandemic, GDPR enforcement adapted to the economic pressures businesses faced. The ICO reduced proposed fines for British Airways and Marriott, balancing enforcement with the realities of the pandemic.

Ofcom is also likely to consider proportionality when issuing fines under the Online Safety Act. For example, smaller platforms like MintStars, which was fined £7,000 under existing laws, could receive penalties that reflect their size, revenue, and capacity to implement safeguards. However, larger platforms with global reach and significant resources will likely face fines closer to the upper thresholds of the law.

4. Stabilisation and Broader Enforcement

Over time, GDPR enforcement expanded to target a wider range of organisations, not just large corporations. The ICO began issuing mid-sized fines to smaller companies, charities, and public sector organisations for failing to meet compliance standards. This created a more consistent enforcement landscape.

Under the Online Safety Act, we can expect a similar trajectory. Once the high-profile cases have been dealt with, Ofcom’s focus will likely broaden to include smaller platforms, online forums, and niche apps that still pose risks to users. Tools like automated age assurance, content moderation systems, and transparency reporting will become non-negotiable for businesses of all sizes.

How Streamshield Can Help

One critical lesson from GDPR enforcement is the value of investing in proactive compliance solutions. Businesses that implemented robust data protection systems early avoided fines and reputational damage. Similarly, platforms can mitigate their risk under the Online Safety Act by adopting tools like www.streamshield.ai.

Streamshield offers an affordable, user-friendly solution for online platforms to:

  • Identify harmful content in real time: Using AI-powered moderation tools to detect and block illegal or harmful material, including deepfake pornography or child exploitation content.
  • Generate transparency reports: Automatically creating compliance-ready documentation for audits or regulatory reporting, saving time and ensuring platforms meet Ofcom’s standards.

With Ofcom recruiting over 350 enforcement officers and preparing for widespread audits, adopting Streamshield could mean the difference between achieving compliance and facing costly fines.

Conclusion

The curve of Online Safety Act fines is likely to echo the trajectory of GDPR enforcement: a cautious start, high-profile penalties to set precedents, and a gradual broadening of focus to smaller platforms. Businesses should act now to safeguard their platforms and users, learning from the lessons of GDPR.

By investing in compliance tools like www.streamshield.ai, businesses can not only avoid the financial and reputational risks of non-compliance but also demonstrate their commitment to creating safer online environments. The time to act is now—before enforcement begins in earnest.

