With intense public and political scrutiny falling on online safety enforcement, triggered by X’s Grok AI chatbot, enforcement action under the UK’s Online Safety Act (OSA) has been gathering momentum. In recent weeks, Ofcom has announced an investigation into X and a fine of £800,000 to Kick Online Entertainment (Kick) in connection with age assurance failings. The fine against Kick is the regulator’s fifth OSA fine to date. Against this backdrop, Ofcom has now published the Confirmation Decisions for its first four fines (issued against AVS Group Ltd (AVS), Itai Tech Ltd (Itai), 4chan and Im.ge), which provide useful insights for in-scope organisations into Ofcom’s fining approach.
Ofcom’s approach is aligned with its Penalty Guidance
The Confirmation Decisions show that Ofcom is following the approach set out in its Penalty Guidance in determining OSA fines. As the OSA provides little guidance on the factors Ofcom should consider in calculating penalties beyond requiring fines to be ‘appropriate’ and ‘proportionate’ to the failure(s), Ofcom’s Penalty Guidelines (issued under the Communications Act 2003 but cross-referred to within the OSA) take on central importance.
The Penalty Guidelines state that the ‘central objective’ for Ofcom in imposing a penalty is deterrence. Other core considerations for Ofcom when determining penalty amounts, include:
- the seriousness and duration of the contravention;
- the degree of harm caused;
- any financial or other gain made by the regulated body;
- whether appropriate preventative steps were taken;
- whether the contravention was deliberate or reckless (including when senior management knew);
- whether the regulated body has a history of contraventions;
- the extent of cooperation with Ofcom; and
- any precedent set by previous cases (although Ofcom may depart from them).
Ofcom may impose higher penalties where children are exposed to harmful content
Protecting children from harm online is a core aim of the OSA, and Ofcom’s Online Safety Enforcement Guidance indicates that harm to children (or risk of harm) will ‘inform’ the regulator’s approach to applying the Penalty Guidelines. Ofcom’s Confirmation Decision against Itai provides more clarity on what this means: “It may be appropriate [for Ofcom] to impose higher penalties for infringements that expose children to risks of harmful content than contraventions of other duties, but this will necessarily be considered on a case-by-case basis”.
The fine against Itai exemplifies this case-by-case approach. Despite the risks posed to children by the service, the fine issued to Itai (£50,000 for age-assurance failures) is low in comparison to Ofcom’s other OSA fines for age assurance failings (£1 million to AVS (discussed here) and £800,000 to Kick). In setting the penalty at this level, a key consideration for Ofcom appears to have been the fact that the site was made unavailable to UK users shortly after the regulator’s investigation was opened – as highlighted in Ofcom’s fine announcement.
Service size and user base matter but must be weighed against other factors
The Penalty Guidelines set out that size and turnover inform penalty amounts but are not determinative, and smaller services may face proportionally higher fines in light of all the circumstances and the objective of deterrence. This is reflected in the Confirmation Decisions for 4chan and Im.ge, which were both treated as “small to medium” services and given identical fixed penalties of £20,000, even though Im.ge has far fewer UK users monthly than 4chan (855 vs ‘hundreds of thousands’). As Ofcom was not provided with user numbers for these services, it estimated using third-party information. While Im.ge is a smaller operation, Ofcom’s Confirmation Decision emphasises the risks it poses, with several child protection organisations having identified child sexual abuse material (CSAM) on the service. Ofcom concludes that the service presents a material risk of significant harm to UK individuals.
Notably, Ofcom’s OSA penalties have not yet come close to the maximum level (£18 million or 10% of worldwide revenue (whichever is greater)) with the £1 million fine issued to AVS being the highest so far (see this blog). This may be in part because no fines have yet been issued to major household-name platforms or services, meaning that larger fines – proportionate to the size of those platforms – may yet follow.
Cooperation pays (and non-engagement aggravates)
Early and constructive engagement with Ofcom appears to be given significant weight in penalty calculations. Itai’s cooperation, including geo-blocking UK users and providing requested information (albeit after Ofcom’s deadline), appears to have contributed to a lower fine despite Ofcom noting a lack of timely cooperation as an aggravating factor. Persistent non-engagement by 4chan and AVS was treated as an important aggravating factor in those cases.
Commentary
The Confirmation Decisions show Ofcom is applying OSA penalties in line with its Penalty Guidelines. Given the regulator must consider past decisions as precedents, the Confirmation Decisions and Penalty Guidelines are important reading. With Ofcom raising the bar for compliance going into 2026 (as we discuss in this blog), organisations in scope should take notice – and for those contacted by Ofcom about OSA compliance, early engagement and cooperation should be prioritised.
With thanks to Kate Sparrow for her assistance in preparing this post.
/Passle/5badda5844de890788b571ce/SearchServiceImages/2026-02-18-15-18-47-604-6995d857b56f40119c97e795.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2026-02-13-15-42-31-096-698f466793629fb6669ad654.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2026-02-13-08-33-03-708-698ee1bfaf5bf7dc43be7326.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2026-02-05-13-55-08-021-6984a13cdb300c6e5a2287f0.jpg)