Part 4B Communications Act 2003 established the framework for the regulation of video sharing platforms services (VSPs) by Ofcom and continues to apply pursuant to the transitional regime under Schedule 17 Online Safety Act 2023. VSPs are obliged  by section 368Y Communications Act 2003 not only to ensure that their service is compliant, but to comply with requirements imposed by section 368Z10 Communications Act 2003 and to co-operate fully with Ofcom in carrying out its functions under Part 4B.

Section 368Z10 Communications Act 2003 grants Ofcom the power to issue a demand against a VSP provider for “all such information relating to that service” as the authority may reasonably require for carrying out its functions.  

Failure to comply with such a notice renders the provider liable to the imposition of an enforcement notice and/or a financial penalty in accordance with s.368Z2 Communications Act 2003 upon Ofcom making a determination of non-compliance having given the VSP provider the opportunity to make representations.  Section 368Z4 Communications Act 2003 permits the penalty to be set at an amount deemed to be appropriate and proportionate, in accordance with Ofcom’s Penalty Guidelines issued pursuant to s.392 Communications Act 2003, and up to the greater of 5% of the provider’s applicable qualifying revenue or £250,000.

Ofcom’s Penalty Guidelines provide that it will have regard to various factors when determining the appropriate amount of a penalty including the degree of harm caused, any gain from non-compliance, the existence of preventive measures, the extent to which the contravention was deliberate or reckless, the length of the contravention, steps taken to address the contravention and remediate its consequences, any prior history of contraventions and, the fact and extent of co-operation. Furthermore, discounts of up to 30% may be available upon the settlement of a regulatory case.

On 27 March 2025, Ofcom announced that it had imposed a fine of £1.05m on Fenix International Limited, provider of OnlyFans, over its failure to comply with statutory information notices issued against it in its capacity as a video-sharing platform provider pursuant to s.368Z10 Communications Act 2003 by providing accurate and/or incomplete information.

Specifically, on 06 June 2022 and again 23 June 2023 Ofcom sought information from Fenix in relation to its implementation of age assurance measures to ascertain what age checks it had in place and to understand the effectiveness of Yoti’s age estimation technology that was being deployed.

In responding to those statutory information requests, Fenix had advised Ofcom that it had set a ‘challenge age’ for its facial age estimation technology at 23 years old, such that anyone whose age was estimated to under 23 would have to provide proof to verify that they were in fact over 18. In its October 2022 report ‘Ofcom’s first year of video-sharing platform regulation’, Ofcom explicitly referenced OnlyFans’ age assurance methods, “by setting its Yoti age estimation 'pass' age as 23, OnlyFans is able to ensure that there is only a very small probability (0.35%) that under 18s will be able to pass through the check” (based on Yoti’s own published information on its efficacy) and even praised Fenix stating “Ofcom is pleased to see a VSP provider taking steps to implement age verification processes that appear more robust than the traditional and much more prevalent self-declaration of date of birth”. Ofcom stated that Fenix’s engagement with Ofcom had been “constructive” and that on the whole the information provided had been “detailed”.

However, the information provided by Fenix was false. Since 01 November 2021, Fenix’s age estimation technology had been set to 21 years of age. Fenix stated that it realised its error on 04 January 2024 and informed Ofcom about the error some 18 days later on 22 January.

On 01 May 2024 Ofcom opened an investigation into Fenix’s compliance with sections 368Y(3)(b) and (c) and 368Z10(6) Communications Act 2003 and also  section 368Z1(2) Communications Act 2003, which is the obligation to take appropriate measures to prevent under 18s from restricted or harmful material.

On 16 January 2025, more than a year after learning of the error and almost a year after informing Ofcom and still in the midst of Ofcom’s investigation, Fenix determined to raise the age estimation threshold to 23, but just three days later lowered it to 21.

Despite this, and presumably as a result of negotiations with Fenix, on 04 February 2025 Ofcom indicated it was narrowing the scope of its investigation to drop ‘without prejudice’ its consideration of Fenix’s compliance with section 368Z1(2) Communications Act 2003, i.e. whether Fenix had complied with its obligation to implement measures taken in such a way as to carry out the purpose of protecting persons under the age of 18 from encountering restricted material such as pornography, and also in relation to Fenix’s compliance with its duty to co-operate under section 368Y(3)(c) Communications Act 2003.

On 26 March 2025, Ofcom issued its final decision against Fenix concluding that it had breached its information duties under sections 368Y(3)(b) and 368Z10.

In setting the penalty at £1.05m, Ofcom took into account that: the data inaccuracies had directly impacted its regulatory work; the inaccurate data was published in its report; the breach persisted for over 16 months; Fenix’s size and resources; the 18 days before Ofcom was notified; and, Fenix’s self-reporting. The maximum 30% discount was also granted based on Fenix’s acceptance of Ofcom’s findings and its settling of the case. This is in the context of OnlyFans having revenues of £238m in 2019 and £5.3bn by 2023.

Ofcom’s action against the OnlyFans provider follows the £1.875m fine Ofcom imposed on TikTok in July 2024 over its failure to provide accurate information in response to an information notice issued pursuant to the same provision.

In that case Ofcom opened an investigation into TikTok on 14 December 2023 under s.368Z10 Communications Act 2003 in relation to TikTok’s response to an information request issued on 06 July 2023 seeking information regarding TikTok’s compliance with Schedule 15A Communications Act 2003, in particular its parental control systems and measures to protect under 18s from harmful material.

On 02 June 2023, Ofcom had been provided with a draft version of Ofcom’s proposed notice and given an opportunity to comment, which it availed itself of. The information notice dictated different dates for compliance in respect of different categories of information and TikTok sought, and was partially granted, extensions to comply. TikTok responded to the notice late, on 04 September 2023, and, as part of its response, informed Ofcom that it monitored “the effectiveness of Family Pairing, principally by reference to its rate of adoption” and provided data detailing uptake between 01 April 2023 and 30 June 2023.

Intending to incorporate part of TikTok’s response in its forthcoming Child Safety Report, later published on 14 December 2023 as ‘How video-sharing platforms (VSPs) protect children from encountering harmful videos’, Ofcom wrote to TikTok on 31 October 2023 asking TikTok to confirm the accuracy of the information and giving TikTok the opportunity to comment on its proposals in so far as the data proposed to be disclosed was confidential. No accuracy issues were raised in TikTok’s response of 13 November, but on 01 December 2023 TikTok informed Ofcom that “it had identified that certain Family Pairing update data provided previously to Ofcom was inaccurate, and that it expected that it would need to provide Ofcom with updated data”. Consequently, on 12 December 2023, Ofcom advised TikTok that the issue of its compliance with  s.368Z10 Communications Act 2003 had been passed to its enforcement team. On 13 December 2023 TikTok advised Ofcom that one of its teams had become aware of “certain anomalies in the data produced by our Family Pairing event tracking system” on 10 November 2023, 21 days prior to Ofcom being informed, and had advised another internal team of this on 18 November 2023, some 13 days before Ofcom was notified. It was not until 28 March 2024, almost seven months after the data had been due, and after various chasers from Ofcom, that Tiktok confirmed to Ofcom that the data previously provided wad inaccurate and accurate data for the relevant period could not be obtained, and instead providing data relating to the period 01 February to 29 February 2024.

Consequently, Ofcom determined that TikTok had contravened sections 368Z10(6), 368Y(3)(b) and 368Y(3)(c) Communications Act 2003 due to the failure to provide information that was “accurate and complete” and its failure to “take all reasonable steps to facilitate Ofcom” in the fulfilment of its role, having regard to Ofcom’s expectation that “appropriate and robust systems and checks are in place to ensure information is properly interrogated, crosschecked, and reviewed through appropriate governance channels prior to it being submitted in response to a formal information request” and that it will be “made aware of any inaccurate information provided at the very earliest opportunity, to prevent delay or obstruction to our work”.

In determining the penalty against Ofcom, the deterrent effect of a penalty both to Ofcom and to other VSPs was a significant factor (and one which wasn’t referenced in Ofcom’s penalty against OnlyFans, despite the infractions occurring within a similar time period), as well as TikTok’s size and turnover, noting TikTok’s UK and EU turnover was approximately £1.62 billion as at 26 February 2024 (Ofcom reserved its position as to whether the applicable revenue was TikTok’s UK or UK and EU income, in the face of TikTok’s argument that it should be the former). As to severity, Ofcom considered that “a contravention of a requirement to provide information is inherently serious” and was increased in this instance by the lack of appropriate mechanisms to ensure accurate information was provided and the delay in notification. Other factors taken into account included the harm to Ofcom’s regulatory functions, Ofcom’s findings of “carelessness” and that TikTok had failed to take its “regulatory obligations appropriately seriously”, that this was TikTok’s first contravention, TikTok’s co-operation with Ofcom’s investigation and proactive measures to remediate the failings, and TikTok’s self-reporting albeit that it was “disappointed” by the 22 days that elapsed in reporting the matter, reiterating that “we strongly encourage regulated entities to self-report concerns or potential compliance failures”. Ofcom concluded that a £2.5m penalty was appropriate but then applied a 25% discount as a consequence of TikTok admitting liability and entering into the settlement.

Each of these decisions has been taken during the transition period pending the full implementation of the Online Safety Act 2023, when the penalties for failing to comply with an information notice issued under section 100 Online Safety Act 2023 will significantly increase, with criminal liability under section 109 Online Safety Act 2023 for both the entity and under section 110 Online Safety Act 2023 for individuals named as a senior manager of an entity who have failed to take all reasonable steps to prevent that offence from being committed, with sentencing powers including terms of imprisonment, and power to impose financial penalties of up to £18m or 10% of qualifying worldwide revenue under s.143 and Schedule 13 Online Safety Act 2023.  

As Ofcom has announced that it has already launched enforcement programmes under the Online Safety Act 2023, issuing or giving notice of intention to issue information notices pursuant to section 100 Online Safety Act 2023, for copies of illegal content risk assessments and in respect of measures being taken or due to be taken by file-sharing and file-storage services to prevent users from encountering or sharing CSAM, services need to ensure that information notices are given appropriate priority, that care is taken to ensure that the response is accurate, that responses receive appropriate sign off and, that in the event that a potential concern regarding the accuracy of provided information arises, Ofcom is alerted within days rather than weeks.

At Handley Gill, we have experience in advising on and drafting responses to information notices from regulators and in responding to regulatory investigations and enforcement actions, including Ofcom. If your organisation requires support in complying with the VSP regime or the Online Safety Act 2023, request a free 30 minute initial consultation with our Principal Consultant.

Find out more about our Online Safety, Online Harms, Content Moderation and Content Regulation services.

Our Online Safety & Online Harms Resources page has links to relevant documents regarding the passage and implementation of the Online Safety Act 2023.