High stakes, higher standards: What the Online Safety Act means for gambling operators
The UK’s Online Safety Act 2023 (“OSA”) is gradually coming into force. Whilst headlines have focused on social media platforms and pornography sites, the rules extend further. Any online service that (i) allows user-generated content (“UGC”) to be encountered by others and (ii) targets UK users could be caught, including gambling operators whose products often blend real-money play with chat, streaming and influencer activity.
The OSA in brief
The OSA introduces duties of care on three broad service types: search services, pornographic content services, and user-to-user (“U2U”) services. In essence, a U2U service is one that enables users to encounter content generated or uploaded by another user. This not only includes obvious features like chat functions, forums, or livestreams, but also extends to multiplayer lobbies, avatar-based environments, and any interactive space where players can connect, compete, or collaborate.
When is a gambling service a “U2U” service?
The key question is whether a product contains functionality that lets users interact. The necessary “interaction” is not defined under the OSA, but the OSA provides a number of non-exhaustive examples of functionality that enables interaction. This includes:
- Creating a user profile (including an anonymous or pseudonymous profile);
- Searching within the service for UGC or other users of the service;
- Forwarding content to, or sharing content with, other users of the service;
- Sending direct messages to or speaking to other users of the service, or interacting with them in another way (for example by playing a game);
- Expressing a view on content, including, for example, by applying a “like”/“dislike” button or other similar button, or applying an emoji or symbol of any kind;
- Engaging in yes/no voting or rating or scoring content;
- Following or subscribing to particular kinds of content or particular users of the service;
- Applying or changing a setting on the service which affects the presentation of user-generated content on the service; or
- Tagging or labelling content present on the service.
The definition is broad, but a number of exemptions apply.
Limited-functionality exemption
Schedule 1, Part 1 of the OSA sets out U2U services which are exempt from the OSA. This includes limited functionality services where users are able to communicate only through:
- posting comments or reviews relating to content published by the provider of the service;
- sharing, liking, voting or rating that content;
- producing “identifying” content (e.g. a username) in connection with the above limited activities.
Many traditional sportsbook or casino sites without chat functionalities, multiplayer environments, or social features will likely fall outside of the scope of the rules.
Where might gambling operators fall in scope?
The following features may trigger U2U status under the OSA:
- Bingo and community chat rooms e.g. featuring discussions, emoji reactions, and virtual gifts;
- Poker tables e.g. that allow in-client chat and the ability to send virtual items or emotes to other players at the table;
- Streaming and influencer content embedded within a site or app e.g. where players can comment, react in real time, participate in polls, or join live games hosted by streamers;
- Peer-to-peer betting exchanges e.g. enabling direct messaging, forum discussion, sharing tips, and collaborative betting strategies;
- Tournaments and leaderboards e.g. where users can not only see each other’s progress but also interact, challenge, or congratulate one another.
Ofcom, the regulator that is responsible for implementing the OSA, has recently published OSA implementation guidance aimed at the online video games industry, available here: The Online Safety Act and gaming: know the risks, the rules, and how to comply. Although this guidance isn’t specifically applicable to the gambling industry, there are some areas that overlap. For example, Ofcom makes clear that services which include player profiles, avatars, voice and text chat would all be regarded as U2U services. It also states that where services enable livestreaming, online safety rules will apply to such content. These are all features which may also be present in online gambling services.
What do gambling operators need to do if they fall in scope?
If a gambling operator were to fall in scope of the rules, it would need to consider a number of key duties. These include assessing the likelihood of “illegal harms” on the service that fall within the scope of the categories identified by Ofcom, such as offences related to the Proceeds of Crime Act. For gambling platforms this could include unlicensed gambling promotions, inducements to underage or self-excluded individuals, or the facilitation of money-laundering. Proportionate measures would need to be implemented to mitigate those identified risks. This could require a suite of tools such as content moderation, keyword and image filters, identity verification, abuse-reporting mechanisms and, where necessary, swift removal of harmful or illegal content. For further information on duties and enforcement under the OSA, see our previous articles here: The Online Safety Act: Outlook for 2025 and Online Safety Act 2023: Ofcom Begins Enforcement Actions.
Next steps
For many gambling operators, the OSA will not be a significant compliance shift – a platform that operates a transactional environment with minimal user interaction is unlikely to trigger the requirements. However, innovation in the gambling sector, from virtual-reality poker rooms to NFT-based games, is blurring the line between gambling and social media. Even where operators currently fall outside of the OSA, future upgrades could tip them into scope.
A compliance gap analysis will help operators understand whether they fall within scope now, and what changes could bring them under the OSA in future. For operators that determine they are in scope, we recommend taking the following practical steps:
- Audit your products. Catalogue every feature through which users can create, share, or interact with content. This could include chat functions, leaderboards, tournaments, user profiles, and even in-game gifting. Map whether the limited-functionality exemption applies.
- Conduct an illegal harms risk assessment. This should have been completed by 16 March 2025, or within three months of the service first having user-to-user functionality, but it is better late than never. This future-proofs against product evolution, demonstrates governance to Ofcom, and helps identify emerging risks as new features are added.
- Conduct a Children's Access Assessment. This is often straightforward for gambling operators who already use robust age verification measures, assuming any user-to-user features are only available to registered, age-verified players.
- Implement proportionate mitigation measures. Ofcom's codes of practice recommend measures based on the risk level of different illegal harms. Following these codes provides a "safe harbour." Alternatively, operators can implement different measures but must demonstrate they are equally effective.
- Adopt a 'safety by design' approach, designing with the mitigation measures in the codes of practice in mind. Where chat, streaming, or social features are offered, build in robust moderation, reporting buttons, the ability to block or mute users, and clear escalation paths for serious incidents. Consider combining automated tools with human oversight.
- Seek expert advice if you believe some of your features/functionalities may bring you within scope.
If you are keen to find out more about how to implement OSA compliance in your business, please contact one of the CMS team.