Does the UK Online Safety Act Apply to Your Shopify Store?
The UK Online Safety Act (OSA, or the Act) is now being implemented, with key duties already in force and others rolling out in phases. Its reach also extends far beyond British borders. If your Shopify store has UK users or actively targets UK customers, this law may apply to you regardless of where your business is based.
For large platforms with dedicated legal teams, compliance is largely an administrative exercise. For small and medium-sized ecommerce businesses, however, it can feel more like an unfunded regulatory mandate with serious financial consequences attached.
Here's what the law actually requires, why critics say it goes too far, and what you can do to protect your store.
What is the Online Safety Act?
The Online Safety Act received Royal Assent on October 26, 2023, and has been progressively coming into force since then. Ofcom began enforcing the illegal content codes of practice on March 17, 2025, and the age verification measures took effect on July 25, 2025.
The government's stated goal was to make the UK “the safest place in the world to be online,” with a particular focus on protecting children and vulnerable adults from harmful content.
In practical terms, the Act places new legal duties on any service that hosts user-generated content (UGC) or allows users to interact with each other online.
That includes social media platforms, forums, review sections, and comment sections. It requires platforms to proactively assess risks, remove illegal content quickly, implement age assurance measures for adult content, and give users tools to report harmful material.
Ofcom, the UK's communications regulator, is responsible for enforcement. It has broad powers to audit platforms, issue fines, and compel compliance.
Does it apply to your Shopify store?
This is where things get complicated for ecommerce merchants.

The Act has extraterritorial reach. A service does not need to be based in the UK to fall within its scope. If your store has a meaningful number of UK users, targets the UK market, or creates a material risk of harm to UK users, the law may apply to you.
The key question is whether your store qualifies as a “user-to-user service” under the Act. This means any platform that allows content created by one user to be seen by another. Think product reviews, Q&A sections, community forums, or any app that lets customers post photos or comments publicly.
If your Shopify store is a straightforward product catalog with no UGC features, your obligations are significantly lighter. But if you have reviews enabled, a community section, or any third-party app that allows customer-submitted content, your store may fall within the scope of the Act.
Why critics say the law goes too far
The Online Safety Act has attracted sustained criticism from civil liberties organizations, privacy advocates, and parts of the technology industry on both sides of the Atlantic.
Big Brother Watch warned from the outset that the Act would function as a “censor's charter,” creating pressure on platforms to over-remove legal content rather than risk fines. Their concerns proved well-founded: shortly after age verification measures came into effect in late July 2025, UK users found themselves blocked from accessing content ranging from classical paintings to satirical political commentary.
The Electronic Frontier Foundation (EFF), alongside Open Rights Group and Index on Censorship, went further, calling on the UK government to repeal the legislation entirely. Their briefing to Parliament pointed to the public backlash: within days of the age checks going live, VPN apps became the most downloaded on the UK App Store, and a petition calling for repeal gathered 550,137 signatures before closing.
Note
While VPN usage surged in response to the Act, businesses should be careful not to encourage customers to use VPNs or other tools to bypass age verification or content restrictions. During a House of Lords debate in September 2025, the Government confirmed that Ofcom is monitoring circumvention techniques and that services promoting VPN use to bypass age checks could face enforcement action.
Suggesting workarounds on your store, social media, or marketing channels could be treated as facilitating non-compliance with the Act.
The EFF has consistently argued that the Act's content moderation requirements and encryption-scanning provisions represent a fundamental threat to online privacy and free speech. Social media companies are now in the position of either censoring lawful content or paying severe fines, with civil liberties groups warning this chills everyone's right to free expression.
For small businesses, the concern is more immediate: the compliance burden is disproportionate. The law was designed with large platforms in mind, but its obligations fall on any service that meets the technical definition, regardless of size.
What the fines actually look like
Ofcom can impose fines of up to £18 million or 10% of a provider's qualifying worldwide revenue, whichever is higher. Fees are calculated based on global revenue, not just UK revenue, which means even a small international store could face a significant penalty.
Note
Ofcom has consulted on a UK Revenue Exemption for smaller providers, which could reduce or eliminate fee obligations for businesses below a certain UK revenue threshold. The details are still being finalized, so merchants should monitor Ofcom's fees and penalties guidance for updates. This does not eliminate the compliance duties themselves, but it may affect the financial exposure for very small operators.
Beyond fines, Ofcom has the power to conduct audits and, in serious cases, require internet service providers to block non-compliant services entirely. For a Shopify merchant, that could mean your store becomes inaccessible to UK customers overnight.
Ofcom is already actively enforcing the Act. Since June 2025, it has issued multiple fines under the OSA, including a £20,000 penalty against an image-hosting service for failing to respond to legally binding information requests and a further £20,000 fine against 4chan in October 2025 for the same type of failure. The fines are modest, but they signal that Ofcom is willing to act against smaller services, not just the major platforms.
The real cost of compliance for small businesses
The financial impact goes beyond potential fines. Businesses in scope need to invest in moderation systems, develop compliance documentation, and potentially hire additional staff. Larger companies can absorb these costs. Smaller merchants often cannot.

Ofcom's guidance recommends that regulated services designate a named person accountable for compliance with the Act. Note that the statutory senior management liability provisions apply primarily to Category 1 services (the largest platforms), but Ofcom considers having a clear compliance contact to be best practice for all in-scope services. For a solo founder or a small team, that is still a significant operational addition.
The compliance checklist for a typical in-scope service includes:
- Conducting a formal risk assessment
- Implementing systems to detect and remove illegal content quickly
- Providing clear user reporting tools
- Publishing transparent safety documentation
- Applying special protections for child users
Each of these steps takes time and money, and none of them come with a Shopify app that does it all for you.
What Shopify merchants should do right now
The good news is that many Shopify stores can significantly reduce their compliance burden by auditing what UGC features they actually have enabled.
Note
Ofcom has pushed back its categorized services register to July 2026. This register will determine which services fall into Category 1, 2A, or 2B, each carrying additional duties. Until the register is published, the full scope of obligations for categorized services remains uncertain. However, the baseline duties—including illegal content removal, risk assessments, and age assurance—are already in force and apply regardless of categorization.
Step 1: Audit your user-generated content
Go through your store and every installed app. Ask yourself: Can a customer post anything that another customer can see? Common sources of UGC on Shopify include:
- Product reviews (via apps like Yotpo, Okendo, Stamped, or Shopify's native reviews)
- Q&A sections on product pages
- Community or forum apps
- Photo or video submission features
- Loyalty program apps with social sharing components
If you have any of these and UK users can interact with them, your store may be operating a user-to-user service under the Act.
Step 2: Disable or restrict UGC features you don't need
If reviews or Q&A sections are not critical to your conversion rate, the simplest compliance move is to turn them off for now. This removes the UGC element entirely and may take you out of scope for the most demanding obligations.
If reviews are important to your business, consider switching to a moderated-only model where no review goes live without manual approval. This is more work, but it gives you control.
Step 3: Implement age checks where required
If your store hosts or allows access to content that could be considered harmful to children, such as explicit adult content, the OSA may require “highly effective” age assurance measures. Retailers selling age-restricted goods like alcohol, vapes, or similar products may still need age checks under other UK laws, but those obligations do not automatically arise from the Online Safety Act itself.
Ofcom has published detailed guidance on what counts as “highly effective age assurance.” Methods discussed include photo ID matching, facial age estimation, and credit card checks, among others. Ofcom has not endorsed any single method; the requirement is that the approach used must be “highly effective,” and the specifics of what meets that standard are still evolving as the regulator refines its guidance.

The Shopify App Store has a dedicated category for security and legal compliance apps, several of which are built specifically for age verification. It's worth reviewing your options there and choosing one that aligns with Ofcom's definition of a robust age check.
Ofcom's own guidance pages are the best place to stay up to date on exactly what's required:
- Age assurance duties under the Online Safety Act: what services must do
- Age checks to protect children online: Ofcom's published industry guidance
- Online Safety Act compliance guide for providers: the full compliance checklist
- Important dates for Online Safety compliance: key deadlines
Step 4: Understand the limits of AI moderation
If you've kept your UGC features running and are looking for a more automated solution, it's worth being upfront about where the tooling currently stands: no purpose-built AI moderation solution exists on the Shopify App Store today that can reliably handle OSA compliance on its own.
The broader AI moderation space does have established platforms built for large-scale use, but they are designed for platforms processing millions of pieces of content. The cost and integration overhead rarely make sense for a Shopify store with a few hundred reviews a month.
On the Shopify App Store itself, a handful of review apps include some AI-assisted features, but they are primarily focused on generating reply suggestions or filtering spam rather than meeting the specific harm detection requirements the OSA demands.
That may change as the OSA matures and compliance tooling catches up with the regulation. For now, though, manual pre-approval, as covered in step 2, remains the most defensible approach and the one Ofcom is most likely to recognize as a genuine compliance effort.
Step 5: Designate a compliance contact
Even if you are a small team, you should designate someone internally as the named person responsible for online safety compliance. This does not need to be a full-time role, but it should be documented. If Ofcom ever comes knocking, having a clear point of contact and a paper trail of your compliance efforts will matter.
Step 6: Document everything
Write up a basic safety policy for your store. Describe what content is and is not allowed, how users can report harmful content, and how you handle takedown requests. Publish it somewhere accessible. This transparency is one of the Act's core requirements, and it is also one of the easiest to fulfill.
The bottom line

The Online Safety Act was built for platforms like Facebook and YouTube. The problem is that its legal definition is broad enough to catch a Shopify store with a reviews section.
The compliance costs are real, the fines are serious, and the law's critics are right that the burden falls disproportionately on smaller businesses. But burying your head in the sand is not an option if you have UK customers.
The most practical path forward for most Shopify merchants is to reduce your UGC footprint where possible, implement appropriate age checks where required, and document your compliance efforts.
The law is imperfect, and the surrounding debate is far from over. For now, a few hours of housekeeping on your store could save you from a very expensive conversation with Ofcom.