Online Safety Regulation: The Duty of Care Framework and Implementation Blind Spots
Author: Emma Hatheway
From Tragedy to Regulation: The Rise of Duty of Care
Over the past several years, online safety regulation has shifted from debate between policy practitioners to the center of public concern. Tragic cases of youth suicide, from Molly Russell in the UK to Adam Raine and Sewell Setzer III in the United States, and recent personal liability claims against social media companies have forced governments to confront the consequences of digital platforms optimized for engagement rather than wellbeing. In response, lawmakers on both sides of the Atlantic have rallied around an important legal concept: duty of care.
Duty of care refers to technology companies’ responsibility to build guardrails that protect users from harm, ultimately holding the platform responsible if this standard is not met. This framework helps to reframe online harms not as isolated incidents or user failures, but as risks created by platform design and incentives. From a trust and safety perspective, duty of care represents a major shift. It migrates from reactive content moderation to proactive risk assessment and critical evaluation of design choices.
This blog post introduces two online safety frameworks: the UK’s Online Safety Act (OSA), signed into law in 2023, and the most recent version of the U.S. Kids Online Safety Act (KOSA), reintroduced to Congress in 2025 and currently under review. While these acts differ in structure and legal context, they share a common duty-of-care foundation. Although well-intentioned, this approach has been implemented through vague obligations and a tendency to conflate safety with restriction. The result is a regulatory landscape that may incentivize extreme moderation that challenges personal freedoms, limit access to critical mental health resources, and push platforms toward simple compliance strategies rather than meaningful harm reduction.
Why “Duty of Care”?
Duty of care has emerged as a solution to a challenging problem to solve. After decades of little to no regulation, governments face growing evidence that online platforms can exacerbate risk of self-harm, eating disorders, cyberbullying, and social isolation among youth. At the same time, free speech protections in the U.S. constrain lawmakers’ ability to require direct content moderation. This differs from the UK’s human‑rights framework, which accounts for certain restrictions on harmful speech.
Duty of care helps to impose obligations on design and systems, rather than treating platforms as publishers, therefore attempting to navigate limitations in Section 230. Section 230 of the 1996 Communications Decency Act outlines that platforms do not have a legal responsibility for information or content shared by users on their platforms. While duty of care is a creative and flexible solution to ensuring liability sits with platforms and providers, it also risks obscuring the limitations of existing online safety regulation.
Duty of care ultimately supports both countries’ attempt at regulation. Rather than dictating what speech must be allowed or removed, it places responsibility on platforms to anticipate and mitigate harms, especially for minors. This framing has become central to both OSA and KOSA, as well as to international cooperation on online child safety.
OSA and KOSA: One Standard, Two Approaches
The UK’s Online Safety Act, enacted in 2023, takes a sweeping approach to online safety. It requires covered platforms, such as user-to-user services and search engines, to implement solutions to reduce exposure or prevent minors from encountering unlawful and harmful content, including material related to suicide and self-harm. Platforms must implement age assurance, conduct risk assessments, and proactively moderate harmful content for minors. Ofcom, the UK regulator, is expected to monitor implementation and impose fines against platforms for noncompliance.
Distinctly, KOSA reflects U.S. constitutional constraints that make content removal and moderation difficult. The bill aims to align youth online safety with First Amendment considerations by focusing on design choices rather than content itself. KOSA emphasizes safe-by-design principles, requiring platforms to mitigate harms associated with features like infinite scroll, autoplay, push notifications, and algorithmic personalization. The primary enforcement body for KOSA would be the Federal Trade Commission, with State Attorneys Generals afforded the power to bring civil cases on behalf of affected individuals in their states.
At a high level, the distinction appears clear: OSA regulates content, KOSA regulates design. In practice, the line is blurrier.
Duty of Care as a Compliance Problem
In trust and safety, vagueness is not neutral, but rather opens up opportunities for different motivations and applications. With ambiguous obligations, or duty-of-care operating as a catch-all, platforms may default to the interpretation that mitigates risk.
Under OSA, this has already raised concerns that platforms may remove or restrict broad categories of content to avoid liability. Smaller companies, nonprofits, or public-interest services may lack the resources to conduct risk assessments or challenge regulatory interpretations. At smaller organizations, T&S teams may face pressure to over-restrict content if unable to invest in robust classification systems. Meanwhile, major platforms may be able to pay fines or lobby against proposed policies without addressing underlying harms.
KOSA presents similar risks despite its safety-by-design framing. Although it does not explicitly mandate age verification or content removal, its requirement to have platforms “know or reasonably know” when a minor is active may lead platforms to introduce restrictive age gating or content takedowns to avoid legal exposure. This issue is heightened in the legal landscape post Free Speech Coalition v. Paxton, in which age-assurance mandates were upheld for sexually explicit sites. This may result in other courts showing greater willingness to uphold age-based access restrictions in the future.
In both cases, duty of care risks becoming less about improving safety outcomes and more about managing liability for the platforms and providers.
The Overlooked Cost: Access to Mental Health Resources
One of the most significant risks of current online safety approaches is their impact on access to mental health resources and communities of shared values and backgrounds, particularly for vulnerable youth.
Platforms may struggle to distinguish between content that promotes self-harm and content that discusses recovery or prevention. Under heightened regulatory pressure, the safest option for Trust & Safety teams may be to restrict both rather than risk misclassification. New policies introduced by Meta in May 2025 state that recovery content for suicide, self-harm, and eating disorders will be restricted to adults, which could limit minors’ access to critical mental health resources. This ultimately places the responsibility of classification and access in corporate hands, and limits access to potentially life-saving resources for adolescents.
For LGBTQ youth, who face disproportionately high rates of suicide and often rely on online communities for support, these restrictions could be especially harmful. Content moderation decisions may inadvertently cut off access to community support networks, medical resources, or crisis information.
Depending on implementation and enforcement, laws designed to protect youth mental health could reduce access to help at moments of need for vulnerable communities.
Implementation as the Real Test
Both OSA and KOSA are motivated by legitimate concerns and respond to years of regulatory inaction. Despite many debates over the efficacy of each framework, neither will result in a reduction of online and real-world harm if they aren’t implemented thoughtfully. How duty of care is interpreted and enforced will shape whether these laws meaningfully reduce harm or simply act as a bandaid solution.
OfCom has outlined their enforcement and measurement guidelines, requiring risk assessments and records to increase transparency, and provide evidence of implementation of moderation tools, age assurance, and safety-by-design practices. While OfCom has started to fine organizations that have not met information requests and age‑assurance requirements, such as OnlyFans and 4chan, enforcement is not automatic. Rather, it is targeted based on where companies’ failure to meet the requirements present the highest risk (ie, seriousness of harm, prevalence of issues, history of compliance, etc).
Time will tell whether KOSA passes through Congress and is enacted into law. Recent personal liability lawsuits brought against major tech companies (Meta, ByteDance, Snap, and Google) will likely put pressure on Congress to pass the bill. However, how the FTC and state AGs enforce it will matter significantly. The FTC will likely be responsible for determining what qualifies as harmful content, and without precise legal definitions, this could result in subjective enforcement or cases of the commission operating as a de facto content moderator.
In Trust and Safety, policy is often easy, while enforcement is hard. Solutions to meet these regulations will likely be implemented by T&S teams making hundreds of decisions daily about content classification and feature design. How those decisions get made, and whether they get made with a human-in-the-loop, matters just as much as what the law states.
A trust-and-safety lens highlights several questions regarding these attempts at online safety regulation:
How will regulators evaluate whether platforms have met the duty of care standard?
How will smaller organizations and public-interest services be protected from compliance pressures?
What safeguards exist to ensure youth retain access to mental health resources and peer support?
How will success be measured: by reduced exposure, reduced use, or improved wellbeing? Do the right institutions exist to measure the efficacy of these policies?
As online safety regulation continues to evolve, shifting the conversation from political debates to implementation realities is critical. This post is the first in a series examining where today’s online safety frameworks succeed, where they fall short, and what remains unexamined. Future posts will explore device-level age verification, risk of youth migration to less visible online spaces, how T&S teams are approaching these new requirements, and how these regulatory frameworks apply to AI companions and chatbots.
Protecting young people online requires more than good intentions. It requires distinguishing between compliance and safety, measuring success by wellbeing rather than restriction, and ensuring adolescents have equitable access to information.
Emma Hatheway is a master’s student at Columbia SIPA studying technology policy and innovation. Her research focuses on trust and safety and responsible AI implementation. She is currently a graduate intern at All Tech Is Human, where she works on trust and safety research and partnerships. Previously, Emma worked in Product Strategy at an AI-driven ad tech company.
Be on the lookout for additional articles, livestreams, and panel conversations on this topic by All Tech Is Human. This will also be discussed at our Responsible Tech Summit being held on October 29, 2026 at The Times Center for 375 Responsible Tech leaders, and streaming to a global audience.

