Out-Law / Your Daily Need-To-Know

OUT-LAW ANALYSIS 4 min. read

Why sports organisations must prepare for new era of online safety regulation

Scotland fans celebrating while watching the national team - SEOSocialEditorial image

Younger fan engagement can be a huge regulatory challenge as well as a commercial benefit for sports organisations. Photo by Jeff J Mitchell/Getty Images


Sports organisations can no longer treat online fan engagement as a purely communications activity.

Official apps, livestream chats, fan forums and esports communities can all become youth-facing, user-to-user spaces that attract online safety obligations and enforcement risk.

Attracting and retaining a young audience is key to how modern clubs, leagues and franchises build long-term fandom – with a view to cultivating loyalty early, growing audiences and securing the next generation of lifelong fans.
However, whilst having a digital presence has become the primary arena for that effort, any digital product provider in sport should be aware that their service is likely to be in scope of content regulation such as the Online Safety Act 2023 in the UK.

What does the legislation do?

The Online Safety Act specifically captures services defined as user-to-user services – that is, services where users can upload and share content that other users can see – as well as search services.

Regulated user-to-user services are required to take proportionate steps to mitigate and manage the risks of users encountering illegal content on their service, which includes completing an illegal content risk assessment.

Separately, where a service is likely to be accessed by children – determined by reference to a children's access assessment – providers must also carry out a children's risk assessment and take steps to protect children from content that is harmful to them. Such harmful content includes content promoting or facilitating self-harm or suicide, eating disorders, violent content, and other categories set out in Ofcom's Codes of Practice.

Where a service is likely to be accessed by children, providers must either prevent children from encountering content harmful to them or put highly effective age assurance in place to prevent children from accessing the platform altogether.

Ofcom is the regulator responsible for enforcing the Online Safety Act in the UK and it has significant powers to act against non-compliant providers. These include the ability to impose financial penalties of up to £18 million or 10% of a provider’s qualifying worldwide revenue, whichever is greater, and, in the most serious cases, pursue criminal sanctions against senior managers personally. 

A common misconception of the Online Safety Act in the UK is that it only applies to big tech companies. However, in reality, any online service which falls within the definitions of a user-to-user service or search service is in scope of the Online Safety Act and must comply with the obligations of the Act as Ofcom's Codes of Practice come into force.

Ofcom is an active regulator and has made clear that enforcement is not limited to the largest platforms. Indeed, having initially pursued high-profile enforcement action against pornographic services that failed to implement age assurance, Ofcom is now actively broadening its focus to investigations and enforcement action against a wider range of platforms, a clear signal that no in-scope service should treat compliance as optional.

These risks are not hypothetical and have recently been recognised by Ofcom in the context of the World Cup.

This means clubs, leagues, broadcasters, fantasy platforms and ticketing businesses should not assume they fall outside scope without proper analysis.

Global issue for global fanbases

A club with fans in the UK, Australia, the EU and the US is simultaneously subject to multiple overlapping online safety regimes, each with its own definitions, obligations and penalties.

For sporting organisations that have spent years gaining international fans, that global reach can now be as much of a compliance liability as it is a commercial asset.

United Kingdom
  • The Online Safety Act may apply to user-to-user features used by clubs, leagues, fan communities, ticketing apps, livestream chat and official forums.
  • Regulators increasingly expect risk assessments (including illegal content risk assessments and children access assessments), evidence packs and senior accountability from those operating digital fan spaces.
Australia
  • The Online Safety Amendment (Social Media Minimum Age) Act 2024 came into force in 2025 and carries civil penalties of up to AU$49.5 million per contravention.
  • Age-restricted platforms must take reasonable steps to prevent under-16s from holding accounts; there are no penalties for children or parents.
  • Under-16 social media account restrictions create uncertainty for sport platforms that include profiles, posting, user interaction, recommender tools or logged-in fan communities.
  • Sport organisations should not assume they are excluded from the Australian regime without proper analysis — official fan apps, livestream chat, fantasy and esports communities, forum-style club platforms and athlete-fan communities may all require scope assessment.
European Union
  • The Digital Services Act brings child protection expectations for platforms and intermediary services that host or amplify fan content, including sport-related community spaces.
United States
  • Compliance is fragmented, with the federal Children’s Online Privacy Protection Act (COPPA), state age-appropriate design laws, FTC enforcement and civil litigation all relevant to youth-facing sport services and fan data practices.
Elsewhere
  • Brazil, Canada and Singapore have emerging online safety regimes that reinforce the need for cross-border governance, takedown processes and clear accountability for group administrators or platforms.

What this means for you

Online safety compliance and data protection compliance are two sides of the same coin for sports organisations and should not be treated in isolation.

Age assurance and estimation tools - which regulators increasingly expect across youth-facing digital platforms - will frequently involve biometric, behavioural or profiling techniques that constitute high-risk processing under data protection law, triggering data protection impact assessments, strict data minimisation obligations and careful vendor due diligence.

The global nature of fan engagement adds further complexity. Where moderation, analytics or platform hosting sits outside the UK or EU, international transfer compliance risk arises alongside online safety obligations, and transfer impact assessments should be aligned with broader online safety risk assessments.

Sports organisations should make sure they are digitally fit by identifying every touchpoint where fans - particularly children and young people - can interact with content or with each other. From there, the focus should be on embedding safety-by-design principles, implementing effective moderation processes, governing the use of age assurance technologies and maintaining clear evidence of the decisions taken to manage risk.

They should also carefully scrutinise their supply chains, ensuring contracts with third-party providers clearly allocate responsibility for safety-related processing.

Online sport spaces carry real risks for children and young people: grooming and unsafe contact, harassment and abuse, hate and discrimination, image-based abuse, doxxing, fraud and harmful content.

As online safety regimes continue to develop globally, organisations that can demonstrate robust governance, documented risk assessments and clear accountability will be best placed to meet regulatory expectations while continuing to grow their digital fan communities.

Co-written by Sebastian Martin, Gemma Erskine and Dom White of Pinsent Masons

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.