If your retail business uses AI to power personalised shopping experiences, target ads or moderate user-generated content, the UK’s Online Safety Act (OSA) has just made your life more complicated.

The OSA is often seen as a law for tech platforms and social media companies. But if your business has a website or app with interactive features — product reviews, live chat, personalised recommendations, advertising or influencer content — you may now fall within scope.

This blog unpacks what in-house counsel in retail and e-commerce need to know about the OSA, why it matters, and what practical steps to take.

You might be in scope without realising

The OSA applies to services that allow user interaction or user-generated content. That includes comment sections, review features, chat functions, forums, livestreams, and more.

For example:

• A fashion brand that allows customers to review items.
• An e-commerce site with a live chat function.
• A beauty retailer working with influencers whose content appears on its platform.
• A homeware app using AI to personalise product recommendations or ads.

The Act is platform-agnostic. If you allow user-to-user interaction or host user content, you may be considered a "user-to-user service" under the OSA.

This means you could be subject to duties around preventing illegal content, managing risks of harm, and protecting children online.

Algorithms under scrutiny

One of the OSA’s more controversial features is its focus on algorithmic harm. If your business uses algorithms or AI to recommend products, content, or ads, you may need to assess how those tools could impact users — especially children.

Under the OSA:

• Services must conduct risk assessments on features that could present harm.
• There are specific duties around profiling, personalisation, and AI-driven recommendation systems.
• The focus isn’t just on content, but on systems that amplify, prioritise or promote content.

For example, an AI that consistently shows diet-related products to teenage users could be considered harmful. If your tech steers vulnerable users toward problematic content, regulators may take interest.

Compliance is not a checkbox exercise

Unlike traditional data protection compliance, the OSA demands ongoing risk management and governance. It’s not enough to write a policy and file it away.

In-house lawyers need to:

• Identify which parts of their site or app could bring them within scope.
• Work with product, tech and marketing teams to map out interactive and AI-driven features.
• Conduct and document risk assessments, especially for services likely to be accessed by children.
• Review contracts with tech providers to ensure you have the right controls in place.
• Stay across Ofcom’s codes of practice and implementation timelines.

What’s next from regulators?

Ofcom is rolling out the OSA in phases. Illegal content duties came into force in 2024, with further rules on child safety and content risks expected in late 2025.

For now:

• Ofcom has published draft risk profiles for different sectors.
• Consultation on codes of practice is ongoing.
• Larger platforms ("Category 1 services") face stricter requirements, but smaller businesses are not exempt.

Retail GCs should monitor these developments and prepare for implementation. Waiting until you're formally classified by Ofcom could be too late.

Final thought: The OSA isn’t just a legal issue

The Act will change how your business designs its digital experiences. Legal teams have a central role to play, but this is a cross-functional challenge.

In-house counsel should be convening conversations across tech, marketing, compliance, and leadership to ensure retail experiences are not only engaging — but safe and legally sound.

‍