UK's Online Safety Act: A Compliance Nightmare for Mid-Tier Dating Apps

Match Group and Bumble can afford the compliance teams. The question is whether the rest of the UK dating market can survive what's coming. Ofcom is sending a senior regulator to explain the UK Online Safety Act enforcement regime to dating industry operators at the Global Dating Insights Conference on 13 May, offering one of the few opportunities for platforms to hear directly what 'good enough' looks like before enforcement becomes aggressive.

According to the event listing, Marc Martorell, Senior Associate at Ofcom's Online Safety division, will lead a fireside chat covering what the legislation means for dating and social discovery platforms. The session promises details on new legal obligations, implementation timelines, and the penalty structure: fines reaching £18M or 10% of global revenue for serious breaches. This isn't a consultation.

The OSA entered force in October 2023, and Ofcom has been issuing codes of practice throughout 2024. Dating operators are now subject to enforceable safety duties with financial penalties calibrated to hurt.

Create a free account

Unlock unlimited access and get the weekly briefing delivered to your inbox.

Register free

No spam. No password. We'll send a one-time link to confirm your email.

What dating apps actually have to do

The OSA imposes three categories of duty on user-to-user services, which includes dating platforms. Illegal content duties require removing or preventing access to material that violates UK criminal law—child sexual abuse material, terrorism content, fraud, and harassment. These aren't new concerns, but they're now backed by statutory liability.

Child safety duties apply to services likely to be accessed by under-18s. Most dating apps restrict membership to adults, but Ofcom has made clear that age restriction policies don't exempt platforms if children can realistically access them. Verification becomes a compliance requirement, not a product feature.

Adult safety duties target what Ofcom terms 'priority harms': content or behaviour promoting self-harm, eating disorders, or illegal acts. For dating platforms, this extends to conduct that creates physical safety risks when members meet offline. The regulator expects platforms to assess risks specific to their service design and implement proportionate mitigation measures.

Verification sits at the centre of all three duties. Dating operators must have systems to assess user age, remove underage accounts, and—critically—demonstrate those systems work. Ofcom hasn't mandated specific technologies, but the enforcement model suggests that self-attestation won't satisfy the standard.

The penalty structure and who it hits hardest

The £18M or 10% of qualifying worldwide revenue formula mirrors the General Data Protection Regulation (GDPR) enforcement model that's been in place since 2018. For MTCH, which reported $3.19B in revenue for 2023, the theoretical maximum penalty would be $319M. For a bootstrapped niche platform doing £2M annually, the maximum would be £200K—less in absolute terms, but potentially terminal for the business.

Ofcom hasn't clarified whether the 10% threshold applies to all breaches or only the most egregious violations. The language around 'serious breaches' suggests tiering, but operators won't know the scale until the regulator issues its first penalties or publishes detailed enforcement guidance. That ambiguity is itself a compliance burden.

Smaller platforms face a structural disadvantage. Building age verification infrastructure, hiring content moderators, conducting algorithmic risk assessments, and maintaining audit trails costs roughly the same whether you have 50,000 members or 5 million. Bumble disclosed in its 2023 annual report that trust and safety headcount had grown to over 350 people across moderation, safety product, and policy teams.

A regional dating app with £3M in revenue cannot replicate that. The result will be market consolidation. Platforms that can't afford compliance will exit UK members or shut down entirely.

Those that remain will face margin compression as safety spending rises without corresponding revenue growth. MTCH and BMBL already carry the compliance infrastructure; their incremental cost is lower.

Ofcom's jurisdictional expansion and what comes next

Ofcom's traditional remit covered broadcast television, radio spectrum, and telecommunications networks. The OSA transforms it into a digital platform regulator with powers approaching those of the Information Commissioner's Office (ICO) under GDPR. This represents one of the most significant expansions of regulatory jurisdiction in the UK tech policy landscape since the Data Protection Act 2018.

Dating operators now face oversight from multiple regulators with overlapping mandates. The ICO enforces data protection and privacy requirements. Ofcom enforces online safety duties. The Competition and Markets Authority (CMA) monitors anti-competitive practices.

Each regulator operates on separate timelines, issues distinct guidance, and can levy independent penalties for the same underlying product decisions. Martorell's conference session will likely address enforcement priorities and how Ofcom intends to sequence its compliance expectations.

The regulator has indicated it will focus initial enforcement on the largest platforms and the most serious harms, but that sequencing offers no protection to smaller operators. A single high-profile safety incident on a niche platform could trigger enforcement regardless of its market position. The fireside chat format suggests Ofcom is still in dialogue mode, at least publicly.

That window will close. By mid-2025, the regulator will have issued most of its codes of practice and will begin moving from guidance to enforcement. Operators attending the conference should treat the session as an opportunity to ask specific questions about their own risk profiles, not to hear generalities about the legislation's intent.

The fundamental question isn't whether dating apps can technically comply with the OSA—most can, given sufficient resources. The question is whether the compliance cost structure will drive a wave of exits and acquisitions that leaves the UK market even more concentrated than it already is. Ofcom's enforcement approach over the next 18 months will determine whether mid-sized operators can survive or whether the only viable options are scale or shutdown.