Dating's Regulatory Reckoning: UK, EU, and U.S. Converge on Safety

The DII Take

The legislative convergence across the UK, EU, and U.S. represents the end of the dating industry's regulatory holiday. For two decades, dating platforms operated with minimal safety obligations beyond basic terms of service and voluntary self-regulation. The OSA, DSA, and emerging U.S. legislation collectively establish that dating platforms have legal responsibilities for user safety that go beyond what the industry has historically provided. The compliance cost is substantial but unavoidable, and the platforms that invest proactively in compliance infrastructure will face lower long-term costs than those that wait for enforcement to force their hand.

The UK Online Safety Act: Dating-Specific Impact

The Online Safety Act affects dating platforms through several specific provisions. Illegal content duties require platforms to assess the risk that their services are used for illegal activity—fraud, harassment, sharing of intimate images without consent, child sexual exploitation—and to implement proportionate measures to mitigate those risks. For dating platforms, this means robust content moderation, fraud detection, and reporting mechanisms.

Children's safety duties require platforms that are likely to be accessed by children to implement age assurance and content safety measures. Dating platforms are explicitly within scope because they host user-generated content that may include material harmful to children. The requirement for "highly effective" age assurance led to the July 2025 roll-out of age verification across major UK dating apps.

Cyberflashing provisions, effective January 2026, require platforms to prevent the sending of unsolicited intimate images, a prevalent problem on dating platforms. Platforms must implement detection and prevention measures, not merely respond to reports after the fact. Transparency reporting requires in-scope platforms to publish information about their safety measures, content moderation activity, and enforcement actions. The specific reporting requirements depend on the platform's categorisation by Ofcom.

The fees regime requires regulated platforms to pay fees to fund Ofcom's regulatory operations. While the individual fees for most dating platforms are modest, they represent a new recurring cost that did not exist before the Act.

The EU Digital Services Act: Dating-Specific Impact

The DSA imposes obligations that parallel the UK's OSA with some significant differences. Risk assessment requirements apply to all hosting services, including dating platforms. Platforms must assess systemic risks arising from their services and implement mitigation measures. For dating platforms, systemic risks include romance fraud, harassment, and the amplification of harmful content through recommendation algorithms.

Transparency obligations require annual reporting on content moderation, automated decision-making, and complaint handling. The reporting requirements are more standardised than the UK's, with specific metrics that all platforms must report. Notice-and-action mechanisms require platforms to establish clear processes for users to report illegal content and for platforms to respond within defined timeframes. The DSA specifies requirements for acknowledgement, investigation, and outcome communication that create a structured complaint-handling obligation.

Algorithmic transparency provisions, applicable to VLOPs but potentially influencing industry practice more broadly, require disclosure of how recommendation systems work and provide users with options to influence their recommendations. For dating platforms, this could mean disclosing how matching algorithms prioritise profiles and enabling users to adjust algorithmic parameters.

U.S. Legislative Developments

The U.S. regulatory landscape is evolving from the permissive Section 230 framework toward specific platform safety obligations. The Romance Scam Prevention Act, if enacted, would be the first federal legislation specifically targeting dating platform safety. Its requirements—alerting users who have communicated with potential scammers—are modest compared to the UK and EU frameworks but represent a significant shift in the U.S. regulatory direction.

State-level activity varies. California's age-appropriate design code, modelled partly on the UK's approach, imposes obligations on platforms likely to be accessed by children. Other states are considering specific dating platform safety legislation, creating a patchwork that may eventually drive demand for federal standardisation. Section 230 reform discussions continue, with various proposals to narrow the liability protection that has historically shielded dating platforms from responsibility for user-generated content. While comprehensive Section 230 reform remains politically difficult, incremental changes that carve out specific categories of harm from liability protection are more likely.

Compliance Strategy for Multi-Jurisdictional Operators

Dating platforms operating across the UK, EU, and U.S. face the challenge of simultaneous compliance with different and sometimes conflicting requirements. The highest-common-denominator approach applies the most stringent requirements—typically UK OSA or EU DSA—globally, ensuring compliance in all jurisdictions at the cost of potentially over-complying in less demanding markets. This approach simplifies operations and reduces the risk of compliance gaps.

The jurisdiction-specific approach tailors compliance to each market's requirements, optimising cost but increasing operational complexity. This approach requires dedicated compliance teams or counsel in each jurisdiction and robust systems for applying jurisdiction-specific rules to jurisdiction-specific users. The hybrid approach applies a global baseline—meeting the most stringent requirements for core safety obligations—with jurisdiction-specific adaptations for requirements that differ significantly across markets such as age verification methods, reporting formats, and data retention periods.

The Compliance Timeline in Detail

Understanding the compliance timeline across all three jurisdictions enables operators to plan their investment and implementation sequentially. The UK OSA timeline includes illegal content duties effective March 2025, children's access assessment in April 2025, children's safety measures in July 2025, cyberflashing provisions in January 2026, Phase 3 categorised services duties from 2026 onwards, and a super-complaints regime in early 2026. Enforcement is already active, with 21 investigations opened by October 2025.

The EU DSA timeline mandated intermediary service obligations from February 2024 for VLOPs and February 2025 for all in-scope services, with transparency reporting required annually beginning in 2025 and risk assessment obligations ongoing for VLOPs. Enforcement is distributed across member states through Digital Services Coordinators. The U.S. timeline remains less defined, with no federal dating-specific legislation currently enacted, though the Romance Scam Prevention Act is in progress. State-level requirements vary, CCPA/CPRA obligations are ongoing, and the direction of travel is toward increased obligation.

The Cost of Non-Compliance

The penalties for non-compliance with each legislative framework are substantial enough to represent existential risk for smaller platforms and material financial risk for larger ones. UK OSA penalties reach up to 10% of global annual revenue or £18 million, whichever is greater. Ofcom also has the power to require specific technical measures, demand information, and in extreme cases, require ISPs to block access to non-compliant services.

EU DSA penalties extend up to 6% of global annual turnover for general provisions violations, with additional penalties for providing incorrect, incomplete, or misleading information. U.S. penalties vary by legislation and jurisdiction. FTC enforcement actions can impose fines, consent decrees, and ongoing compliance monitoring, whilst state-level penalties vary but can be significant.

The penalties for non-compliance far exceed the cost of compliance. Ofcom has demonstrated willingness to penalise procedural failures alongside substantive safety failures.

The Practical Compliance Checklist

DII recommends that dating platform operators use the following checklist to assess their compliance posture across all three jurisdictions:

• Risk assessment: Have you completed illegal content risk assessments (UK OSA) and systemic risk assessments (EU DSA)? Are these documented and regularly updated?
• Age assurance: Have you implemented age verification that meets Ofcom's "highly effective" standard? Is your system scalable to additional jurisdictions?
• Content moderation: Do you have automated and human moderation covering profiles, photos, and messages? Do your systems address illegal content, harmful content, and platform-specific policy violations?
• Reporting and complaints: Do users have accessible mechanisms to report harmful content and behaviour? Do you acknowledge reports, investigate them, and communicate outcomes?
• Transparency: Can you generate the transparency reports that UK OSA and EU DSA require? Do you track the metrics that regulators will want to see?
• Data protection: Are you compliant with UK GDPR, EU GDPR, and CCPA/CPRA for the jurisdictions where you operate? Do you have DPIAs for high-risk processing activities?
• Incident response: Do you have documented procedures for safety incidents, data breaches, and regulatory inquiries? Have these been tested?

If any answer is "no," that item should be prioritised on the compliance roadmap.

The Enforcement Comparison

The three jurisdictions take different approaches to enforcement that affect how dating platforms experience regulatory pressure. UK enforcement through Ofcom is direct, specific, and already active. Ofcom has opened 21 investigations and issued fines within the first year of the OSA taking effect. The regulator has demonstrated willingness to penalise both substantive safety failures and procedural non-compliance, such as providing inaccurate information in response to information requests. For dating platforms, the message is clear: Ofcom is active, capable, and willing to enforce.

EU enforcement through member state Digital Services Coordinators is more distributed and less immediately active. The enforcement timeline lags the UK by approximately 12 to 18 months, reflecting the longer implementation timeline for the DSA across 27 member states. However, when enforcement does arrive, the penalties—up to 6% of global turnover—are comparable to the UK's. U.S. enforcement is currently minimal for dating-specific safety obligations, reflecting the absence of federal dating platform legislation. FTC enforcement actions and state attorney general actions provide some accountability, but the comprehensive framework of the UK and EU has no U.S. equivalent. This gap is narrowing as the Romance Scam Prevention Act and state-level legislation advance.

The Industry Engagement Strategy

Dating platforms should engage proactively with all three regulatory frameworks rather than waiting for enforcement to force compliance. In the UK, participation in Ofcom consultations, voluntary safety reporting, and proactive engagement with the ODDA roadmap demonstrate good faith that may influence enforcement decisions. Ofcom has indicated that it will take compliance effort and good faith into account when assessing enforcement responses.

In the EU, engagement with the relevant Digital Services Coordinator in each operating member state builds the local regulatory relationships needed for constructive compliance. The distributed nature of DSA enforcement means that regulatory relationships must be cultivated at the national level. In the U.S., engagement with congressional committees, the FTC, and state regulators positions dating platforms as responsible industry participants rather than adversarial targets. As federal legislation develops, platforms that have engaged constructively will have more influence over the final requirements than those that have been absent from the conversation.

The Small Platform Challenge

Small and mid-size dating platforms face a disproportionate compliance burden under all three frameworks because the core obligations apply regardless of platform size, whilst the resources available for compliance scale with revenue. A platform with 50,000 users and £500,000 in annual revenue faces the same obligation to assess illegal content risks, implement age verification, moderate content, handle user reports, and prepare transparency reports as a platform with 50 million users and £5 billion in revenue. The absolute cost of compliance is lower for smaller platforms—they can implement simpler systems with smaller teams—but the cost as a percentage of revenue is far higher.

This disparity creates strategic implications: consolidation, geographic retreat, and shared compliance infrastructure are emerging as responses to disproportionate regulatory burden on smaller platforms.

This disparity creates strategic implications. Consolidation occurs as smaller platforms are acquired by or merge with larger ones that can spread compliance costs. Geographic retreat happens when smaller platforms exit regulated markets to operate in less demanding jurisdictions. Shared compliance infrastructure develops as smaller platforms use shared moderation services, template policies, and pooled regulatory expertise to reduce individual costs. DII recommends that regulators consider proportionality mechanisms that reduce the compliance burden for smaller platforms without reducing the safety standard. Phased implementation timelines, simplified reporting requirements, and access to shared compliance resources would maintain safety whilst supporting market diversity.

The Convergence Trend

The UK and EU frameworks, whilst different in detail, reflect converging principles: platforms are responsible for user safety, must assess and mitigate risks, must moderate content, must verify user identity, and must report transparently on their safety activities. This convergence suggests that platforms building compliance for one jurisdiction will find the incremental cost of compliance with the other relatively modest. The U.S. is likely to converge toward similar principles over the next three to five years, creating a global baseline of safety expectations that all dating platforms will need to meet.

The Platform Response Strategy

Dating platforms should develop a unified compliance strategy that addresses all three legislative frameworks coherently rather than treating each as an independent project. The compliance audit should map every OSA, DSA, and relevant U.S. requirement to the platform's current capabilities, identifying gaps that need to be addressed. This mapping reveals the total compliance picture and enables prioritisation based on risk—highest-penalty requirements first—timeline—nearest-deadline requirements first—and synergy, meaning requirements that can be addressed through shared investments.

The technology roadmap should identify the specific systems needed for compliance: age verification, content moderation, reporting and complaints handling, transparency reporting, data protection, and incident response. Where a single technology investment serves multiple regulatory requirements—a moderation system that supports both OSA and DSA compliance—the shared investment reduces total compliance cost. The organisational investment should include dedicated compliance personnel who monitor regulatory developments, manage compliance programmes, and engage with regulators across all operating jurisdictions. The alternative, distributing compliance responsibility across multiple functions without dedicated ownership, creates coordination gaps that increase enforcement risk.

The platforms that view compliance as a strategic investment rather than a cost burden will be best positioned for the regulatory decade ahead.

More articles by DII Editorial