Mishcon de Reya page structure

Online Safety: OnlyFans fine and the future of Ofcom enforcement

Posted on 8 May 2025

On 27 March 2025, Fenix International Limited, the provider of online site OnlyFans, was fined £1.05 million for failing to accurately respond to formal requests from Ofcom, the online safety regulator, for information about age assurance measures on the platform.  

Under the Online Safety Act (OSA), Ofcom has certain powers of enforcement. While the Fenix fine was imposed under a predecessor regime, it is a helpful indicator of future enforcement action under the OSA and of the wider picture of Ofcom's powers of enforcement.

Ofcom's enforcement powers  

Ofcom's authority to impose the financial penalty on Fenix came from the Video-Sharing Platform regulation (VSP). VSP is a regulatory regime, similar to that of the OSA. While it is currently still in force, it is due to be repealed within the next year, at which point Ofcom's power of enforcement against regulated service providers will be contained solely within the OSA. During the current transition period, both regimes apply. 

While the OSA and VSP are similar, the OSA has stricter requirements and larger penalties than the VSP. Under the VSP regime, penalties can be up to 5% of the provider's applicable qualifying revenue, or £250,000 (whichever is greater). Under the OSA, the level of potential fines has been substantially increased and is up to 10% of the provider's applicable qualifying revenue or £18 million (whichever is greater).

Key to the exercise of Ofcom's regulatory functions is its power to request information, a power under both the VSP and OSA. Under the OSA, Ofcom can use this power "for the purpose of exercising or deciding to exercise any of its online safety duties and functions". Online service providers have a legal duty to comply with statutory information notices issued by Ofcom under the OSA and VSP. When service providers reply, they must provide clear, complete and accurate responses within the deadline stipulated in the notice. Failure to comply, for example by not responding within the deadline, or providing inaccurate responses (as in the case of Fenix), may result in enforcement action.    

In addition to its information powers and the potential financial penalties outlined above, Ofcom has other specific enforcement powers under the OSA including: 

Notice of contravention and confirmation decisions 

If Ofcom has reasonable grounds to believe that a provider has failed or is failing to comply with an enforceable requirement, it can issue a notice of contravention and confirmation decision. 

These notices are issued following a formal investigation and set out issues that have arisen during this process. In response to a notice of contravention, parties may provide representations and take action to address Ofcom's concerns. Once these representations have been considered, Ofcom will publish a 'confirmation decision' which can include a penalty, requirements to use certain technologies, or business disruption measures (see below).  

Business disruption measures  

Ofcom can apply to courts for a service restriction order or an interim service restriction order to impose requirements on a regulated service provider or those acting to provide ancillary services to the regulated service. 

These are invasive measures, which will likely only be exercised in the most serious cases of non-compliance. Restrictions can include requiring third parties, such as payment or advertising providers, to withdraw from or limit access to the regulated service provider that is in breach.  

Background to the Fenix fine 

Ofcom issued a request to Fenix for information about the age assurance used by Fenix on its "OnlyFans" service, exercising its powers under the VSP. Fenix had used a "challenge age" form of age assurance which used facial estimation to confirm that the user of OnlyFans was over a certain age limit, set by Fenix. Fenix confirmed to Ofcom in both June 2022 and 2023 that OnlyFans' facial age estimation technology was set at 23 years old, and users below this age would be blocked from accessing the service. At the beginning of January 2024, however, Fenix learned that the age limit was actually set to 20 years old, and had been since November 2021.

On 22 January 2024, Fenix informed Ofcom of the error in the information that it had provided in 2022 and 2023. Ofcom launched an investigation in May 2024 to review whether the error meant that Fenix had failed to comply with its duties to respond to requests for information by Ofcom under the VSP by failing to provide complete and accurate information. Ultimately the investigation found that Fenix had failed to comply, which resulted in the £1.05 million fine.  

Why Ofcom awarded the fine

In Ofcom's explanation of the appropriateness and proportionality of the financial penalty imposed on Fenix, it highlighted the following factors: 

  • The size, resourcing, and actual knowledge of Fenix. Given the sophistication of the company's operation, Ofcom took the view that Fenix was well aware of its regulatory obligations and should have therefore taken steps to ensure the data supplied was properly reviewed and verified through appropriate governance channels prior to submission. 
  • Impact on the regulator's credibility. In October 2022, Ofcom published its first report on the VSP regime, which included the inaccurate information provided by Fenix. This undermined Ofcom's ability to carry out its regulatory function and necessitated the issuing of a note of correction.
  • Delay in reporting the error. Fenix learned of the issue on 4 January 2024, but it was not until two weeks later, on 22 January, that it informed Ofcom of the error. During this time Fenix initially elected to raise the age limit on OnlyFans to 23 years old, before dropping it again, this time to 21 years old.   

Indicative of future enforcement action? 

As outlined in our recent article, Ofcom has begun enforcement action under the OSA in relation to age-assurance measures in the adult sector, as well as in respect of dissemination of child sexual abuse material. Ofcom's push for industry compliance has been further highlighted by its announcement, on 9 April 2025, of the launch of an investigation into the provider of an online suicide forum to assess whether it has failed to comply with its duties under the OSA. This is the first investigation opened into an individual online service provider under the OSA.  

As part of this wider drive for compliance, Ofcom has suggested that service providers engage with its compliance teams to understand what they need to do to comply with the new duties under the OSA. This expectation of proactiveness on the part of regulated service providers was underlined in Ofcom's explanation for the level of fine imposed on Fenix. While it recognised that Fenix had self-reported the error after it was discovered, and took this into account, Ofcom was also keen to emphasise its expectation that companies inform it of any possible contraventions as soon as possible. Service providers should be alive to this expectation and make sure to respond accordingly should such a situation arise.

 

  
