Comment by wizzwizz4

Someone spams CSAM on the site. You report it to CEOP, as every forum mod knows to do (though most have never needed to do), and Ofcom let you off with a warning – but you're no longer low-risk, so there's a lot more paperwork.

Now someone copy-pastes the doxx of members of the military from a leaked Pastebin – something you have no practical way of detecting – and it's not your first strike, and there's some public attention and someone decides they need an Example, so now you're getting scary letters about potential criminal charges.

You don't hear anything about those charges, so you assume things are okay. But now someone's claiming to be the parent of one of your users, who hasn't been around for a while. They claim the user was 17, has tragically died, and you don't have a policy about giving parents access to information about this user's activity (but they claim it's a TTRPG forum, which is a children's game, so 35(1)(3)(b) says you should have had a children's access assessment), and they claim they can prove they're the user's parents (they have the password, even!) but haveibeenpwned says the associated email address was in a data breach. Do you provide the information, or not?

Fortunately, you got in context with the real parents of that child – they know nothing about this website you run, and the person contacting you is someone else. You let them know that photos of their identification documents have been stolen. (You later learn that the user isn't even dead: they tell you about a stalker ex, and you make a note to be extra careful about this user's data.)

One of the domains in your webring has expired, and now redirects to a cryptospam site. That counts as §38 "fraudulent advertising". In response, Ofcom decide (very reasonably) to make webrings illegal.