New Code of Practice for App Distribution Services to Protect Users from Harmful Content

Introduction

The Infocomm Media Development Authority (“IMDA“) has issued a Code of Practice for Online Safety for App Distribution Services (“Code“), which takes effect from 31 March 2025. The Code requires designated App Distribution Services (“ADSs“) to enhance online user safety, particularly for children, and curb the spread of harmful content on their service.

The Code recognises the prevalence of mobile device ownership amongst adults and children, and that there is a corresponding increased risk of exposure to harmful content, including age-inappropriate content for children. The Code thus marks the next significant step in enhancing online safety for Singapore users, by implementing regulation over ADSs, which will allow IMDA to direct ADSs to disable access by Singapore users to egregious content on their services.

IMDA had earlier implemented a similar Code of Practice for Online Safety for Social Media Services in July 2023. For more information on this, please see our earlier Legal Update here.

The Code establishes obligations for designated ADSs to put in place system-level measures against harmful content for users. The obligations fall under the following categories:

• User Safety – ADSs must put in place measures to protect users from harmful content. In particular, ADSs must implement age assurance measures to determine whether the users on their platforms are children and ensure better protection for them.
• User Reporting and Resolution – Individuals must be able to report harmful or inappropriate content on the ADS.
• Accountability – ADSs must provide users with information on the relevant safety measures and must submit annual online safety reports to IMDA.

This Update highlights the key elements of the Code, including the scope of applicability and details of the obligations that designated ADSs must comply with.

Scope of Applicability

IMDA will designate ADSs with significant reach or impact as regulated online communication services, which will be subject to the obligations in the Code. Currently, the designated ADSs are:

• Apple App Store;
• Google Play Store;
• Huawei App Gallery;
• Microsoft Store; and
• Samsung Galaxy Store.

The categories of harmful content targeted by the Code include the following:

• Sexual content;
• Violent content;
• Suicide and self-harm content;
• Cyberbullying content;
• Content endangering public health; and
• Content facilitating vice and organised crime.

User Safety

ADSs must put in place reasonable and proactive measures to protect users from harmful content, with specific measures to protect children from harmful or inappropriate content.

The Code sets out the following measures that must be included to protect all ADS users:

• Content guidelines and content moderation – Reasonable and proportionate measures must be put in place to minimise ADS users’ access or exposure to harmful content. This includes content guidelines and standards for app providers, and content moderation measures effected by ADS providers.
• Empower ADS users and improve safety – ADS users must be able to easily access information on the ADS regarding online safety, which includes: (i) content guidelines and standards; (ii) content moderation measures and, in particular, the actions that may be taken by the ADS provider to address breaches of its content guidelines and standards; and (iii) information on ADS users’ ability to report content on the ADS to the provider.
• Proactive detection and removal – ADSs must minimise users’ exposure to child sexual exploitation and abuse material and terrorism content through the use of technologies and processes to proactively detect and remove such material. Reasonable and proportionate steps must also be taken to protect ADS users from preparatory child sexual exploitation and abuse activity and preparatory terrorism activity.

The Code further sets out the following measures that apply specifically to children:

• Content guidelines and content moderation – Besides harmful content, children’s access or exposure to inappropriate content on the ADS must also be minimised through reasonable and proportionate measures, which include content guidelines and standards for app providers and content moderation measures by ADS providers that are appropriate for children.

Children must not be targeted to receive content that the ADS provider is reasonably aware to be detrimental to their physical or mental well-being.

• Protection for children – Children must be provided differentiated accounts with more robust settings to minimise access or exposure to and mitigate the impact of harmful or inappropriate content.

In this regard, the ADS provider must have in place systems and processes, including age verification, or other means of age assurance, to establish the age or age range of an ADS user with reasonable accuracy. If the ADS provider has yet to implement age assurance systems and processes, it must set out an implementation plan which includes a reasonable timeline for implementation to IMDA.

Children and their parents or guardians must be provided clear warnings of the implications if they opt out of the default settings of the children accounts, and must have access to information and tools that enable them to manage children’s safety and effectively minimise children’s access to harmful or inappropriate content.

The Code further sets out measures applicable to providers of apps with user generated content functionality:

• ADS providers must ensure that the providers of such apps have: (i) content moderation measures to detect, assess, and remove harmful content; and (ii) an in-app channel for users to report any harmful or inappropriate content.
• ADS providers must take appropriate action against app providers that fail to resolve ADS user reports in accordance with the ADS’s policies.

User Reporting and Resolution

The Code sets out a reporting and resolution mechanism that ADSs must have in place to allow individuals to report harmful or inappropriate content:

• Assessment and action – Reports must be assessed, and appropriate action must be taken by the ADS provider in a timely and diligent manner that is proportionate to the severity or imminence of the potential harm. In particular, timelines must be expedited for content related to child sexual exploitation and abuse material and terrorism.
• User follow-up – Unless the report is frivolous or vexatious, the ADS provider must inform the user who submitted the report of the decision and the action taken by the ADS provider without undue delay. The user must be allowed to submit a request for a review of the decision and the action taken.

• Informing other users – Where the ADS provider decides to remove or disable the reported app, or suspend or terminate the account of the app provider, any ADS user who has downloaded the reported app within the last six months must also be informed as soon as reasonably practical.

Accountability

The Code requires ADS providers to submit annual online safety reports to IMDA, which will be published on IMDA’s website. The reports must include suitable information and metrics, which are subject to agreement by IMDA. This includes:

• What steps the ADS provider has taken and the effectiveness of these steps to mitigate exposure to harmful or inappropriate content, including descriptions of specific measures in place to enhance online safety for users in relation to the above obligations; and
• What actions the ADS provider has taken in response to reports made by users.

Concluding Words

The threat of harmful online content is a growing issue across the world, attracting greater regulatory attention from governments. The Code represents the latest step in Singapore’s effort to tackle this issue, imposing a set of obligations on designated ADSs. Relevant service providers should take note of the requirements and review their operations to ensure compliance with the Code.  

IMDA has stated that it will continue efforts to ensure that regulatory and public education measures are put in place to address the growing range of harmful online content and protect Singapore users against online harms.

For further queries, please feel free to contact our team.

Click on the following links for more information (available on the IMDA portal at www.imda.gov.sg):

• Press Release titled “New Online Safety Code of Practice for App Distribution Services Enhances Protection for Singapore Users”
• Code of Practice for Online Safety for App Distribution Services