Guidance on Age-verification Arrangements from the BBFC

October 15, 2018

Under the Digital Economy Act 2017, the BBFC is the
regulator responsible for designating which of the websites accessible in the
UK are commercial pornographic websites and any age-verification arrangements
used by such sites are adequate.

The BBFC has now published guidance which was laid before Parliament
for its consideration and approval on 10 October. The guidance, which is
theoretically still a draft but is unlikely to alter, can be found here
(pdf). (Various other relevant documents can be found here.)

The guidance sets out the criteria by which the BBFC will
assess that a person has met with the requirements of the Digital Economy Act
2017, s 14, to secure that pornographic material is not normally accessible by
those under 18. It also outlines good practice in relation to age-verification
to encourage consumer choice and the use of mechanisms which confirm age,
rather than identity. It also covers the role and function of the Information
Commissioner’s Office in this context – the two bodies have agreed a framework
for cooperation and information sharing.

The meat of the guidance is set out in paras 5 and 6 as

5. The criteria against which the BBFC will assess that an
age-verification arrangement meets the requirement under section 14(1) to
secure that pornographic material is not normally accessible by those under 18
are set out below:

a. an effective control mechanism at the point of
registration or access to pornographic content by the end-user which verifies
that the user is aged 18 or over at the point of registration or access

b. use of age-verification data that cannot be reasonably
known by another person, without theft or fraudulent use of data or
identification documents nor readily obtained or predicted by another person

c. a requirement that either a user age-verify each visit or
access is restricted by controls, manual or electronic, such as, but not
limited to, password or personal identification numbers. A consumer must be
logged out by default unless they positively opt-in for their log in
information to be remembered

d. the inclusion of measures which authenticate
age-verification data and measures which are effective at preventing use by
non-human operators including algorithms

6. The following are features which the BBFC do not
consider, in isolation, comply with the section 14(1) requirement:

a. relying solely on the user to confirm their age with no
cross-checking of information, for example by using a ‘tick box’ system or
requiring the user to only input their date of birth

b. using a general disclaimer such as ‘anyone using this
website will be deemed to be over 18’

c. accepting age-verification through the use of online
payment methods which may not require a user to be over 18. (For example, the
BBFC will not regard confirmation of ownership of a Debit, Solo or Electron
card or any other card where the card holder is not required to be 18 or over
to be verification that a user of a service is aged 18 or over.)

d. checking against publicly available or otherwise easily
known information such as name, address and date of birth