Online age verification/BBFC Consultation

On 26 March 2018, the BBFC launched their consultation paper seeking public feedback on their draft guidance to the providers of age verification services.

The deadline for consultation responses was set at 23 April 2018.

Document Overview

• Document makes repeated mention of the “child protection” goals of the legislation and treats them as if they’re an explanation for why the BBFC aren’t going to go after every site, and just a subset of the obvious ones.
  • Sections: 1.12, 2.2, 2.5, 2.10

• Section 2.5 mentions that they will be prioritising sites which are “most frequently visited, particularly by children”
  • A curious comment, as this is difficult to establish. How can this be researched ethically?

• In terms of talking about the goals of the legislation being child protection, and then essentially admitting that only a subset of major sites will be targeted, this seems like an admission that the legislation will struggle to meet its own stated goals.
  • Legally this raises questions of proportionality. The chilling effect of AV, and the blocking powers of the BBFC represent a derogation to the free expression right of both consumers and site operators.
  • If the legislation is failing to even meet its own goals, it is hard to see how the impact to free expression that it represents can be considered proportionate.
  • This becomes a human rights question. JR on the basis of proportionality?

• Section 2.5 also mentions that the BBFC will target sites which host “potentially indecent images of children”. This does not seem to be something that is within the BBFC's remit.

• Throughout, the document defers privacy concerns to the ICO, thereby highlighting the big regulatory gap left uncovered between the two.
  • Section 1.8 defers privacy concerns to ICO and mentions the BBFC-IOU MoU that’s attached to the consultation.
  • Section 3.9 outlines the data protection compliance concerns that the BBFC might come across (incidentally, whilst reviewing the tool and not necessarily looking for them directly). It’s a short and unimpressive list.
  • Section 4.3 lists some ICO guidance about data protection that uses phrasing like “must” and “need”, but the BBFC notes that AV providers “should have regard” to this guidance. So it’s non-binding.
  • Section 4.8.b again notes that privacy is not the concern, and it’s just “data protection compliance concerns” that are an issue.

• Section 2.9 offers a useful overview of the BBFC’s statutory powers, from the Act.

• Sections 2.13 - 2.15 offer some insight into transparency.
  • BBFC confirm that they will monitor sites for which notices have been issued, and if a site “becomes compliant”, then the notices will be lifted.
  • If notices to block have been served on ISPs, then the BBFC will also ensure that those ISPs are informed that the block needs to be lifted.

• Section 2.16 suggests that the BBFC are aiming for transparency and will publish any notification or appeal outcomes on their site.

• Section 3.4 notes that the guidance outlines “good practice” in terms of using mechanisms to “confirm age but not identity”
  • But the rest of the document offers no real hints as to how this could be done practically.

• Section 3.7 offer some non-binding privacy guidance, recommending that AV providers:
  • Collect minimum data to verify age
  • Include measures to reduce the potential for children to misuse an already-verified account
  • “Provide ease of use for end-users” (It is unclear why this is relevant.)
  • Include clear information for end-users on data protection

• Section 3.8 suggests (also non-binding) that commercial porn sites implement a choice of AV providers.

• Section 4.4.b notes that the ICO might consider it a data protection compliance concern where AV data is being re-used for purposes other than AV “without the knowledge of the individual concerned”.
  • This may possibly prevent AgeID reusing data within the MindGeek ecosystem.
  • But it’s unclear from the BBFC’s wording here whether this means “actual knowledge”, or whether a ToS/Privacy-Policy “signed” by the user will suffice.