Online age verification/DCMS Guidance to Regulator

< Online age verification

This page summarises the guidance produced by the Department for Digital, Culture, Media and Sport targeting the regulatory body for Online age verification, currently the BBFC.

The final guidance document was published in January 2018, and can be downloaded from GOV.UK here.

The guidance is produced under s.27 of the Digital Economy Act 2017, and claims to set out a framework for regulating AV in the following areas:

  • “Regulator’s approach to the exercise of its powers;
  • Age-verification arrangements;
  • Appeals;
  • Payment-services Providers and Ancillary Service Providers;
  • Internet Service Provider blocking; and
  • Reporting.”

It is worth noting that this document constitutes guidance and does not confer legal obligations on the BBFC. However, the guidance is to be treated as persuasive. As noted in s.27(3) DE Act, the BBFC must "have regard" to it.

Regulator’s approach to the exercise of its powers

Document highlights that not all sites are likely to be caught by the regulator! It specifies that the BBFC may, if it thinks fit, choose to exercise powers principally in relation to persons who make pornography available “to a large number of persons”, or who “generate a large amount of turnover by doing so”.

It notes that - before it determines that a person is contravening the DE Act by not having AV implemented properly - the BBFC “must allow that person an opportunity to make representations about why the determination should not be made”.

The document also compels the BBFC to consider - when exercising its powers - which of the powers it has would be most effective in encouraging compliance. (So it can’t jump straight to blocking or massive fines).

Similarly, the document notes that before issuing a notice requiring ISPs to block a site, the BBFC “must consider whether issuing civil proceedings or giving notice to ancillary service providers and payment-services providers might have a sufficient effect on the non-complying person’s behaviour”.

For the purposes of transparency, the DCMS guidance notes that the BBFC should publish on its website details of any notices issued under s.19, 21, and 23.

Age-verification arrangements

The document does not outline how AV should work directly. It defends this by noting that “new age-verification technologies will develop over time” and that, as such, “the Secretary of State considers that rather than setting out a closed list of age-verification arrangements, the regulator’s guidance should specify the criteria by which it will assess, in any given case, that a person has met with this requirement”.

“The process of verifying age for adults should be concerned only with the need to establish that the user is aged 18 or above. The privacy of adult users of pornographic sites should be maintained and the potential for fraud or misuse of personal data should be safeguarded.”

“The role of the regulator should be to focus on the ability of arrangements to verify whether someone is 18 or over. The regulator should not duplicate the role of the Information Commissioner’s Office.”

The above sentence seems to make it pretty clear that this document is highlighting the fact that privacy and data security are specifically outside the scope of the BBFC’s field of interest, and that this is left to the ICO.

But it does note that the BBFC’s guidance should contain information about the ICO’s role, and the expectation that AV services and online pornography providers should “take a privacy by design approach as recommended by the ICO”. It also suggests that the guidance should outline “the expectation that age-verification services and online pornography providers should have regard to the ICO’s guidance on (among other things) data minimisation, privacy by design and security.”

The DCMS’s guidance suggests that the BBFC “should” inform the ICO where it has concerns that a tool they have assessed may not meet the requirements for data protection legislation.

But at the same time, this guidance does pretty specifically note that the BBFC aren’t concerned with privacy and data protection issues, so they are unlikely to be specifically searching out such issues. In this regard, serious privacy problems with some AV tools may never surface.


As per the DE Act, the Secretary of State for DCMS must be satisfied that an appeal process is in place for those who are subject to financial penalties or enforcement notices.

The document also notes that the DCMS must be satisfied that anyone hearing appeals must be “sufficiently independent” of the BBFC.

It notes that the BBFC’s appeals arrangements should specify the process for appeals, including:

  • “Right to appeal;
  • Grounds to appeal;
  • Appeal procedure;
  • Independent Appeal Panel;
  • Costs.”

The document has some other more detailed specifics about internal appeals and the structure of an Independent Appeals Panel, but nothing too unexpected or groundbreaking.

Payment-services providers and ancillary service providers The document talks about the power granted by the DE Act that allows the BBFC to give notice to ancillary payment-services providers that a provider is being noncompliant. But it also confirms that “there is no requirement in the Digital Economy Act for payment-services providers to take any action on receipt of such a notice”.

The document notes that the BBFC “should” consider the effectiveness of this kind of notification on a case-by-case basis.

The definitions of “payment-services provider” and “ancillary service provider” are from the DE Act and mostly as one would expect, however the document does highlight that the definition of “ancillary service provider” does include advertisers who advertise on or via any site operated by the non-complying person.

The document also notes that “ancillary service provider” is not limited to providers who have a direct financial relationship with the non-complying pornographic site, and can also include (but is not limited to):

  • Upload sites;
  • Search engines;
  • Discussion forums which users post links on;
  • Cyberlockers and cloud storage services;
  • Websites and app marketplaces allowing app downloads;
  • Hosting services which enable the download of apps;
  • Domain name registrars;
  • Set top boxes, mobile apps and other devices which can connect directly to streaming services.

The above list is drafted very widely so is worth paying close attention to. The document notes that the BBFC’s published guidance should contain a list of providers that it will consider ancillary service providers similar to the above, but that the list does not need to be exhaustive.

Internet Service Provider blocking

The document notes that “the regulator should take a proportionate approach and consider all actions (Chapter 2.4) before issuing a notice to internet service providers”.

It notes that the BBFC should take a proportionate approach and “take into account the child safety impact that will be achieved by notifying a supplier with a small number of subscribers”. Seems to imply that it does not want the BBFC to waste a lot of time and resources targeting small ISPs without much benefit.

But it also notes that “the regulator should consider any ISP that promotes its services on the basis of pornography being accessible without age verification irrespective of other considerations”. Effectively, if the ISP try to use being small and non-AV-compliant as a unique selling point, the BBFC should attempt to target them accordingly.

It is also worth noting that the document specifically notes that it is not expected that ISPs will not be expected to block services to business customers unless a specific need is identified.

The wording of the document appears to anticipate a lot of notifications as it suggests that the BBFC “should issue notifications to ISPs on a scheduled basis in the expectation that the ISPs will implement a blocking order within 3 working days”.

The document specifically notes that the BBFC should take into account technological developments, but that DNS blocking on ISP DNS servers will meet the requirements of s.23(2)(c). It explicitly notes that “ISPs will not be expected to block third-party DNSs”.

The DCMS guidance notes that where non-compliant sites have been blocked and are now complying, the regulator should notify the ISPs that the notice has been revoked.

The guidance also notes that ISPs are encouraged to inform the BBFC where they feel like there is a risk of over-blocking in the course of complying with a notice that the BBFC has issued them.

Section 23(4)(a) DE Act specifies that a blocking notice may require the ISP to provide information to users where a non-compliant site has been blocked. “The regulator should consult with ISPs to establish best practice on these customer notices ‘(splash pages’)”


This section just outlines that the BBFC must submit annual reports to the DCMS on their operation and outline statistics on how their AV department is functioning.

The specifics in this section are largely uninteresting and procedural.