Age Verification – General

What is Age Verification?
It is widely accepted that what is illegal in the real world should also be illegal online.

Many of our existing laws include age-restrictions.  The most common examples where we require proof of age are the purchase of alcohol, fireworks, cigarettes, knives, scratch-cards and pornography.  Increasingly, goods and services are accessed online, so an equivalent way to check the age of a consumer using the internet was needed.

Age verification technology provides this fundamental building block for applying the rule of law online.  It seeks to do so in a proportionate way, just as is the case in the real world: So for higher risk uses, a higher level of age assurance is required to confirm that a consumer is the age they claim to be.  And this new industry sector operates independently of the suppliers of age-restricted goods and services, and of the global platforms which advertise them, to a standard which can audited and certified.

How does Age Verification differ from identity assurance?
A key distinction of age verification, as opposed to identification, is that it is not always necessary to know the identity of an individual when you conduct an age check.  As people become more careful about sharing personal data, being able to prove your age without disclosing your identity will be increasingly valued.

Age verification tends to be a cheaper and more straightforward than age assurance.

 

Is age verification the same as age assurance?
No.  Third Party Age Verification is one form of age assurance. Our services typically work on an ‘attribute’ system where websites request confirmation of a particular user attribute (in this case age or age range) and we give a ‘yes’ or ‘no’ answer. This method reduces the amount of personal data we need to collect you and may allow websites to take advantage of technological expertise and latest developments in the field.

Other forms of age assurance, according to the UK Information Commissioner’s Office, include:

  1. Self-declaration – This is where a user simply states their age but does not provide any evidence to confirm it.
  2. Artificial intelligence – It may be possible to make an estimate of a user’s age by using artificial intelligence to analyse the way in which the user interacts with a website.
  3. Self-declaration and AI – Similarly you could use this type of profiling to check that the way a user interacts with a website is consistent with their self-declared age
  4. Account holder confirmation – You may be able to rely upon confirmation of user age from an existing account holder who you know to be an adult.
  5. Hard identifiers – You can confirm age using solutions which link back to formal identify documents such as a passport.
What methods of age verification are available?
Age assurance is a fast moving sector, with new methods being developed all the time.  Currently, checks can be conducted using:

  • Identity Documents (Passport, Driving Licence, PASS Scheme cards)
  • Credit reference agency data
  • Electoral Roll
  • Mobile Phone account records
  • Social analysis
  • Facial image analysis

Each of these, alone or in combination, verify age to a different level of assurance.  Regulators can determine the level of assurance they require for each use.

Do I need to repeat age verification each time I use a restricted website?
Once a consumer has secured an age check, it will usually not be necessary to repeat it not only for the original website or app where the check was made, but for other sites where the same AV provider is used.  Subsequent checks can be invisible to the consumer if they are willing to allow their devices to retain an encrypted AV token; and even if they do not do that, future checks will be streamlined as the provider will often be able to confirm they’ve previously passed a check.
Can I just verify my age once, and then access all age-restricted websites?
Already, individual providers offer a verify-once, use-many-times solution; so if you access a website that works with the same age verification provider for a site where you’ve already proven your age, you will usually not need to repeat the process.

In addition, many providers have put in place bilateral arrangements to recognise each other’s age checks; making it quicker to access new sites.

As the age verification market matures further, it is predicted that a multilateral “age-attribute exchange” will be formed, along the lines of the model used by payment networks such as Visa & Mastercard, where hundreds of different suppliers of credit and debit cards can all be accepted by a retailer through a single payment system.  The Age Verification sector is developing similar mechanisms for interoperability so this level of verify-once, use-many-times is extended across sites, regardless of which AV provider is used.  

So in future, you may be asked to prove your age when you first buy a new kitchen knife with your online supermarket order, and you will then never be asked to do so again by any other site where age-restrictions apply to its sales or content.

Age Verification – Online Alcohol Sales

What standard of age verification for online alcohol sales is required in the UK?
“The Home Office advises that anyone selling alcohol online or by phone should already be taking all reasonable steps to verify age at the point of sale in order to avoid committing an offence of selling alcohol to a child.  PAS 1296 is a good point of reference for these steps.”

The Home Office 2020

Isn't it sufficient to enter my date of birth, or send a scan of my driving licence?
Home Office guidance is that this is not sufficient to comply with UK laws as such superficial checks do not comply with the industry standard (PAS1296) so are unlikely to be deemed reasonable steps to verify age.

Age Verification – Offensive Weapons

What is the current law on selling knives and other offensive weapons online
It’s illegal to sell a knife to anyone under 18, unless it has a folding blade 3 inches long (7.62 cm) or less.  This applies online as much as it does in a retail store, so websites offering knives must conduct rigorous age checks at the point of sale.
How and when is the law on online sales of offensive weapons changing
Regulations are currently being finalised to implement the Offensive Weapons Act 2019.  This extends the current law from requiring age checks at the point of sale to also enforcing age checks at the point of delivery.
How does this affect retail collection points, couriers and other delivery services
Staff operating collection points for deliveries in retail outlets, as well as delivery drivers (or cyclists) will need to be trained to check proof of age on delivery.  The risks involved in asking so many inexperienced staff to conduct age-checks in a hurry on a doorstep can be mitigated by rigorous age verification at the original point of the online sale, with the potential to share details used by the consumer at that stage so they are available at the delivery point too.

Coronavirus – to protect delivery personnel, it is recommended that goods are left for the customer to collect from their doorstep.  If it is not safe to check a proof of age, it will be even more important to apply rigorous online age verification at the point of sale.

 

Age Appropriate Design Code

What is the Age Appropriate Design Code
The Age Appropriate Design Code (“AADC”) was written by the UK Information Commissioner’s Office (“ICO”) as a requirement of the Data Protection Act 2018 (Section 123).  It explains how to ensure online services appropriately safeguard children’s personal data.

The Code applies if a site provides online products or services (including apps, programs, websites, games or community environments) that process personal data and are likely to be accessed by children in the UK. It is, therefore, not only for services aimed at children.

Websites should follow the code to help them process children’s data fairly. It will also enable the design of services that comply, and demonstrate compliance, with the GDPR and PECR. If websites do not follow this code, they are likely to find it more difficult to demonstrate compliance with the law, should the ICO take regulatory action against them. 

Fines for breaking the code could be up to 4% of a company’s global turnover.

Does a website need to deploy Age Verification to comply with the AADC?
In some cases, yes.

While the ICO lists a number of options to provide age-assurance, the responsibility lies with the website to adopt a suitably robust approach dependent on the level of potential harm the site may cause if children too young to use it are given access.  In fact, this is already the law in the UK, under the Data Protection Act 2018, but the AADC will bring greater focus on this aspect of that law.

 

Can age verification providers confirm the age of children so I can comply with the AADC?
At present, the first thing a website which processes the data of its users (whether or not they open an account or actively submit any personal information) and offers access to content which may be deemed harmful to children, should at least apply a check that all its users are 18 or over.

Checks at 13 are also being developed, primarily for Social Media – see FAQ’s below.

In time, more granular checks for younger children may become available, but for now, the safest policy to ensure compliance with UK law is to apply an adult age check to prevent access to any material harmful to children.

Age Verification – Social Media

Why should social media platforms verify users are over 13?
In Europe, under the GDPR data protection legislation, children are only able to give consent to their data being processed if they are at least 13 years old, otherwise they need to provide parental consent.

Also, many platforms rely on the age given when a new profile is created to filter content, and comply with age-restrictions, such as those applied to advertising for certain products, for purchases or to see adult-only content.

Are age assurance techniques sufficient?
Some major social media platforms apply weaker checks that the age supplied by a customer is accurate, using social analysis for example (how old their friends are; whether the topics they show interest in are typical for the age they enter).    On this basis, they argue that they already undertake ‘age assurance’ to prevent those too young to use their services (typically <13) or those not old enough to view certain content or advertising (typically <18).  However, these methods are an imperfect science, with studies demonstrating between a quarter and a third of 9-12 year olds have social media accounts.  And the broad age assurance approach cannot operate at the margins, distinguishing between someone who is 17½ and someone who is 18½.

However, this cannot provide accuracy to a particular age, and certainly not validate a date of birth.  Not only does this expose the platform to allowing children under 13 to sign up, but it also means they will miscalculate when those users later turn 16, 18 or 21, exposing them to restricted content at a younger age than is legal.

Can age verification providers check ages below 18?
The AV sector is developing methods to check ages below 18, including facial analysis.

It is already possible to check as each registered user turns 18, or creates an account claiming to be 18 or older, that they are being truthful.  Using an AVPA member to conduct this check would allow platforms to identify a subset of their users who are verified as over 18 to the industry standard (PAS1296)

Age Verification – Online Dating

Is online dating age-restricted?
In the UK, the Online Dating Association has adopted a voluntary minimum age of 18.

Some campaigners advocate full identity assurance for online dating, to mitigate perceived risks around fraud and sexual assault.  However, it is likely that many consumers would object to such invasive demands for ID, and this could impact demand for online dating services.

Will users of dating apps be put off by having to prove their age?
Age verification technology has been designed to protect the user’s privacy, so the dating website would never have access to any personal information supplied to prove age.  The approach was originally developed to protect the privacy of users when they visit adult websites, and has been designed to a very high standard of data security, with certification available from independent auditors covering both privacy and the efficacy of the age checks themselves.
Will age verification prevent dating fraud and other associated crime?
Lying about your age when dating – whether on or offline – is not unusual, and sites may or may not wish to prevent this.  Indeed, dating sites could still allow it, even after applying age verification for harm prevention purposes.  That would be a matter of policy, and marketing considerations.

But a further benefit of applying AV to all ages may be that fraudulent users would think twice if they knew they had to, at some stage in the profile creation process, verify their age by disclosing their identity – albeit to an independent third party who would not share personal details except an age confirmation with the dating sites.  This could therefore help tackle dating fraud, and indeed, be a further deterrent to those who seek victims for non-financial crimes.

What laws and regulations will affect online dating in future?
The Duty of Care requirements in the Online Harms Bill will mirror the ICO’s recently published Age Appropriate Design Code, and require operators to take a proportionate, risk- based approach.  The challenge for online dating sites is that the risk of children under 18 using their services, and then potentially chatting online or meeting up with adults who, knowingly or unknowingly then date a minor, is likely to be perceived as a serious harm by a society which wishes to protect children.

So it is arguable that only doing as much as the social media platforms do at present will not be sufficient.  A more reliable form of age verification, albeit with a relatively low level of proof required (as compared to say, that which is required to buy a hunting knife online), is likely to be required were a regulator to become involved.  BSI’s PAS 1296 standard allows for lower levels of proof but still to a recognised and effective standard.

Age Verification – Online Pornography

(under the UKDigital Economy Act 2017)

Why do we need age verification for online pornography
  • Children and teens are stumbling across pornography from an early age, as young as seven.
  • Majority of young people’s first time watching pornography was accidental, with over 60% of children 11-13 who had seen pornography saying their viewing of pornography is unintentional 
  • 83% of parents agreed that age-verification controls should be in place for online pornography
  • Only 60% of households with children employ any form of parental controls, leaving 40% of children at risk of exposure to porn when at home, and even more through access to the internet from outside their home including over mobile phones.
  • With 94% of 8-11 year olds regularly going online (OfCom), this is leaving a generation of children at high risk of mental harm from exposure to hardcore pornography.
Doesn’t this create a “hackers’ charter” by creating lists of an individual’s browsing history?
No – age verification would be carried out by independent providers who would not need to retain any personal data including any identification once they’d issued an age check
Can’t you use a Virtual Private Network to get around the law?
No – the law would be broken however a UK resident accessed an adult site, so those sites would need to detect and block VPNs (as Netflix, BBC iPlayer etc. already do), or implement age-gates globally.
Won’t technology such as DNS over HTTPS make enforcement impossible?
No – technically DNS over HTTPS doesn’t prevent ISPs blocking access to an IP address; and even if it did, there were other enforcement mechanisms within the DEA such as blocking payments from users and advertisers through action taken by “ancillary suppliers” such as Mastercard and Visa, who’d committed to taking action if required by a regulator.
Wasn’t there very low public awareness of the new rules?
YouGov poll from March 2019 showed that 76% of the British public were unaware of that age verification is being introduced.  The regulator, as well as all the main adult sites, had plans to educate users in the run-up to the new law coming into force.  Meanwhile consumers are increasingly being age-checked for other online activity and will become more used to it over time.
Would there not be thousands of sites that did not comply?
The regulator would need to take rapid action to deter non-compliance.  As with gambling, where licensed sites quickly report unlicensed competitors to the Gambling Commission, there would be a large degree of peer-policing.

There was a credibility issue after so many delays – so this would need to be addressed ahead of a new enforcement date.  But all the major porn sites were gearing up to implement age verification, contracting with AV providers and developing new login mechanisms to ensure they complied.

Were privacy, security and accuracy concerns addressed comprehensively?
The approach of age verification (“AV”) was designed to ensure that the companies which check age did not share identity with the websites visited: 

  • There was also a new Certification Scheme run by the appointed regulator, the BBFC, to give added assurance about data security and privacy.
  • AVPA members subscribe to the trade association’s code of conduct which offers further reassurance, and reduces the risk of fake AV services
  • A new standard was developed by the BSI and Digital Policy Alliance to certify that suppliers are conducting effective age verification (PAS 1296)

What does being a Member of the AVPA offer?

Why should I check age verification is being provided by an AVPA member
Members of the AVPA sign up to our demanding Code of Conduct, providing additional assurance about data security, privacy and rigorous age checking standards.
What standards do AVPA members apply
AVPA Members must comply with applicable published international or local age verification standards (where these have been endorsed by the AVPA).

In the UK, PAS 1296:2018 is the BSI standard already recommended by the Home Office to online suppliers of age restricted products, and all AVPA members apply this standard to their age checks.

In addition, AVPA Members must enforce the highest levels of data security to protect your privacy, applying rigorous, best practice standards such as BSI 27001 to their age verification systems.

What does the AVPA Code of Conduct Cover
AVPA Members sign up to a Code of Conduct which addresses key requirements trading standards officers would wish to see from suppliers of online age verification services:
– Fairness and Transparency

– Use of appropriate verification methods

– Security and Privacy

– Accuracy

– Independence

Read the full Code of Conduct here.

CONTACT

Membership enquiries: please use the form above.

Press enquiries: avpa@avpassociation.com 07811 409769

Technical enquiries: technical@avpassociation.com