We are increasingly asked how the myriad EU and UK legislation requiring age restrictions online all fit together. This article seeks to explain this. We do so by primarily considering the UK which is leading the way in the SafetyTech sector and its associated legislation and regulation, but it is already apparent that the EU is mirroring many, if not all, of these measures to some degree.
So, first of all, which are the applicable laws when considering online age restrictions?
Contract Law
Various legacy legislation on the sale of age-restricted goods applying online
Various legacy legislation on access to age-restricted online services.
Advertising restrictions
General Data Protection Regulations
There is also a very specific requirement for parental consent before younger children can give permission (under Article 8) for the processing of their data. This ‘digital age of consent’ varies between Member States of the EU. In the UK it is 13, for example. (Note that consent is only one of a number of legal bases to process personal data, so it is not a general prohibition on processing the data of younger children with their parents’ approval – organisations can also rely on performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest.)

The Audio-Visual Media Services Directive
VSPs must establish and operate systems for obtaining assurance as to the age of potential viewers. VSP providers must ensure that restricted material that has the most potential to harm the physical, mental or moral development of children must be subject to the strictest access control measures.
This began life in 1989 as the “Television without Frontiers” directive, and was renamed in 2008, applying a requirement for age verification to linear television channels with adult content. In 2018 it was extended to cover online VSPs such as Youtube. EU laws have to be transposed into the domestic law of Member states before they are effective; only 4 states did so by the deadline of 19 Sept 2020, but others are progressively catching up under pressure from the European Commission. The UK has put the directive into law, but its regulator, Ofcom, is still consulting on how it will enforce it.

Age-Appropriate Design Code (also known as the Children’s Code)
Online Safety Bill (UK, not yet law)

When do these laws apply
There are few clear dates in the timetable for the introduction of the new laws described above. Once passed, regulators will often take a year or more to draft and consult on guidance before progressively enforcing, perhaps offering a grace period to give services time to make the changes required for compliance.
Our best estimates for forthcoming legislation are set out below.

Some jurisdictions are more important than others. We’ve mentioned Ireland, but Cyprus is also critical for the AVMSD given the number of the largest adult websites based there.
The big picture
The illustration below sums up the combined picture of emerging of the future regulatory eco-system once these measures are all in force.

On this basis, we confidently predict that by 2023, new legislation in the UK and across the EU will make independent, standards-based age checks a foundation of internet safety. Age checks will need to be applied to any digital service which has the potential to cause harm to children.
The AVPA is leading the design of a pan-European infrastructure for parental consent and age verification, as a pilot project funded by the European Commission at the request of the European Parliament. This interoperable network of providers, www.euCONSENT.eu, will allow such checks to be made with little or no impact on the user experience.