Current Region:
Global

Adult websites

Adult websites are fast becoming more regulated under European Union and domestic member state law.  So, it would be wise to begin to age verify your user-base sooner rather than later,  so if and when a legal requirement is enforced upon you, you do not face a cliff-edge fall in traffic overnight.

EU Wide: Audio Visual Media Services Directive

Adult websites are required to have in place measures that are appropriate to protect minors from content which may impair their physical, mental or moral development.  It is prudent to assume, on the basis that it is highly likely that regulators and courts will, that pornography may impair the mental  and moral development of children under 18.

Adult websites must establish and operate systems for obtaining assurance as to the age of potential viewers. Adult content providers must ensure that restricted material that has the most potential to harm the physical, mental or moral development of children must be subject to the strictest access control measures  – so there may some scope for homepages to be accessible without the most rigorous age verification – perhaps using some of the method which offer lower levels of assurance – provided they do not include explicit content on the landing pages for the site itself.  Equally, if the content is more extreme,  then even medium levels of assurance may be insufficient; so a check which is easily circumvented with, say, a credit card borrowed from a parent where no charge is made and no record appears on the parents’ statement to alert them to this usage, may not be good enough for more hardcore material.

If interpreted strictly by regulators, this  may also means that if your site includes any content that would be classified as only suitable for 18+ in a cinema, R18,  or would not be permitted at all,  then you need to have implemented rigorous age verification mechanisms to ensure than no child under the age of 18 can access this content.  Regulators may regard this as a hard and fast rule applied up to the 18th birthday, so estimation techniques will not work for users just over 18, but still within the margin for error of any given estimation technique e.g.where artificial intelligence algorithms estimate them to be 19 or 20 but the margin for error for the machine learning technique in question is known to be +/-  2 years.

The level of assurance required will be determined by the detailed regulations and guidance of the regulator responsible for your site, so the one in the country where you are ‘established’.

This directive came into force in September 2020, but is only effective in  any given Member State when it has been transposed into domestic law.   Services fall under the jurisdiction of the country in which they are ‘established’ – which usually means the country of their headquarters within the EU.

Already in force

Austria, Belgium, Bulgaria, Germany,  Denmark, Finland, France, UK, Hungary, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Portugal,  Sweden

Scheduled to come into force

Cyprus – 30 June 2021 (with effect from  30 June 2022)

In progress

Czech Republic, Estonia, Spain, Croatia, Ireland,  Poland, Romania, SLovakia, Slovenia,

(Data correct May 2021 – check source for updates.)

Enforcement and penalties

The regulator, Ofcom, will enforce AVMSD by:

  • Issuing legally binding decisions if a VSP is in breach of its obligations for not taking appropriate measures to protect users;
  • Setting out the steps required to remedy the breach and ensure compliance;
  • Imposing financial penalties of up to 5% of ‘applicable qualifying revenue’ to ensure deterrence; and
  • Issuing a direction to suspend or restrict the entitlement to provide a VSP.

EU Wide: GDPR (in force today)

You should be sure that your users are at least old enough to give consent for their personal data to be processed, if you rely on consent under Article 8 of GDPR, as a basis for processing some or all personal data you obtain from your users.  (Remember, personal data  even includes just an IP address.)  In the UK, this “age of  digital consent” is 13 but it varies between EU member states so if you have users in the EU, you will need to also determine their location and apply the relevant age as part of this check. Click here to see a map of the digital age of consent provided by our member PRIVO.

So, if you offer users the ability to open accounts on your site, and create usernames, passwords, preferences etc., you will need to check they are over the age of digital consent in the country where they are located before it is possible to rely on their consent.  If they are below that age, they need their parents’ permission to share data, but given the rules under AVMSD essential prohibit children from viewing adult website, securing parental consent is pointless – it does not override the AVMSD requirement (or some member state laws below).

Enforcement and penalties

Tools at the disposal of the regulator, the Information Commissioner, include assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). For serious breaches of the data protection principles, there is the power to issue fines of up to £17.5 million or 4% of your annual worldwide turnover, whichever is higher.

UK Only: Age Appropriate Design Code

This is in force today, but a grace period is in operation until 2 September 2021.

This statutory guidance,  also known as “The Children’s Code” requires online services which process  personal data (whether or not this is on the basis of consent or any other reason permitted under GDPR) to consider if they could risk the moral, physical or mental well-being of children under 18.  And if so, to put in proportional measures to safeguard children and young people.

You need to consider the content of your site, and ask yourself how any current or future content might be harmful to children – so for example:

  • Where adults can interact with minors, there is a risk of grooming, the inappropriate exchange of photographs and conversations etc.  Indeed, research shows that this is increasingly a problem between minors as well.
  • If adult sites facilitate could physical encounters by allowing users to communicate with one another, there may also be a physical risk if children agree to meet other people through the service.

Our opinion is that all adult sites established in the UK clearly require age verification to be in place to identify children using the site so they can be protected from harmful content.

The level of rigor required is a matter for the judgement of the sites concerned – giving consideration to the nature of the content on the site, the number of users under 18 found to be using it, etc.  But given the reputational risk if a child is harmed by your service, we recommend, under this legislation, at least a standard level of assurance.  See our page on levels of assurance for an explanation of the methods of age verification that  achieve this degree of confidence in an age check.

Enforcement and penalties

As for GDPR above.

UK but with global effect: Online Safety Bill

This Bill, currently only a draft, will replace the AVMSD in the UK.  It expands the jurisdiction from sites established in the UK to sites globally which are visited by users in the UK.

The Bill was published in May 2021 and Ministers intend for it to become law in 2022. It imposes a range of legal duties on “user-to-user services” which are defined broadly to include any functionality allowing one users to ‘encounter’ content from another user.  Predominantly, this affects social media platforms, although public search engines are also in scope.

As drafted, this will only apply if an adult site offers “user-to-user” services.  This is defined as an internet service by means of which content that is generated by a user of the service, or uploaded to or shared on the service by a user of the service (including written material or messages, oral communications, photographs, videos, visual images, music and data of any description) may be read, viewed, heard or otherwise experienced (‘encountered’) by another user, or other users, of the service.

This new law  extends its scope globally to any service which has links with the United Kingdom i.e.

  • the service has a significant number of United Kingdom users, or
  • United Kingdom users form one of the target markets for the service (or the only target market) or
  • the service is capable of being used in the United Kingdom by individuals, and
  • there are reasonable grounds to believe that there is a material risk of significant harm to individuals in the United Kingdom arising from:
    • in the case of a user-to-user service, content present on the service;
    • in the case of a search service, content that may be encountered in or via search results.

As many adult sites are well-known to children they are also “likely to be used by Children” , so they must comply with the further duties applicable in the Bill relating to minors. (Remember, children are defined as under 18-years-old.)

The largest Adult websites may be considered Category 1 sites, with additional duties placed on them to protect adults as well.

Please read our briefing on the Online Safety Bill for further explanation of these new duties.

Enforcement and penalties

The regulator, Ofcom, can issue access restriction orders, service restriction orders, or impose an appropriate and proportionate penalty of whichever is the greater of—

  • £18 million, and
  • 10% of the person’s qualifying worldwide revenue.

France – Domestic Abuse Bill

The CSA is currently developing  its approach to enforcement of this new legislation but there is already legal action underway to seek court approval for enforcement measures against a small number of high profile adult sites,  not all based in France.

Germany –  JMStV

This treaty  between German states requires that adult content is only allowed  in a closed user-group which requires rigorous age-verification,  although this can be done on an anonymised basis.

The KJM regulator has historically focused on websites established in Germany, but has recently begun action against a major site located elsewhere in the EU which is accessed widely by Germans and does not adopt the required rigorous age verification established for home-grown adult sites.

PLEASE NOTE THIS WEBSITE DOES NOT CONSTITUTE LEGAL ADVICE – YOU SHOULD ALWAYS SEEK INDEPENDENT LEGAL ADVICE ON COMPLIANCE MATTERS
Skills

Posted on

May 17, 2021

Submit a Comment

Your email address will not be published. Required fields are marked *