Adult websites are fast becoming more regulated under European Union and domestic member state law. So, it would be wise to begin to age verify your user-base sooner rather than later, so if and when a legal requirement is enforced upon you, you do not face a cliff-edge fall in traffic overnight.
EU Wide: Audio Visual Media Services Directive
Adult websites are required to have in place measures that are appropriate to protect minors from content which may impair their physical, mental or moral development. It is prudent to assume, on the basis that it is highly likely that regulators and courts will, that pornography may impair the mental and moral development of children under 18.
Adult websites must establish and operate systems for obtaining assurance as to the age of potential viewers. Adult content providers must ensure that restricted material that has the most potential to harm the physical, mental or moral development of children must be subject to the strictest access control measures – so there may some scope for homepages to be accessible without the most rigorous age verification – perhaps using some of the method which offer lower levels of assurance – provided they do not include explicit content on the landing pages for the site itself. Equally, if the content is more extreme, then even medium levels of assurance may be insufficient; so a check which is easily circumvented with, say, a credit card borrowed from a parent where no charge is made and no record appears on the parents’ statement to alert them to this usage, may not be good enough for more hardcore material.
If interpreted strictly by regulators, this may also means that if your site includes any content that would be classified as only suitable for 18+ in a cinema, R18, or would not be permitted at all, then you need to have implemented rigorous age verification mechanisms to ensure than no child under the age of 18 can access this content. Regulators may regard this as a hard and fast rule applied up to the 18th birthday, so estimation techniques will not work for users just over 18, but still within the margin for error of any given estimation technique e.g.where artificial intelligence algorithms estimate them to be 19 or 20 but the margin for error for the machine learning technique in question is known to be +/- 2 years.
The level of assurance required will be determined by the detailed regulations and guidance of the regulator responsible for your site, so the one in the country where you are ‘established’.
This directive came into force in September 2020, but is only effective in any given Member State when it has been transposed into domestic law. Services fall under the jurisdiction of the country in which they are ‘established’ – which usually means the country of their headquarters within the EU.
Already in force
Austria, Belgium, Bulgaria, Germany, Denmark, Finland, France, UK, Hungary, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Portugal, Sweden
Scheduled to come into force
Cyprus – 30 June 2021 (with effect from 30 June 2022)
In progress
Czech Republic, Estonia, Spain, Croatia, Ireland, Poland, Romania, SLovakia, Slovenia,
(Data correct May 2021 – check source for updates.)
Enforcement and penalties
The regulator, Ofcom, will enforce AVMSD by:
- Issuing legally binding decisions if a VSP is in breach of its obligations for not taking appropriate measures to protect users;
- Setting out the steps required to remedy the breach and ensure compliance;
- Imposing financial penalties of up to 5% of ‘applicable qualifying revenue’ to ensure deterrence; and
- Issuing a direction to suspend or restrict the entitlement to provide a VSP.
EU Wide: GDPR (in force today)
You should be sure that your users are at least old enough to give consent for their personal data to be processed, if you rely on consent under Article 8 of GDPR, as a basis for processing some or all personal data you obtain from your users. (Remember, personal data even includes just an IP address.) In the UK, this “age of digital consent” is 13 but it varies between EU member states so if you have users in the EU, you will need to also determine their location and apply the relevant age as part of this check. Click here to see a map of the digital age of consent provided by our member PRIVO.
So, if you offer users the ability to open accounts on your site, and create usernames, passwords, preferences etc., you will need to check they are over the age of digital consent in the country where they are located before it is possible to rely on their consent. If they are below that age, they need their parents’ permission to share data, but given the rules under AVMSD essential prohibit children from viewing adult website, securing parental consent is pointless – it does not override the AVMSD requirement (or some member state laws below).
Enforcement and penalties
Tools at the disposal of the regulator, the Information Commissioner, include assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). For serious breaches of the data protection principles, there is the power to issue fines of up to £17.5 million or 4% of your annual worldwide turnover, whichever is higher.
UK Only: Age Appropriate Design Code
This is in force today, but a grace period is in operation until 2 September 2021.
This statutory guidance, also known as “The Children’s Code” requires online services which process personal data (whether or not this is on the basis of consent or any other reason permitted under GDPR) to consider if they could risk the moral, physical or mental well-being of children under 18. And if so, to put in proportional measures to safeguard children and young people.
You need to consider the content of your site, and ask yourself how any current or future content might be harmful to children – so for example:
- Where adults can interact with minors, there is a risk of grooming, the inappropriate exchange of photographs and conversations etc. Indeed, research shows that this is increasingly a problem between minors as well.
- If adult sites facilitate could physical encounters by allowing users to communicate with one another, there may also be a physical risk if children agree to meet other people through the service.
Our opinion is that all adult sites established in the UK clearly require age verification to be in place to identify children using the site so they can be protected from harmful content.
The level of rigor required is a matter for the judgement of the sites concerned – giving consideration to the nature of the content on the site, the number of users under 18 found to be using it, etc. But given the reputational risk if a child is harmed by your service, we recommend, under this legislation, at least a standard level of assurance. See our page on levels of assurance for an explanation of the methods of age verification that achieve this degree of confidence in an age check.
Enforcement and penalties
As for GDPR above.
UK but with global effect: Online Safety Bill
This Bill, expect to become law in the Autumn of 2023, imposes a range of legal duties on “user-to-user services” which are defined broadly to include any functionality allowing one users to ‘encounter’ content from another user. Predominantly, this affects social media platforms, although public search engines are also in scope. Part 5 of the Bill extends its scope to all adult websites.
Where these services are likely to be accessed by UK children under 18, there is a specific duty to protect them from mental or physical harm. As gaming sites often allow users to interact and share content such as game play or comments, they are in scope for this new Online Safety legislation.
As many adult sites are also “likely to be used by Children” they must comply with the further duties applicable. (Remember, children are defined as under 18-years-old.)
The largest adult sites may be considered Category 1 sites, with additional duties placed on them to offer adults the choice of additional protection from online harms as well
(This will replace the Audio Visual Media Services Directive in the UK. It expands the jurisdiction from video sharing platforms established in the UK to sites globally which are visited by users in the UK.)
Please read our briefing on the Online Safety Bill for further explanation of these new duties (which will be updated when the Bill is enacted as it has been considerably amended by Parliament and is not finalised).
This new law extends its scope globally to any service which has links with the United Kingdom i.e.
- the service has a significant number of United Kingdom users, or
- United Kingdom users form one of the target markets for the service (or the only target market) or
- the service is capable of being used in the United Kingdom by individuals, and
- there are reasonable grounds to believe that there is a material risk of significant harm to individuals in the United Kingdom arising from:
- in the case of a user-to-user service, content present on the service;
- in the case of a search service, content that may be encountered in or via search results.
Enforcement and penalties
The regulator, Ofcom, can issue access restriction orders, service restriction orders, or impose an appropriate and proportionate penalty of whichever is the greater of—
- £18 million, and
- 10% of the person’s qualifying worldwide revenue.
France – Domestic Abuse Bill
The CSA is currently developing its approach to enforcement of this new legislation but there is already legal action underway to seek court approval for enforcement measures against a small number of high profile adult sites, not all based in France.
Germany – JMStV
This treaty between German states requires that adult content is only allowed in a closed user-group which requires rigorous age-verification, although this can be done on an anonymised basis.
The KJM regulator has historically focused on websites established in Germany, but has recently begun action against a major site located elsewhere in the EU which is accessed widely by Germans and does not adopt the required rigorous age verification established for home-grown adult sites.