Insights UK Online Safety Act: Ofcom publishes consultation on age assurance for providers of pornographic content

Ofcom, the designated regulator under the Online Safety Act, which received Royal Assent in October 2023, is currently working through a programme to produce and consult on various Codes of Practice and Guidance as required by the Act (previously reported by Wiggin here and here). On 5 December, Ofcom published a consultation on its proposed Guidance for service providers publishing pornographic content. Under Part 5 of the Act, providers of pornographic content online have a duty to ensure, by the use of age verification or age estimation (or both), that children are not normally able to encounter that content. The age verification or age estimation must be of such a kind, and used in such a way, that it is “highly effective at correctly determining whether or not a particular user is a child.” The Act also requires service providers to keep a written record of the age verification or age estimation used and the way in which the service, when deciding on the kind of age assurance or age estimation used, had regard to protecting UK users from a breach of relevant legal requirements on privacy, and a duty to publish written details of the age verification or age estimation it is using.

The proposal sets out guidance on which service providers fall within the scope of Part 5 and, as required under the Act, provides examples of age verification and age estimation (“age assurance”) that are, or are not, “highly effective,” examples of the way in which a provider can comply with the duty to protect users from breaches of privacy, principles to be applied to determine compliance with each of the Part 5 duties, and examples of circumstances that are not likely to comply with such duties.

For example, regarding the specific age assurance duty, the proposal includes a non-exhaustive list of age assurance methods that could be highly effective. These include open banking, photo-ID matching, facial age estimation, mobile-network operator age checks, credit card checks and digital identity wallets. However, an age assurance method (whether on that list or yet to be developed) can only be highly effective if it meets four specified criteria, and the proposed guidance examines each in turn. The criteria are that the age assurance method is technically accurate, robust (e.g. can operate in low light conditions or is not easily circumvented), reliable (e.g. data checked by the system is from a trustworthy source) and fair (e.g. does not have a lower degree of accuracy for certain ethnicities or does not prevent adults from accessing the service).

Ofcom states that it includes only one type of age estimation (facial) as it does not have evidence to suggest that other methods are capable of being highly effective, are sufficiently mature technologies, or are being deployed at scale. Ofcom also recognises that it is unlikely there will be any kind of age assurance method that will be impossible to circumvent.

The proposal also lists of examples of methods that are not capable of being highly effective, including self-declaration of age, payment methods which do not require the user to be over 18 and general contractual restrictions on the use of the service by children. The Act itself confirms that self-declaration of age is not to be regarded as compliant. Accordingly, Ofcom explains that the list it has provided identifies measures that, in its view, fall short of self-declaration of age.

Ofcom expects to publish the final guidance in 2025 after which the Part 5 duties will come into force.

For more information, click here, and to respond to the Consultation, which closes on 5 March 2024, click here.