Ofcom consults on new guidance about age assurance under the Online Safety Act

Many of us would love to turn back the clock and be challenged to prove we’re over 18 again. I once almost jumped over the counter and hugged the cashier when, aged 35, I was asked for ID. However, for responsible platforms, age verification in the digital world, is a serious challenge. There has been uncertainty about what the regulators require to ensure those who are underage are blocked from seeing inappropriate content. Now, draft guidance, recently released by Ofcom, helps resolve this. While the guidance is focused on restricting access to pornographic content, it is relevant to any business wanting to implement online age-gating effectively.

Part 5 of the Online Safety Act imposes specific duties on service providers that display or publish pornographic content on their online services. These include the duty to implement age assurance to ensure that children are not normally able to encounter such content. The age assurance must be implemented and used in a way that is highly effective at correctly determining if a user is a child. There are also record-keeping duties.

Ofcom says that, at the moment, services publishing pornographic content online do not have sufficient measures in place to prevent children from accessing this content. Many grant children access to pornographic content without age checks, or by relying on checks that only require the user to confirm that they are over the age of 18.

Ofcom has now published its draft guidance and consultation regarding age assurance under the Online Safety Act 2023. The guidance is intended to assist providers of online services that publish or display regulated provider pornographic content in complying with their age assurance and record-keeping duties under the Act, and Ofcom is seeking feedback on its approach before finalising the guidance.

Proposed guidance on ensuring that children are not normally able to encounter regulated provider pornographic content

Ofcom’s draft guidance helpfully sets out a non-exhaustive list of the types of age assurance measures that it believes can be highly effective at correctly determining whether a user is a child. It also identifies types of age assurance that would not be suitable to meet the duties in Part 5 of the Act. 

It lists the following as being acceptable (subject to effective implementation): open banking, photo ID matching, facial age estimation, mobile network operator age checks, credit cards and digital identity wallets

Ofcom’s press release about the consultation provides a useful summary of these ‘highly effective’ methods of verification. The speed with which some of the technological solutions have been developed by the private sector, particularly facial age estimation, means that these ‘new’ options are now accepted as viable alternatives to more cumbersome options such as ID matching. Ofcom’s list is not exhaustive, so there may well also be tech developed in the future which will also fulfil Ofcom’s criteria.

Ofcom is less keen on the following which it deems inadequate: self-declaration, use of debit cards, other payment methods which do not require the user to be over 18 and general contractual restrictions.

The draft guidance also states that service providers should:

  • implement an age assurance process effectively so that it fulfils each of the criteria of technical accuracy, robustness, reliability, and fairness in determining whether a particular user is a child;
  • consider the principles of accessibility and interoperability to ensure that the age assurance process is easy to use and does not unduly prevent adults from accessing legal content; 
  • ensure access controls are in place to prevent users who have been identified as children through the age assurance process from encountering pornographic content on the service. Service providers also should not host or permit content on their service that directs or encourages child users to circumvent the age assurance process or access controls; 
  • familiarise themselves with the data protection legislation, and how to apply it to their age assurance method(s), by consulting the “Childrens’ Code” guidance from the Information Commissioners Office (ICO).  This ICO guidance presents the age verification options available but leaves those seeking to be compliant to take a risk based approach to determine the type of measures which should be deployed in order to ensure “age appropriate design”. The new draft guidance from Ofcom appears to be the first age assurance guidance which is prescriptive about what methods are and are not compliant, for high risk, potentially harmful content for children.  It must be assumed that if providers use Ofcom’s ‘acceptable’ methods and processes to ensure that children are not normally able to access pornographic material, they will also be complying with the Children's Code.

Ofcom’s draft guidance also covers how to fulfil the Online Safety Act’s record-keeping duty:

  • Service providers should keep a durable written record of the age assurance process in use. The record must be up-to-date and easy to understand. 
  • Written records must explain how the service provider has considered the importance of protecting users from a breach of any statutory provision or rule of law concerning privacy. The draft guidance sets out examples of how providers can demonstrate this, such as carrying out a data protection impact assessment or keeping records of staff training carried out on privacy.
  • Service providers must publish a summary of the written record of their age assurance process which should be easy to understand and available in an easy-to-find area of the regulated service’s website. 

Finally, the guidance addresses Ofcom’s approach to assessing compliance: 

  • When determining if a service provider has complied with its duties, Ofcom will have regard to its regulatory principles of transparency, accountability, proportionality, consistency, and ensuring that regulatory action is targeted only at cases where it is needed. 
  • It has set out a non-exhaustive list of examples where it is likely to consider that a service provider has not complied with its duties, such as the age assurance process routinely failing to correctly determine if a particular user is a child.
  • It will follow the procedures set out in its Online Safety Enforcement Guidance (which it is also currently consulting on) where it suspects non-compliance with the obligations that apply to service providers under the Act.

Next steps

The consultation ends on 5 March 2024. Once Ofcom has considered all responses, it will publish the final guidance. It expects this to be in 2025, after which the UK government will bring these duties into force. In the meantime, the draft guidance is a great reference point for businesses wanting to get robust measures in place.