The Age-verification Regulator under the UK's Digital Economy Act, the British Board of Film Classification (BBFC), has advised age-verification providers that they will not be certified under the Age-verification Certificate (AVC) if they use a digital wallet in their solution.
The AVC is a voluntary, non-statutory scheme that has been designed specifically to ensure age-verification providers maintain high standards of privacy and data security. The AVC will ensure data minimisation, and that there is no handover of personal information used to verify an individual is over 18 between certified age-verification providers and commercial pornography services. The only data that should be shared between a certified AV provider and an adult website is a token or flag indicating that the consumer has either passed or failed age-verification.
Murray Perkins, Policy Director for the BBFC, said: “A consumer should be able to consider that their engagement with an age-verification provider is something temporary.
In order to preserve consumer confidence in age-verification and the AVC, it was not considered appropriate to allow certified AV providers to offer other services to consumers, for example by way of marketing or by the creation of a digital wallet. The AVC is necessarily robust in order to allow consumers a high level of confidence in the age-verification solutions they choose to use."
Accredited providers will be indicated by the BBFC’s green ‘AV’ symbol, which is what consumers should look out for. Details of the independent assessment will also be published on the BBFC’s age-verification website, ageverificationregulator.com, so consumers can make an informed choice between age-verification providers.
The Standard for the AVC imposes limits on the use of data collected for the purpose of age-verification, and sets out requirements for data minimisation.
The AVC Standard has been developed by the BBFC and NCC Group - who are experts in cyber security and data protection - in cooperation with industry, with the support of government, including the National Cyber Security Centre and Chief Scientific Advisors, and in consultation with the Information Commissioner’s Office. In order to be certified, AV Providers will undergo an on-site audit as well as a penetration test.
Please see link to UK Government announcement on start date for new age-verification regime and the robust data protection conditions provided by the AVC: https://www.gov.uk/government/news/age-verification-for-online-pornography-to-begin-in-july
Further announcements will be made on AV Providers' certification under the scheme ahead of entry into force on July 15.
- 8.5.12 of the AVC Standard says "Personal data used for fraud prevention and detection and to verify a user’s age for access to commercial online pornographic material shall not be used for any other purposes, such as marketing or the creation of digital wallets. Age-verification providers shall not market other services to these users during or after the age-verification process. If a user has already created an account with an age-verification provider for the provision of a different service, such as age-verification for websites related to gambling, age-verification providers are able to continue processing that user’s personal data for those purposes."
- 8.5.13 of the AVC Standard says that "A user shall be given the option to verify their age without being required to set up an account with the age-verification provider."