Ofcom’s Latest Guidance on Age Assurance Under the Online Safety Act

On December 5, 2023, the United Kingdom Office of Communications (Ofcom) published for consultation its draft guidance on age assurance (and other Part 5 obligations) for service providers who publish pornographic content on online services, together with an accompanying consultation document. This is the second draft guidance document published by Ofcom since the Online Safety Act came into force.

This guidance is of greatest relevance to certain U2U (user-to-user) service providers (see our November 2023 blog post for definitions and further information), because Ofcom is likely to propose similar and possibly identical age assurance measures for these service providers in spring 2024.

What duties under the Online Safety Act does the guidance apply to?

Services that host pornographic content

If you provide services that host pornographic content, you must:

  • Implement age verification or age estimation (or both) to ensure that children (users under 18 years of age) typically cannot encounter regulated pornographic content.
  • Make sure age verification and/or age estimation are highly effective at correctly determining whether a particular user is a child or not.

Under the Online Safety Act, "age verification" means any measure designed to verify the exact age of users of a regulated service, while "age estimation" means any measure designed to estimate the age or age range of users of a regulated service. "Age assurance" refers to the verification or estimation of age.

U2U service providers

All U2U service providers that are likely to be accessed by children must implement age verification or age estimation (or both) to prevent children of any age from encountering "top priority content that is harmful to children." This includes, for example, content that promotes suicide or eating disorders.

Interestingly, the Online Safety Act specifically requires Ofcom to consider the final version of the guidance when deciding what age verification and/or age estimation to recommend for U2U services in order to comply with this duty. The guidance is therefore a good indication (and gives a good idea) of what U2U service providers can expect from Ofcom's draft guidance and codes for safeguarding children, due to be published in spring 2024.

What does the guidance say?

As can be seen from industry practice, Ofcom recognizes that the technology related to age monitoring is still developing and therefore does not recommend any specific tools or technologies in the guidance.

The guidance covers age assurance:

  • Methods – The particular system that supports an age assurance process.
  • Processes – The general way in which one or a combination of methods is implemented.

Ofcom has taken a principles-based approach and proposes four criteria that a service provider should use when considering age assurance methods and processes:

  • Accuracy – The age assurance method must be precise when identifying the age of a user under laboratory testing conditions. Ofcom recommends taking a “challenge age” approach. This means that, for example, when the age assurance method is only accurate within a range of seven years, the challenge age should be set to 25 years, so that any user estimated to be less than this age will be subject to further controls.
  • Robustness – Ofcom anticipates common threats to the robustness of age assurance methods, such as children using various techniques to circumvent the methods and access certain services. Ofcom therefore recommends that service providers test their age assurance processes in multiple unexpected, real-world environments, and plan countermeasures against such threats.
  • Reliability – An age assurance method must work consistently, so that it produces the same (or similar) results when the same (or similar) inputs are used in different circumstances. Ofcom states that service providers must implement robust monitoring and testing programs to achieve this goal and ensure that any evidence used to identify a user's age comes from a trusted source.
  • Fairness – Finally, Ofcom states that the method should, as far as possible, avoid or minimize unwanted bias or discrimination. Therefore, service providers should include diverse data sets when training and testing their age assurance process.

After selecting an age assurance process that meets these four criteria, Ofcom notes that service providers should also consider:

  • Whether the age assurance process is easy to use, works for all users and does not unduly exclude adult users from accessing legal content ("accessibility").
  • The extent to which the process is capable of communicating with other systems ("interoperability").

Examples of good practices

Ofcom has also helpfully published a list of age assurance methods in the guidance which it considers "could be very effective" and which "may not be very effective". Examples include:

Data protection and record keeping requirements

Finally, the guidance provides further information on a service provider's duty to maintain a written record of:

  • The type of age assurance methods and processes you use.
  • How you have considered privacy and data protection laws when deciding how to use age assurance.
  • How you carry out your Part 5 duties and your record-keeping duties.

The guidance emphasizes that service providers must comply with the UK data protection regime when processing personal data as part of their age assurance and refers service providers directly to the Information Commissioner's Office guidance on data protection and age assurance.

Comment

In summary, Ofcom states that service providers are free to decide which age assurance methods and processes best suit their service, as long as they are effective.

Service providers should carefully consider:

  • The appropriateness and proportionality of the proposed methods in light of the services offered and the likelihood that children will be able to access these services.
  • Compliance with additional regulatory obligations, such as data protection and privacy.
  • Factors that may lead Ofcom to determine that methods and processes are not “highly effective” – in particular, the risk that the methods chosen may be circumvented.
  • Whether the evidence provided by users is consistent in terms of its quality and reliability.

The consultation on the guidance closes on March 5, 2024. For more information or to assess how the Online Safety Act and/or the guidance will impact your business, please contact Cooley attorneys James Thug, Lupe Sampedro, Joanne Elieli, Edward Turtle, Carol Holly, Morgan McCormack or Carolina Ljungwaldh.

