Guidance on Age-verification Arrangements

Submitted to the Secretary of State pursuant to section 25 of the Digital Economy Act 2017

October 2018

Contents

1. Introduction
2. The BBFC's Approach and Powers under Part 3 of the DEA
3. Age-verification Standards
4. Data Protection and the Information Commissioner's Office

Annex 1 Definition of “Pornographic material”
Annex 2 The Draft Online Pornography (Commercial Basis) Regulations 2018
Annex 3 Definition of "Extreme pornographic material"
Annex 4 Definitions
Annex 5 Voluntary, Non-statutory Certification of Age-verification Solutions

1. Introduction

1. Part 3 of the Digital Economy Act 2017 (the Act) provides for the regulation, through age-verification, of online pornography. The primary purpose of this Part is the protection of children from pornographic content online.

2. Section 14(1) of the Act provides that:

A person contravenes this subsection if the person makes pornographic material available on the internet to persons in the United Kingdom on a commercial basis other than in a way that secures that, at any given time, the material is not normally accessible by persons under the age of 18.

“Pornographic material” is defined in section 15 of the Act (Annex 1)

The Online Pornography (Commercial Basis) Regulations 2018 (Annex 2) determine whether a person is making pornographic material available on a commercial basis.

3. On 21 February 2018 the British Board of Film Classification was designated by the Secretary of State to be the Age-verification Regulator responsible for:

• identifying and notifying non-compliant providers of online commercial pornography (section 19)
• notifying ancillary service providers and payment-services providers (section 21) and directing internet service providers to block access to non-compliant pornography services (section 23)

4.
Under the terms of the Act, a provider of online commercial pornography will be deemed non-compliant if they fail the requirements of section 14(1) of the Act to secure that pornographic material is not normally accessible by those under 18, and/or provide content which is deemed to be extreme pornographic material as defined in section 22 of the Act (Annex 3).

5. The BBFC is responsible for assessing and determining whether the arrangements for making pornographic material available online comply with the requirements of section 14(1) of the Act. Section 25(1) requires the BBFC to publish guidance about the types of arrangements that it will treat as complying with the provisions of the Act. Prior to publication, this guidance must be submitted to the Secretary of State and be laid before both Houses of Parliament in accordance with the procedure set out in section 25.

6. Section 27 of the Act provides that the Secretary of State may issue guidance to the Regulator in relation to the exercise of the Regulator’s functions. The Secretary of State issued "Guidance from the Secretary of State for Digital Culture Media and Sport to the Age-verification Regulator for Online Pornography" in January 2018 [1]. This Guidance on Age-verification Arrangements has been drafted having had regard to the guidance issued by the Secretary of State.

7. This guidance sets out the criteria by which the BBFC will assess that a person has met with the requirements of section 14(1) of the Act, to secure that pornographic material is not normally accessible by those under 18. This guidance also outlines good practice in relation to age-verification to encourage consumer choice and the use of mechanisms which confirm age, rather than identity.

8.
This guidance also includes the role and function of the Information Commissioner's Office (ICO), the UK's independent body set up to uphold information rights, and the requirements that age-verification solutions and online pornography providers must adhere to under data protection legislation, which is enforced by the ICO. As set out in 3.6 of the Secretary of State's Guidance to the Regulator, the role of the BBFC is to focus on the ability of arrangements to verify whether someone is 18 or over. The BBFC will not duplicate the role of the ICO, and there is a memorandum of understanding establishing a framework for co-operation and information sharing.

9. This guidance will have effect from the date on which the relevant sections of Part 3 of the Act comes into force. The BBFC may from time to time revise this guidance, in particular in the light of technological developments and experience of the operation of the regulatory regime. Any changes to this guidance will be laid before parliament in line with section 25 of the Act.

10. This guidance adopts and applies the definitions of various terms used in the Act. In the event of any unintended conflict in meaning or interpretation between this guidance and the Act, the Act shall prevail.

[1] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/673425/Guidance_from_the_Secretary_of_State_for_Digital__Culture__Media_and_Sport_to_the_AgeVerification_Regulator_for_Online_Pornography_-_January_2018.pdf

11. The BBFC will report annually to the Secretary of State on the regulatory regime.
In accordance with 7.1 of the Secretary of State's Guidance to the Regulator, these reporting requirements include:

• the impact and effectiveness of the regulatory framework and recommendations for revision of the scope if appropriate
• the number of persons it has investigated and determined to be compliant or non-compliant (including details of the grounds of non-compliance)
• the number of ancillary service providers, payment-services providers and Internet Service Providers it has notified, and responses to such notification

12. In accordance with section 26(2)(b) of the Act the BBFC will, from time to time, carry out research to gain insight into the effectiveness of the regime with particular reference to the protection of children and to determine the effectiveness of age-verification systems.

13. In some circumstances the BBFC may be willing to respond to requests for additional general guidance on its interpretation of the statutory requirements where such requests raise issues of general concern to stakeholders. Any such additional guidance given is informal only and is without prejudice to the BBFC’s powers under the Act. Stakeholders must ensure they comply with their statutory obligations under the Act. They should seek their own legal and technical advice on any issues. The BBFC does not accept liability for any loss or damage alleged to result from reliance placed either on its published guidance or any supplementary informal guidance it may give.

2. The BBFC's Approach and Powers under Part 3 of the DEA

1. All providers of online pornography who are making available pornographic material to persons in the United Kingdom on a commercial basis will be required to comply with the age-verification requirement. The method by which an internet connection or access can be obtained is irrelevant.

2.
The BBFC will approach the discharge of its functions under the Act in an objective, consistent and transparent manner to achieve the primary purpose of the Act; that is the protection of children.

3. The BBFC will adopt a proportionate regulatory approach in relation to the discharge of its functions under the Act in accordance with section 26 and in accordance with chapter 2 of the Secretary of State Guidance to the regulator.

4. This proportionate approach consists of:

• deciding which services that provide online pornographic material on a commercial basis it will investigate
• assessing whether an age-verification arrangement complies with the provisions of section 14(1) of the Act to secure that pornographic material is not normally accessible by those under 18
• assessing whether the service contains extreme pornographic material
• determining the most effective course of enforcement action to take

5. When deciding which services to investigate, and in order to allow the BBFC to maintain as its priority the protection of those aged under 18 from accessing pornographic content online, the type of factors it will take into account may include, but will not be limited to, services which:

• are most frequently visited, particularly by children, in the UK
• are most likely to be sought out by children (for example because they have attracted media or social media attention or because they rank highly on search engine results)
• contain extreme pornographic material
• contain potentially indecent images of children or raise other child protection concerns
• are reported to the BBFC by stakeholders and the public

6. The BBFC will seek to encourage compliance with s14(1) of the Act before using the powers listed in paragraph 9 below. It will issue a provisional determination of non-compliance before an enforcement notice under section 19(2) of the Act.

7.
In accordance with chapter 2.4.a of the Secretary of State's guidance, the BBFC will, in any such provisional determination of non-compliance, specify a prompt timeframe for compliance and, if it considers appropriate, set out the steps that it considers that the person needs to take to comply.

8. If no satisfactory steps are taken following the provisional determination of non-compliance, the BBFC will give a person an enforcement notice where it determines that the person is contravening section 14(1). This is subject to the requirement that the person concerned be given the opportunity to make representations to the BBFC prior to such a determination (section 19(3)).

9. Once an enforcement notice has been issued, the BBFC has available a number of powers:

• to give notice to any payment-services provider that the BBFC considers that a person is contravening section 14(1) and/or is making extreme pornographic material available on the internet to persons in the UK (section 21)
• to give notice to any ancillary services provider that the BBFC considers that a person is contravening section 14(1) and/or is making extreme pornographic material available on the internet to persons in the UK (section 21)
• to give notice to an internet service provider that the BBFC considers that a person is contravening section 14(1) and/or is making extreme pornographic material available on the internet to persons in the UK and require the internet service provider to take further steps as may be specified in order to prevent access to the offending material by persons in the UK (section 23)
• to institute civil proceedings against a person to whom an enforcement notice has been issued (section 19(11))

10. Before beginning notification action under section 21 and/or section 23, the BBFC will, on a case-by-case basis, determine which notification action or actions to take.
When making a determination, the BBFC will be guided by its assessment of which course of action will be most effective in achieving the child protection goals of the legislation, and will consider whether a notice to payment-services providers and/or ancillary service providers and/or internet service providers will have a significant effect on the non-compliant person's behaviour.

11. When deciding the most effective course of enforcement action, and therefore which notice or notices to issue, the BBFC may, among other considerations, assess whether non-compliant pornographic services have:

• content or services that require payment
• links to the non-compliant service on platforms such as social media
• advertising on or by the pornographic service
• a presence on search engine results
• significant visitor numbers in the UK

12. The BBFC will take a case-by-case approach, and will also consider what enforcement action has proven to encourage compliance in previous cases of non-compliance.

13. If a non-compliant pornographic service becomes compliant by securing that the material is not normally accessible to those under 18 and/or by removing extreme pornographic material, then all enforcement action will cease and any notices will be withdrawn.

14. The BBFC will inform any recipient of a notice under section 21 that the relevant pornographic service has become compliant so that the relevant ancillary services provider or payment-services provider will be aware that there is no longer a request to withdraw services, or a request to take other appropriate action.

15. The BBFC will inform any recipient of a notice under section 23 that the relevant pornographic service has become compliant so that the relevant ISP will be aware that they are no longer required to prevent access to the service by persons in the UK.

16. The BBFC will publish on its website details of notification action taken and the outcome of any appeals.
This includes where notifications have been withdrawn for services which become compliant. All interested parties should regularly refer to the BBFC's website to keep up to date on action taken.

3. Age-verification Standards

1. Under Part 3 of the Digital Economy Act 2017, providers of commercial pornographic material online must adopt effective and robust age-verification arrangements to ensure that the material is not normally accessible to those under 18.

2. The use of age-verification in relation to the sale of age restricted goods and services online is well established. A range of solutions to age-verify online is currently available on UK-hosted pornography services. These solutions draw from numerous datasets including credit card, passport, driving licence and mobile phone age-verification. Age-verification is most frequently supplied through third party providers.

3. The BBFC recognises that age-verification is an evolving and fast changing technology. It expects that advances will improve the capability and variety of systems that will become available. Consequently, the BBFC will adopt a principle-based approach when assessing new age-verification arrangements and shall maintain a dialogue with stakeholders in order to take any developments into consideration and will from time to time update this guidance accordingly.

4. As envisaged in the Secretary of State’s Guidance to the Regulator, this guidance does not provide an exhaustive list of approved age-verification solutions, but sets out the criteria by which the BBFC will assess that a person has met the requirements of section 14(1) of the Act to secure that pornographic material is not normally accessible by those under 18. This guidance also outlines good practice in relation to age-verification to encourage consumer choice and the use of mechanisms that confirm age but not identity. The BBFC will actively assess individual age-verification arrangements to test their effectiveness and robustness.
Arrangements which do not meet the necessary requirements, as set out below, will be treated as non-compliant.

5. The criteria against which the BBFC will assess that an age-verification arrangement meets the requirement under section 14(1) to secure that pornographic material is not normally accessible by those under 18 are set out below:

a. an effective control mechanism at the point of registration or access to pornographic content by the end-user which verifies that the user is aged 18 or over at the point of registration or access
b. use of age-verification data that cannot be reasonably known by another person, without theft or fraudulent use of data or identification documents nor readily obtained or predicted by another person
c. a requirement that either a user age-verify each visit or access is restricted by controls, manual or electronic, such as, but not limited to, password or personal identification numbers. A consumer must be logged out by default unless they positively opt-in for their log in information to be remembered
d. the inclusion of measures which authenticate age-verification data and measures which are effective at preventing use by non-human operators including algorithms

6. The following are features which the BBFC do not consider, in isolation, comply with the section 14(1) requirement:

a. relying solely on the user to confirm their age with no cross-checking of information, for example by using a 'tick box' system or requiring the user to only input their date of birth
b. using a general disclaimer such as 'anyone using this website will be deemed to be over 18'
c. accepting age-verification through the use of online payment methods which may not require a user to be over 18. (For example, the BBFC will not regard confirmation of ownership of a Debit, Solo or Electron card or any other card where the card holder is not required to be 18 or over to be verification that a user of a service is aged 18 or over.)
d.
checking against publicly available or otherwise easily known information such as name, address and date of birth

7. Although not a requirement under section 14(1) the BBFC recommends that age-verification providers adopt good practice in the design and implementation of their solutions. These include solutions that:

• collect the minimum data required to establish that the user is aged 18 or over
• include measures to reduce the potential for improper use, in particular by children, of a verified account
• provide ease of use for end-users
• include clear information for end-users on data protection
• confirm only that a person is aged 18 or over to an online pornographic service

8. Although not a requirement under section 14(1) the BBFC recommends that online commercial pornography services offer a choice of age-verification methods for the end-user.

9. In the interests of data minimisation and data protection, the BBFC does not require that age-verification arrangements maintain data for the purposes of providing an audit trail in order to meet the requirements of the act.

10. Age-verification arrangements involve important considerations as to the security and confidentiality of data collected as part of the process of determining that an individual is aged 18 or over. The BBFC’s assessment of age-verification effectiveness, to meet the requirement under section 14(1) to secure that pornographic material is not normally accessible by those under 18, is set out in paragraphs 5 and 6 of this chapter.

11. Outside of the statutory regime for age-verification and in order to encourage good practice, the BBFC is developing a voluntary, non-statutory certification scheme for age-verification solutions in consultation with the ICO. This scheme will incorporate a third party assessment of the data security standards within any age-verification solution which seeks certification under the scheme.
Only those age-verification solutions which pass the scheme’s standards, as audited by the third party, will receive certification by the Age-verification Regulator. An outline of the certification scheme appears in Annex 5.

12. In accordance with 3.8 and 3.9 of the Secretary of State's Guidance to the Regulator, a memorandum of understanding sets out that the BBFC will inform the Information Commissioner's Office where concerns arise during its assessment of the age-verification effectiveness that the arrangement does not comply with data protection legislation. The ICO will consider if further investigation is appropriate. The BBFC will inform the online commercial pornography provider(s) that it has raised concerns with the ICO.

13. Following formal approval of this guidance by Parliament, the BBFC will assess age-verification arrangements in order to ensure that online commercial pornographic services using those arrangements will meet the requirement under section 14(1). The BBFC will report the results of these assessments on its website.

14. All age-verification arrangements must be fit for purpose and effectively managed so as to ensure that commercial pornographic material online will not normally be accessible by persons under the age of 18. Responsibility for ensuring that any required age-verification arrangement is in place and is operating effectively rests at all times with the person that makes pornographic material available online.

4. Data Protection and the Information Commissioner's Office

1. The privacy of adult users of pornographic sites should be maintained and the potential for fraud or misuse of personal data should be safeguarded.

2. The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

3.
Under the General Data Protection Regulations (GDPR) age-verification solutions and online pornography providers have a general obligation to comply with the following requirements when processing personal data:

a. age-verification systems must be designed with data protection in mind – ensuring users’ privacy is protected by default
b. individuals must be told why, when, where and how their personal data is being processed, and by which organisations. Where an organisation processing personal data is based outside the EU, an EU-based representative must be appointed and notified to the individual
c. the need to process the minimum personal data necessary to achieve the intended outcome of confirming age; additional personal data should not be collected, irrespective of whether it is subsequently securely deleted. There must be an appropriate lawful basis for the processing of any personal data in line with the requirements of data protection legislation
d. the need to process personal data securely in light of the associated risks presented by the processing
e. the need to facilitate individuals’ rights (including the rights of access, erasure and rectification)
f. the need to ensure that personal data is not retained for longer than is necessary to achieve the purposes for which it was originally collected

4. The following is a (non-exhaustive) list of issues which the ICO consider may raise data protection compliance concerns:

a. failing to assess, document and mitigate privacy risks
b. re-using age-verification data for purposes other than age-verification without the knowledge of the individual concerned
c. where age-verification is provided by third party providers, failing to ensure appropriate measures are in place to ensure the data is adequately safeguarded
d. retaining data for longer than is necessary
e. a requirement to provide, and any subsequent retention of, physical location information
f.
the collection and retention of personal data about site visitors who fail the age-verification check.
g. failing to ensure security issues are appropriately addressed

5. Under the General Data Protection Regulations (GDPR) age-verification solutions and online pornography providers processing personal data, have a general obligation to follow the ICO’s guidance on data protection and specifically data minimisation, security and data protection by design and default.

6. Under the General Data Protection Regulations (GDPR) age-verification solutions and online pornography providers processing personal data, have a general obligation to implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities. In line with the requirements of GDPR Article 35(4), the ICO guidance on Data Protection Impact Assessments identifies processing activities that would require online age-verification services and online pornography providers to undertake such an assessment prior to the commencement of any processing of personal data via an age verification arrangement [2]. More information about data protection impact assessments can be found on the ICO's website https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

7. Data protection legislation requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.
More information about data security can be found on the ICO's website https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/

[2] https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/when-do-we-need-to-do-a-dpia/.

8. The GDPR applies to the processing of personal data of data subjects who are in the EU by a controller not established in the EU where the processing activities are related to the offering of goods and services, irrespective of whether payment is required.

9. More information about these and other requirements of data protection legislation can be found on the ICO’s website www.ico.org.uk.

10. The ICO will promote good information rights practices in adult content providers by:

a. providing support where appropriate to online pornography services regarding questions related to data protection and privacy matters in relation to age-verification
b. agreeing a referral process with the BBFC, for use where data protection compliance concerns arise as part of assessment of age-verification effectiveness
c. agreeing arrangements with the BBFC in a Memorandum of Understanding to be made publicly available

11. There are a number of tools available to the ICO for taking action to change the behaviour of organisations and individuals that collect, use and keep personal information. In line with the ICO’s Regulatory Action Policy, the ICO will take proportionate, appropriate and effective regulatory action, including referring issues to overseas regulators via international cooperation channels if appropriate.
Annex 1 – Definition of Pornographic Material

Section 15 of the Digital Economy Act 2017 states that:

(1) In this Part “pornographic material” (except in the expression “extreme pornographic material”) means any of the following—
(a) a video work in respect of which the video works authority has issued an R18 certificate;
(b) material that was included in a video work to which paragraph (a) applies, if it is reasonable to assume from its nature that its inclusion was among the reasons why the certificate was an R18 certificate;
(c) any other material if it is reasonable to assume from its nature that any classification certificate issued in respect of a video work including it would be an R18 certificate;
(d) a video work in respect of which the video works authority has issued an 18 certificate, and that it is reasonable to assume from its nature was produced solely or principally for the purposes of sexual arousal;
(e) material that was included in a video work to which paragraph (d) applies, if it is reasonable to assume from the nature of the material—
(i) that it was produced solely or principally for the purposes of sexual arousal, and
(ii) that its inclusion was among the reasons why the certificate was an 18 certificate;
(f) any other material if it is reasonable to assume from its nature—
(i) that it was produced solely or principally for the purposes of sexual arousal, and
(ii) that any classification certificate issued in respect of a video work including it would be an 18 certificate;
(g) a video work that the video works authority has determined not to be suitable for a classification certificate to be issued in respect of it, if—
(i) it includes material (other than extreme pornographic material) that it is reasonable to assume from its nature was produced solely or principally for the purposes of sexual arousal, and
(ii) it is reasonable to assume from the nature of that material that its inclusion was among the reasons why the video works
authority made that determination;
(h) material (other than extreme pornographic material) that was included in a video work that the video works authority has determined not to be suitable for a classification certificate to be issued in respect of it, if it is reasonable to assume from the nature of the material—
(i) that it was produced solely or principally for the purposes of sexual arousal, and
(ii) that its inclusion was among the reasons why the video works authority made that determination;
(i) any other material (other than extreme pornographic material) if it is reasonable to assume from the nature of the material—
(i) that it was produced solely or principally for the purposes of sexual arousal, and
(ii) that the video works authority would determine that a video work including it was not suitable for a classification certificate to be issued in respect of it.

(2) In this section—

“18 certificate” means a classification certificate which—
(a) contains, pursuant to section 7(2)(b) of the Video Recordings Act 1984, a statement that the video work is suitable for viewing only by persons who have attained the age of 18 and that no video recording containing that work is to be supplied to any person who has not attained that age, and
(b) does not contain the statement mentioned in section 7(2)(c) of that Act that no video recording containing the video work is to be supplied other than in a licensed sex shop;

“classification certificate” has the same meaning as in the Video Recordings Act 1984 (see section 7 of that Act);

“material” means—
(a) a series of visual images shown as a moving picture, with or without sound;
(b) a still image or series of still images, with or without sound; or
(c) sound;

“R18 certificate” means a classification certificate which contains the statement mentioned in section 7(2)(c) of the Video Recordings Act 1984 that no video recording containing the video work is to be supplied other than in a licensed sex shop;

“the video
works authority” means the person or persons designated under section 4(1) of the Video Recordings Act 1984 as the authority responsible for making arrangements in respect of video works other than video games;

“video work” means a video work within the meaning of the Video Recordings Act 1984, other than a video game within the meaning of that Act.

Annex 2 – The Draft Online Pornography (Commercial Basis) Regulations 2018

The Draft Online Pornography (Commercial Basis) Regulations 2018 can be found at the following link: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747184/Commercial_basis_regulations_DRAFT_20_Sept_2018.pdf

Annex 3 – Definition of Extreme Pornographic Material

Section 22 of the Digital Economy Act 2017 states that:

(1) In this Part “extreme pornographic material” means (subject to subsection (3)) material—
(a) whose nature is such that it is reasonable to assume that it was produced solely or principally for the purposes of sexual arousal, and
(b) which is extreme.

(2) For the purposes of subsection (1)(b), material is extreme if—
(a) its content is as described in section 63(7) or (7A) of the Criminal Justice and Immigration Act 2008, and
(b) it is grossly offensive, disgusting or otherwise of an obscene character.

(3) Material to which paragraphs (a) and (b) of subsection (1) apply is not “extreme pornographic material” if it is or was included in a classified video work, unless it is material to which subsection (4) applies.

(4) This subsection applies to material—
(a) which has been extracted from a classified video work, and
(b) whose nature is such that it is reasonable to assume that it was extracted (with or without other material) solely or principally for the purposes of sexual arousal.
(5) In this section—
(a) “classified video work” means a video work in respect of which a video works authority has issued a classification certificate;
(b) “video work” means a video work within the meaning of the Video Recordings Act 1984;
(c) “video works authority” means a person designated under section 4(1) of the Video Recordings Act 1984;
(d) “classification certificate” has the same meaning as in the Video Recordings Act 1984 (see section 7 of that Act);
(e) “material” means—
(i) a still image or series of still images, with or without sound; or
(ii) a series of visual images shown as a moving picture, with or without sound.

Section 63 of the Criminal Justice and Immigration Act (2008) states that:

(7) An image falls within this subsection if it portrays, in an explicit and realistic way, any of the following—
(a) an act which threatens a person's life,
(b) an act which results, or is likely to result, in serious injury to a person's anus, breasts or genitals,
(c) an act which involves sexual interference with a human corpse, or
(d) a person performing an act of intercourse or oral sex with an animal (whether dead or alive),
and a reasonable person looking at the image would think that any such person or animal was real.

(7A) An image falls within this subsection if it portrays, in an explicit and realistic way, either of the following—
(a) an act which involves the non-consensual penetration of a person's vagina, anus or mouth by another with the other person's penis, or
(b) an act which involves the non-consensual sexual penetration of a person's vagina or anus by another with a part of the other person's body or anything else,
and a reasonable person looking at the image would think that the persons were real.

Annex 4 – Definitions

Age-verification Arrangement – The system put in place by an online commercial pornographic service to ensure that pornographic content is not normally accessible to children.
Age-verification Method – The means by which age-verification (or age checking) is achieved (e.g. use of an ID document or credit card).
Age-verification Provider – A company which supplies an age-verification method or solution to an online pornographic service.
Age-verification Solution – A combination of age-verification methods.

Annex 5 – Voluntary, Non-statutory Certification of Age-verification Solutions

VOLUNTARY, NON-STATUTORY CERTIFICATION OF AGE-VERIFICATION SOLUTIONS

The Digital Economy Act 2017 (DEA) requires that commercial online pornographic services put in place controls which ensure that it is not normally possible for children to access pornographic content.
The BBFC has been designated as the Age-verification Regulator under the DEA. The Age-verification Regulator will undertake assessments to ensure that commercial pornographic services are complying with the statutory requirement imposed by s14(1) DEA by carrying robust age-verification controls.
The Information Commissioner's Office (ICO) is the regulator responsible for privacy and data security.
In consultation with the ICO and with support from the Department for Digital, Culture, Media & Sport, in order to encourage good practice, the Age-verification Regulator will work with providers of age-verification solutions to develop an additional, voluntary, non-statutory assessment and certification of age-verification solutions.

What does the Age-verification Regulator certification provide?

This voluntary certification scheme will mean that age-verification providers may choose to be independently audited by a third party and then certified by the Age-verification Regulator. The third party’s audit will include an assessment of an age-verification solution’s compliance with strict privacy and data security requirements.
When accessing certified age-verification solutions, consumers will find a link which will direct them to the Age-verification Regulator's website and a summary of the age-verification provider's third party assessment report, confirming for consumers that the age-verification solution has met the required high standards both in relation to privacy and data security and age verification.

Who provides the assessment and certification?

The Age-verification Regulator will administer this non-statutory certification scheme for those age-verification providers who volunteer to submit their solutions. The Age-verification Regulator will also provide the certification. This is in addition to, and separate from, the Age-verification Regulator's assessment of commercial online pornographic services pursuant to the DEA.
The Age-verification Regulator will contract a third party to develop an assessment based on:
1. The Age-verification Regulator’s statutory guidance on age-verification arrangements
2. Privacy standards, above and beyond legal obligations, to address data security, data minimisation, and the prevention of misuse of data.
3. Other industry standards and best practice which support, and are consistent with, the Age-verification Regulator's guidance
The ICO will advise in the development of those parts of the assessment which are based on Data Protection Legislation.
The operation and standards of the scheme will, from time to time, be subject to review and amendment by the Age-verification Regulator particularly in order to address relevant changes and technological developments.
The contracted third party will carry out assessments leading to the Age-verification Regulator’s certification of age-verification solutions that meet the high standards set out in the scheme.

Who may be certified?

Both gateways for age-verification solutions and providers of age-verification solutions may be certified.
A gateway would fail certification if it used any solution which was not itself certified.
Participation in the certification scheme is not a requirement under s14(1) of the DEA.

Who covers the cost?

The cost of the third party audit will be paid for by individual age-verification providers who choose to submit their solution for certification. DCMS will fund the set up and the administrative costs of the Age-verification Regulator and support the implementation of this voluntary certification scheme.