Ofcom’s Latest Guidance on Age Assurance Under the Online Safety Act

On 5 December 2023, the UK Office of Communications (Ofcom) published for consultation its draft guidance on age assurance (and other Part 5 duties) for service providers publishing pornographic content on online services, along with an accompanying consultation paper. This is the second draft guidance document published by Ofcom since the Online Safety Act came into force.

This guidance is of wider relevance to certain U2U (user-to-user) service providers – see our November 2023 blog post for definitions and more information – because Ofcom is likely to propose similar and possibly identical age assurance measures for these service providers in spring 2024.

What duties under the Online Safety Act does the guidance apply to?

Services that host pornographic content

If you provide services that host pornographic content, then you must:

  • Implement age verification or age estimation (or both) to ensure that children (users under 18 years of age) cannot normally encounter content that is regulated pornographic content.
  • Ensure that the age verification and/or age estimation are highly effective at correctly determining whether or not a particular user is a child.

Under the Online Safety Act, ‘age verification’ means any measure designed to verify the exact age of users of a regulated service, whereas ‘age estimation’ means any measure designed to estimate the age or age range of users of a regulated service. ‘Age assurance’ refers to age verification or age estimation.

U2U service providers

All U2U service providers that are likely to be accessed by children must implement age verification or age estimation (or both) to prevent children of any age from encountering ‘primary priority content that is harmful to children’. This includes, for example, content that promotes suicide or eating disorders.

Interestingly, the Online Safety Act specifically requires Ofcom to consider the final version of the guidance when deciding what age verification and/or age estimation to recommend to U2U services for the purpose of complying with this duty. The guidance therefore is a good indication of – and insight into – what U2U service providers can expect in Ofcom’s draft guidance and codes for protection of children, which is due to be published in spring 2024.

What does the guidance say?

As can be seen across industry practice, Ofcom acknowledges that technology around age assurance is still developing and, therefore, does not recommend any specific tool or technology in the guidance.

The guidance covers age assurance:

  • Methods – The particular system that underpins an age assurance process.
  • Processes – The overall manner through which one or a combination of methods are implemented.

Ofcom has adopted a principle-based approach and proposes four criteria that a service provider should use when considering age assurance methods and processes:

  • Accuracy – The age assurance method should be accurate at identifying a user’s age under laboratory test conditions. Ofcom recommends taking a “challenge age” approach. This means that, for example, where the age assurance method is only accurate within a seven-year range, the challenge age should be set at 25, so that any user estimated to be below this age will be subject to more checks.
  • Robustness – Ofcom anticipates common threats to the robustness of age assurance methods, such as children trying various techniques to circumvent methods in order to access certain services. Ofcom therefore recommends that service providers stress-test their age assurance processes in multiple real-world and unexpected environments – and plan countermeasures against such threats.
  • Reliability – An age assurance method must perform in a consistent manner, so that it produces the same (or similar) outputs when the same (or similar) inputs are used in different circumstances. Ofcom states that service providers should implement robust monitoring and testing programmes to achieve this objective and ensure that any evidence used to identify a user’s age comes from a trustworthy source.
  • Fairness – Lastly, Ofcom states that the method should, as far as possible, avoid or minimise unintended bias or discrimination. Service providers should, therefore, include diverse datasets when training and stress-testing their age assurance process.

After selecting an age assurance process that meets these four criteria, Ofcom notes that service providers also should consider:

  • Whether the age assurance process is easy to use, works for all users and does not unduly exclude adult users from accessing legal content (‘accessibility’).
  • The extent to which the process is able to communicate with other systems (‘interoperability’).

Examples of good practice

Ofcom also has helpfully published a list of age assurance methods in the guidance that it considers ‘could be highly effective’ and ‘are not capable of being highly effective’. Examples include:

Data protection and record-keeping requirements

Lastly, the guidance provides further information and direction on the duty of a service provider to keep a written record of:

  • The type of age assurance methods and process that it uses.
  • How it has considered privacy and data protection laws when deciding how to use age assurance.
  • How it complies with its Part 5 duties and record-keeping duties.

The guidance emphasises that service providers must comply with the UK’s data protection regime when processing personal data as part of their age assurance and directly refers service providers to the Information Commissioner’s Office’s guidance on data protection and age assurance.

Commentary

In summary, Ofcom states that service providers are free to decide what age assurance methods and process best suit their service, provided that they are effective.

Service providers must carefully consider:

  • The suitability and proportionality of the proposed methods in light of the services offered and the likelihood of children being able to access these services.
  • Compliance with additional regulatory obligations, such as data protection and privacy.
  • The factors which may lead to Ofcom determining that the methods and process are not ‘highly effective’ – in particular, the risk that the chosen methods can be circumvented.
  • Whether the evidence provided by users is consistent in terms of its quality and reliability.

The consultation on the guidance closes on 5 March 2024. For further information, or to assess how the Online Safety Act and/or guidance will affect your business, please contact Cooley lawyers James Maton, Lupe Sampedro, Joanne Elieli, Edward Turtle, Carol Holley, Morgan McCormack or Carolina Ljungwaldh.

Contributors

Carolina Ljungwaldh

James Maton