Ofcom has published its next consultation regarding the Online Safety Act 2023 about age assurance.
Part 5 of the Act imposes specific duties on service providers that display or publish pornographic content on their online services. These include the duty to implement age assurance to ensure that children are not normally able to encounter such content. The age assurance must be implemented and used in a way that is highly effective at correctly determining if a user is a child. There are also record-keeping duties.
Ofcom says that currently, services publishing pornographic content online do not have sufficient measures in place to prevent children from accessing this content. many grant children access to pornographic content without age checks, or by relying on checks that only require the user to confirm that they are over the age of 18.
The consultation focuses on Ofcom’s draft guidance to assist providers of online services that publish or display regulated pornographic content in complying with their age assurance and record-keeping duties under the Act.
Proposed guidance on ensuring that children are not normally able to encounter regulated provider pornographic content
- Ofcom has set out a non-exhaustive list of kinds of age assurance that could be highly effective at correctly determining whether a user is a child. It also identifies types of age assurance that would not be suitable to meet the duties in Part 5 of the Act.
- Service providers should implement an age assurance process that fulfils each of the criteria of technical accuracy, robustness, reliability and fairness to ensure that it is highly effective at correctly determining whether a particular user is a child.
- Service providers should also consider the principles of accessibility and interoperability to ensure that the age assurance process is easy to use and does not unduly prevent adults from accessing legal content.
- Service providers should ensure access controls are in place on the service to prevent users who have been identified as children through the age assurance process from encountering pornographic content on the service. They also should not host or permit content on their service that directs or encourages child users to circumvent the age assurance process or access controls.
- Service providers should familiarise themselves with the data protection legislation, and how to apply it to their age assurance method(s), by consulting guidance from the ICO.
Proposed guidance relating to the record-keeping duty
- Service providers should keep a durable written record of the age assurance process in use. The record must be up-to-date and easy to understand.
- Written records must explain how the service provider has considered the importance of protecting users from a breach of any statutory provision or rule of law concerning privacy. The draft guidance sets out examples of how providers can demonstrate this.
- Service providers must publish a summary of the written record of their age assurance process which should be easy to understand and available in an easy-to-find area of the regulated service’s website.
Proposed guidance on Ofcom’s approach to assessing compliance
- When determining whether a service provider has compelled with its duties, Ofcom will have regard to its regulatory principles of transparency, accountability, proportionality, consistency, and ensuring that regulatory action is targeted only at cases where it is needed.
- It has set out a non-exhaustive list of examples where it is likely to consider that a service provider has not complied with its duties.
- It will follow the procedures set out in its Online Safety Enforcement Guidance (which it is currently consulting on) where it suspects non-compliance with the obligations that apply to service providers under the Act.
Next steps
Once Ofcom has considers all responses, it will issue a statement setting out the final guidance. It expects this to be in 2025, after which the UK government will bring these duties into force.