On 11 Oct. 2024, France's Audiovisual and Digital Communication Regulatory Authority, the Autorité de régulation de la communication audiovisuelle et numérique, published the final version of its standard for age verification systems to access pornographic sites. By enforcing rigorous age verification processes, including "double anonymity" solutions, it sets a new benchmark in this domain.
The standard requires services or sites broadcasting pornographic content to comply with strict technical requirements relating to the reliability of age checks and the protection of users' privacy.
Primarily designed to protect minors from accessing pornographic content, the standard may also serve as a model for other industries requiring age verification. It is imperative for all stakeholders involved in implementing age verification to understand the requirements outlined in the standard and their potential impact on age verification processes within their platforms.
Context
This standard is part of a long legislative saga that began in 2020. Since 1 March 1994, Article 227-24 of the French Criminal Code has prohibited exposing minors to pornographic content, but it was not until 2020 that the article specified that a simple declaration of age is not sufficient to prove an individual is not a minor.
In July of the same year, Law No. 2020-936, aimed at protecting victims of domestic violence, introduced a special procedure enabling Arcom to give notice to editors of pornographic sites to comply with the law, and to ask courts to order noncompliant sites be blocked.
A decree was published under powers granted by Article 23 of Law No. 2020-936, concerning the implementation of measures to protect minors from accessing sites broadcasting adult content. France's data protection authority, the Commission nationale de l'informatique et des libertés, issued an opinion on the decree, recommending the use of trusted third parties.
In May 2024, Law No. 2024-449 aimed at securing and regulating the digital space strengthened the existing system and enabled Arcom to adopt a standard for the minimum technical requirements applicable to age verification systems.
General principles of system reliability, privacy protection
The standard defines the general principles applicable to all age verification solutions.
First, the home page must not display any pornographic content until the user's age has been verified. This verification must be carried out at each session — secured against sharing and fraud and robust against attacks, such as deepfakes and spoofing.
Second, if the solution uses age estimation, it must prevent false positives. It must also include mechanisms to prevent minors from circumventing the estimation through, for example, the use of recorded photos.
Third, solutions must be nondiscriminatory and tested on diversified datasets. They must also comply with the principles of accuracy, proportionality, data minimization, transparency, accessibility and security, and enable users to exercise their rights.
Finally, the standard adopts the concept of double anonymity, which the CNIL already put forward in 2021 in its opinion on the decree of Law No. 2020-936 and in 2022 in its recommendation titled "Online age verification: balancing privacy and the protection of minors." Double anonymity guarantees the site does not know the user's identity and the provider of the age verification solution does not know which sites the user visits. Platforms will have to offer at least one age verification method that complies with the double anonymity concept, with mandatory compliance from 11 April 2025.
Requirements for age verification systems
The standard includes minimum requirements applicable to all age verification systems, plus specific requirements for systems that respect the principle of double anonymity.
Independence. The provider of the age verification system must be legally and technically independent of the relevant sites. In particular, it must guarantee the sites will not, under any circumstances, have access to the data required to verify age.
In addition, for double anonymity systems, the relevant site must not be able to recognize a user who has already used the system, know or deduce the source or method of obtaining proof of age, or recognize that two proofs of age come from the same source.
Confidentiality in relation to the sites. The relevant sites must not directly collect the data required to verify age, such as identity, age, birthdates or other related information.
Confidentiality in relation to the providers. The age verification system provider must not retain the data collected or collect official identity documents unless the data makes it possible to obtain a digital identity or proof of age that can be reused. This obligation is without prejudice to compliance with the legal and regulatory obligations that apply to certain service providers, such as banking institutions.
In addition, for double anonymity systems, the service provider must not know for which site or service the age verification is being carried out.
Confidentiality in relation to third parties. Where other third parties are involved in the age verification process, they must not retain users' personal data, except for the storage of evidence at the user's request.
In addition, for double anonymity systems, any third parties involved must not be able to recognize a user who has already used the age verification system.
Automated decision making and safeguards. The standard states that "when determining whether or not a user may access an online public communication service on the basis of the evidence submitted to it, the service in question disseminating pornographic content makes an automated decision within the meaning of Article 22 of the GDPR." It adds that the CNIL "considers that such a decision may be based on the exception provided for in paragraph 2.b. of Article 22 GDPR, insofar as the service in question disseminating pornographic content is subject to an age verification obligation provided for in Article 227-24 of the French Criminal Code and the provisions of Law No. 2024-449."
Consequently, the service provider must put in place "appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject" pursuant to Article 22(2)(b) of the GDPR and allow users to rectify their data pursuant to Article 16 of the GDPR. Users must, therefore, be able to contest the results of the analyses.
Transparency. The relevant sites must specify the level of privacy protection of each age verification solution without one solution being particularly emphasized and indicate when a third party may know the site or service for which the age verification is being carried out.
In addition, for double anonymity systems, the user must be clearly informed that the age verification provider cannot know the service for which this verification is being carried out.
Other specific requirements for double anonymity systems. The relevant sites must ensure that users have access to at least two different methods of generating proof of age that allow for the obtaining of such proof via a double anonymity system — for example, a solution based on identity documents and a solution based on age estimation.
Furthermore, the double anonymity age verification system must be available to at least 80% of the adult population residing in France.
Transitional period
Article 10 of Law No. 2024-449 specifies relevant sites must implement an age verification solution that complies with the requirements within three months of the standard's 11 Oct. 2024 publication by Arcom.
However, the standard notes a transitional period of three months, until 11 April 2025, during which the relevant sites may implement solutions for verifying age using debit/credit cards, provided certain conditions are met, in particular that: an independent third party offers the service; the verification is secure and prevents the risk of phishing; the solution ensures the existence and validity of the card; and the verification is coupled with strong authentication, for example, using the 3D Secure security protocol.
Penalties for noncompliance
In the event of noncompliance with the standard or the law, Arcom may impose a penalty of up to 150,000 euros or 2% of worldwide turnover, excluding value-added tax, in the previous financial year, whichever is higher.
Arcom may also order internet access service providers or providers of domain name resolution systems to block the addresses of the relevant sites within 48 hours. The relevant service may request the cancellation of the measures taken by Arcom before an administrative judge and appeal the latter's decision, if necessary.
The standard sets a precedent for protecting minors in the digital space. By mandating rigorous age verification processes, including double anonymity solutions, the standard is not only prioritizing the protection of minors but also paving the way for other countries and industries to follow suit. This standard could serve as a model for sectors beyond adult content, such as online gambling and alcohol sales, where age verification is crucial.
In addition, globally, France's approach might influence other countries to adopt similar regulations, potentially leading to a more unified international framework for age verification.
Mihnea Dumitrascu is a privacy and data protection associate at Bird & Bird.