UK law will soon require adults (18+) in the UK to be age-checked when they visit pornographic websites and apps. This requirement is part of the Digital Economy Act 2017 and is intended to prevent children and young people accidentally viewing inappropriate sexual content.

The age verification law is expected to come into force in autumn 2019.

Age verification is primarily aimed at commercial porn sites but it may in time also be required for other sites and apps.

Age verification means proving that you are aged 18 or over. Proof requires more than simply ticking a box or typing in a date of birth – which anyone can do.

It is difficult to reliably prove your age without verifying your identity. This means that to access paid-for porn online you will have to provide personal identity details such as your name or telephone number.

To be accurate, age verification processes must use data that cannot be reasonably known, obtained or predicted by another person without theft or fraud. Reliable sources of information include:

• Identity documents (i.e. passport or driving licence)
• Utility bills
• Credit card details (not including Debit, Solo or Electron or any other card where the card holder is not required to be 18 or over)
• Electoral roll data
• Know Your Customer (KYC) checks via specialist credit check or identity check software (this data generally includes name, age, address and telephone/email contact details)
• Mobile phone SMS
• Social media identity

It is recommended (but not required) that pornography providers offer users a choice of age verification methods. This means that you may need to go through several age verification systems in order to access the content you want.

You should be logged out of age-verification-restricted sites by default unless you opt-in for your information to be remembered. Major age verification tool providers including MindGeek are likely to offer a “single sign-in” approach, so that you only need to log into an age verification platform once to remain logged in across all of the porn sites you choose to visit. The ease of this approach is appealing, but it also carries a significant tracking and privacy risk. Single sign-in builds up a profile of your porn viewing habits, which if exposed could have a devastating impact on your personal and professional life.

Porn websites and apps will generally use a third-party company to conduct an age verification process. There are a range of age verification tools currently on the market. These include AgeID (owned by MindGeek, which also runs porn sites including PornHub, Brazzers, YouPorn and RedTube), AVSecure, Yoti and VeriMe.

To give you a guide as to what to expect, here is how some of the major providers operate:

• AgeID

MindGeek’s AgeID tool is expected to dominate the market. You undergo a one-time age verification process and then are provided with an email and password for future access to any site that uses AgeID as their method of age verification.

To register with AgeID you can either go through an online age verification process or purchase a “PortesCard” from PayPoint outlets and selected other UK retailers. This card contains a unique validation code which you must activate on the Portes app. You can then use the code to access all adult sites using AgeID.

It will be unavoidable to engage with AgeID if you want to access mainstream porn. However, AgeID carries a particular privacy risk due to connecting your porn use across multiple sites. The PortesCard also requires you to make an in-person purchase, which is likely to require you to show ID. The app could link your online porn use to your real-world identity by requesting or requiring access to your phone’s contact list.

• AVSecure

This is a blockchain company. Once you validate your age with an integrated third-party data validator, AVSecure will log this validation on its blockchain and give you an access key which can be used on AVSecure sites.

There is no way of tracking if, how, where and when you use your AVSecure key and neither AVSecure or the adult website have access to your identity.

You can also purchase an anonymous “Age Verification” card at selected retail stores across the UK – retailers will apply a “Check25” approach which means you may or may not be asked to show ID to complete this purchase.

• Yoti

This is an app-based process. On downloading the free app, you must upload a selfie photo and scan an official ID document such as a passport. The app uses facial recognition matching to verify that your ID document is genuine. An adult site that uses Yoti’s system will then ask you to confirm your age by using the Yoti app to scan a QR code.

Yoti claims that its software only recognises genuine faces, as opposed to photographs-of-photographs. App permissions could link to your real-world identity, and the company stores encrypted user info on its servers, which are, like any server, vulnerable to hacking and decryption.

• VeriMe

This company uses telephone numbers to age-verify. When the VeriMe tool is enabled on an adult site, you’ll be required to enter your mobile number. You’ll then receive a text message to which you must reply by typing VERIFY. This will be used to confirm that you have a live number that is not age-blocked.

VeriMe does not collect customers’ personal information and provides no personal data to sites. It stores a part of customers’ telephone numbers in encrypted form for auditing purposes. 

Although VeriMe does not associate your mobile phone number with the content you view online, other companies requesting your telephone number may do so. In principle, there is a significant tracking and privacy risk in linking your porn viewing to your telephone number, especially if you also use this number for work and other purposes. Be careful about who you give your telephone number to and do not respond to any unsolicited text messages claiming to be associated with any particular site.

The Digital Economy Act 2017 requires all commercial pornography providers to age-verify UK users. This applies whether sites and apps are hosted in the UK or overseas.

The British Board of Film Classification (BBFC) has been appointed by the government as a regulator to make sure that porn providers comply with the law. The BBFC can issue fines and instruct internet service providers (ISPs) and mobile phone networks to block sites and apps that refuse or fail to implement age verification. It could also ask social media companies and search engines to remove accounts/links relating to non-compliant porn providers.

Where porn providers outside the UK refuse or fail to implement age verification, the BBFC has stated that it will ask payment providers such as VISA to refuse to process UK payments, with the aim of preventing UK users from accessing these sites and apps.

The vast quantities of porn on the internet will make it difficult for the BBFC to police compliance effectively across all sites and apps. It is expected to concentrate its limited resources on the sites and apps that are most used or searched for by under-18s. Small, niche porn providers that do not implement age verification may therefore escape regulatory attention. However, this also carries its own risks, as small sites are the most likely to use cheap age verification systems which could put you at risk of credit card scams or other privacy invasions.

The British Board of Film Classification (BBFC) has been appointed to regulate companies providing age verification services. The BBFC has issued guidance on how age verification providers should operate and published a voluntary certification scheme which providers can use to demonstrate they meet data protection standards.

We consider the BBFC’s privacy standard to be weak. It effectively allows companies to write their own privacy scheme and then tick they have complied with it. This encourages a ‘race to the bottom’ in privacy terms. The voluntary nature of the scheme also means that it will be difficult for consumers to know which companies they can truly trust with their data. There is a high risk of fraud and scams.

We emphasise that the BBFC cannot guarantee your privacy. Their certification scheme might provide some protection against fraud and scams but as a whole they will struggle to ensure that Age Verification is safe, secure and anonymous.

It is not illegal for adults to watch porn in the UK. There are legal ways you can avoid using age verification to access online porn, but these all have risks so choose carefully.

It may be possible to use Virtual Private Networks (VPNs) to circumvent age verification. Porn providers are likely only to ask for age verification prompt from users who appear to be visiting from the UK. A VPN will make you appear to be outside the UK, in which instance the requirement to age-verify may not be triggered.

If you choose to use a VPN, find a provider you trust. Free VPNs carry data privacy risks and should be avoided. Avoid any VPNs that store a log of your online activity. To avoid age verification you are likely to need to use a VPN with servers based outside the UK, and possibly outside the EU.

It is possible to use BitTorrent or the Tor network to access the internet anonymously. However, be aware that your web traffic can still be monitored at the moment it exits Tor so this is not a fool-proof workaround.

Non-UK-based porn providers can opt not to use age verification. You should be able to access free porn sites and apps based overseas without verifying your age. It is likely that non-UK-based commercial sites that fail to use age verification for UK users will have UK payment methods blocked; however, using a VPN or non-UK payment method may still give you access.

Age verification software is provided by a range of private companies. The law does not specify how these providers should operate. Some providers will be fairly reputable. Others may put your personal data at risk of fraud or scams.

Any age verification provider will have access to your real identity as well as your porn-watching behaviour across multiple websites – this includes what websites you access, when and how often, what videos within those sites you watch, what search terms you use, and more. This is highly sensitive information. At present, there is nothing to stop age verification or porn companies selling or using this data in any way they wish.

The major porn publisher, MindGeek, looks like it will dominate the age verification market. MindGeek’s product, AgeID, is especially likely to track people’s porn use across the internet. MindGeek runs a range of mainstream pornographic sites including PornHub, YouPorn, Brazzers and RedTube. This gives it a direct commercial interest in collecting as much data as possible on visitor demographics, viewing preferences and other detailed analytics. If MindGeek can become the age verification provider for multiple porn providers through offering a “single sign-in” tool, it will be able to collect the viewing preferences of users across a multitude of different, niche and sensitive sites and apps. This carries a high risk of data abuse.

It is possible for a porn provider to legitimately re-use your personal data, for example with consent, claiming anonymisation, or through some other legitimate interests. Read Terms of Service documents carefully and do not agree to anything you do not understand. Be wary of any company promising free content or additional features, as it is likely that they are only doing this to get your consent to them further using and sharing your personal data.

Age verification services must at some stage directly identify you in order to accurately verify that you are over 18. Once your real-world identity is connected to your pornography viewing preferences, significant privacy threats emerge.

Systems will most likely aim to provide “single sign-in” to keep you logged in across different websites, when driven by links or advertising. This creates a strong likelihood that age verification companies will build databases of UK porn habits, which will inherently be vulnerable to hacks and leaks.

No database is ever fully secure. Hacks and leaks can and will happen, even where age verification or pornographic providers take precautions against them.

Once sensitive data about your private sexuality is in the public domain, there is no going back. Your sexual preferences and porn viewing habits cannot simply be changed or destroyed. This information becoming public could have a devastating effect on your personal life, family and professional reputation.

The EU General Data Protection Regulation 2018 (GDPR) provides some positive improvements for data protection, but it does not on its own protect information that is as potentially revealing as a person’s pornographic viewing history.

The GDPR and UK data protection laws require personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. In theory, age verification systems must be designed with data protection in mind – i.e. they must ensure that your privacy is protected by default.

You should be told by porn providers why, when, where and how your personal data is being processed, and by which third-party companies or organisations. Age verification systems must process the minimum personal data necessary to verify your age; additional personal data should not be collected, irrespective of whether it is subsequently securely deleted. Personal data must not be kept for longer than is necessary to achieve the purpose of age verification, and must not be used for other purposes, such as advertising.

The British Board of Film Classification (BBFC) has published a certification scheme for age verification providers which will assess whether systems comply with these legal requirements. However, the scheme is currently weak and voluntary. Non-certified age verification providers that do not comply with GDPR data protection standards can and will continue to operate.

The GDPR alone does not guarantee your online privacy.

If the BBFC thinks that an age verification or porn provider is not complying with GDPR requirements, it can report it to the Information Commissioner’s Office (ICO). The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. Providers can be reported to the ICO if they:

• fail to assess, document and mitigate privacy risks;
• re-use your age verification data for other purposes without your knowledge;
• fail to ensure appropriate measures are in place to ensure your data is adequately safeguarded in age verification processes;
• keep your personal data for longer than is necessary;
• collect and keep personal data about people who fail an age verification check.

This provides a potential layer of protection; however, the ICO does not have to investigate BBFC reports. 

You could also make an individual complaint to the ICO if you believe that an age verification or porn provider is not keeping your personal details safe. However, this course of action will make your pornography viewing a matter of public record, which could be embarrassing and have detrimental impacts on your home life and work.

Even if the ICO does investigate reports and complaints, porn providers can be located outside the UK (and outside the EU) which makes enforcement of findings or sanctions difficult. Post-Brexit, even enforcement against EU-based companies might be difficult.

Personal data that becomes public knowledge cannot be revoked, recalled or adequately compensated for. You could choose to sue a porn provider for failing to adequately protect your sexual data, but this will expose your private life to further public scrutiny.

You may not always be immediately aware that your data has been leaked. Companies must inform the Information Commissioner’s Office (ICO), the UK authority responsible for overseeing data protection compliance, of data leaks, but they do not always have to tell the people whose data is affected. Companies can also be fined for leaking your data but this money will not be used to provide you with financial compensation.

Sites and apps which host “extreme” pornographic material as defined in section 22 of the Digital Economy Act will now be blocked outright. This definition is quite broad and could lead to a range of sites being blocked. Other porn sites and apps will continue to operate in the UK, but in order to access these you will soon need to prove that you are over 18.

This means that you will no longer be able to access porn anonymously. Age verification requires you to provide some form of ID. Porn sites may be able to use this to track what you watch, when, where and for how long. They may also choose to store and share this data. Age verification therefore carries unique new privacy risks.

Age verification also carries an inherent risk of censorship. Porn sites will be subject to regulation by the British Board of Film Classification (BBFC). Sites and apps hosting explicit content may be shut down if they do not comply with regulatory standards. Social media companies and search engines could also be asked to remove links and accounts connected to non-compliant sites.

At present, age verification only applies to commercial porn sites with more than one-third explicit content. The BBFC has stated that it will focus regulatory attention on the sites and apps most often visited or searched for by under-18s. However, it has also indicated plans to monitor social media sites such as Reddit, Tumblr and Flickr which are not covered by the legislation but provide a potential route for young users to access porn, and has said it will report in 2020 on whether it recommends further legislative action.

It is probable that once politicians work out that age verification is failing to make porn inaccessible to children, some will demand that more and more sites are blocked. It is highly likely that the BBFC will be pushed to block ever larger numbers of websites. This could lead to thousands of sites with legal content being blocked in the UK, making it the most censorious country in the democratic world.

Porn sites might also self-censor as a result of age verification. User data collected through age verification might influence a company’s corporate direction, including leading them to water down or stop providing certain niche, kink or LGBTQ+ content.

There is no evidence that age verification will either prevent children or teenagers from accessing pornography online or reduce demand for it among young people.

Age verification requirements only apply to UK-based porn sites. Sites operating or purporting to operate offshore can and will continue to offer porn with no access control.

It may also still be possible for teenagers to acquire UK porn site log-in details, for example by using a parent’s ID. They would then be subject to the same risks of hacking and leaking as adults – and could also put other people’s privacy at risk in the process. If a teenager’s personal and sexual information is shared, this could lead to bullying, outing or worse.

Teenagers could use Virtual Private Networks (VPNs) and other technological workarounds to try and avoid age verification, just as adults could try to do. They are more likely to gravitate towards free VPNs which track internet use and therefore carry increased data privacy risks. Teenagers should be advised never to use free VPNs.

There is a risk that age verification will push teenagers towards using dark sites and subreddits, where they could be exposed to illegal and extreme material with which they otherwise would never have come into contact. Age verification also does not cover torrent file-sharing sites, which teenagers often use to download and share pirated videos.

Although the internet has given young people unprecedented access to adult content, education is far more likely than technological solutions to address the problems arising from this.

There is no evidence that age verification will prevent children or teenagers from stumbling upon pornography online.

The law means that adult content will be removed from the homepages of porn sites, but age verification does nothing to prevent porn being openly available on social media, advertised on e.g. file-sharing sites and appearing in search engine results. 

If anything, age verification is likely to make the internet riskier.

Adults and some young people may be pushed towards using untraceable proxy servers and related systems to avoid age verification, where they could be exposed to illegal and extreme material with which they otherwise would never have come into contact.

Data breaches are only one aspect of the privacy risks involved for porn site users. Many problems stem from the fact that users may be permanently ‘logged in’ and tracked across websites. Age verification providers may choose to keep a record of websites visited by their users. These records may be exposed if account details are inadvertently shared. New risks of fraud, abuse of accounts and other unwanted social behaviours can also be identified.