BBFC Accreditation Scheme for Age Verification Providers
The Application Period is now open.
We received the final documents and terms for the BBFC certification scheme for age verification providers last Friday. This has had significant input from various Government bodies including DCMS (Dept for Culture, Media & Sport), NCC Group plc (expert security and audit firm), GCHQ (UK Intelligence & Security Agency) ICO (Information Commissioner’s Office) and of course the BBFC (the regulator).
The scheme appears to have very strict rules.
It is a multi-disciplined scheme which includes penetration testing, full and detailed audits, operational procedures over and above GDPR and the DPA 2018 (Data Protection Act). There are onerous reporting obligations with inspection rights attached. It is also a very costly scheme when compared to other “quality standard” schemes, again perhaps designed to deter the faint of heart or shallow of pocket.
It seems it will be heavily promoted to consumers to provide them with comfort that any AV provider who attains accreditation has met stringent standards regarding data handling and privacy.
Consumers will likely be advised against using any systems or methods where the prominent green AV accreditation “kitemark” symbol is not displayed.
The guidance is focused on ensuring the purity of age verification and includes the following important clauses:
• Only the MINIMUM amount of personal data required to verify a user’s age shall be collected. A user’s identity shall not be verified as part of the process.
• Information about the requesting website that the user has visited shall not be collected against the user's activity.
• Age-verification providers shall only share the result of an age-verification check (pass or fail) with the requesting website.
• Personal data relating to the physical location of a user shall not be collected as part of the age-verification process.
• Personal data used for fraud prevention and detection and to verify a user’s age for access to commercial online pornographic material shall not be used for any other purposes, such as marketing or the creation of digital wallets. Age verification providers shall not market other services to these users during or after the age verification process.
• A user shall be given the option to verify their age without being required to set up an account with the age-verification provider.
The intent seems clear. AV providers should not aim to do anything with a user other than verifying their age. Methods or systems that attempt otherwise will likely not attain accreditation from the BBFC. AVSecure was built from conception along these lines. We retain zero consumer data like email (which we don’t collect) or IP address, and never market to users.
Our FREE verification system can solve any issues you may have relating to being able to offer a trusted, accredited product.
The Age Verification Guidance does not preclude your business from carrying out separate and distinct data capture, or membership processes, but this should be done after and separate from the age verification process itself.
Our recommendation is, and has always been that, for those merchants looking to use this opportunity to “sign-up” new members etc, the best way to do it is immediately after a quick, smooth, successful, certified, simple, non-intrusive AV check has been made and to do it as a separate, optional flow process.
Thereby, if any customer abandons the merchant sign up process, no traffic is lost.
It appears that some solutions or methods may have intended to try to effectively disguise a sign-up scheme by collecting billing details proffered by the user as part of the AV method, or to force consumers into a localized platform or marketing product.
These approaches seem to have been firmly stamped out by the details of the certification rules.
If you have any questions, we are always happy to help.