The UK government has released new guidelines for its upcoming age verification law, which will require pornography sites and apps to verify that visitors are 18 or older. The guidelines contain a number of important provisions, including the promise of new voluntary data standards and explicit exclusions for social media sites. But critics say the suggestions simply add to the legislative quagmire the government has created for itself.

“The policy is completely full of holes,” Jim Killock, executive director of the UK’s Open Rights Group, told The Verge. “It puts too much power in the hands of companies, [and] if teenagers in particular have any incentive to get around these controls, they will.”

Age checks were supposed to be “fully in place” by April 2018

The law was first proposed in July 2017, with the promise that it would be “fully in place” by April 2018. But concerns about the potential for government overreach, the stifling of free speech, and privacy violations have slowed its passage, and it’s now not expected to go into effect until next year.

Under the law, all pornography sites and apps must verify users’ ages with a system approved by the industry. A number of solutions have been suggested, but the frontrunner is AgeID, which is built by porn titan MindGeek (the owner of sites including Pornhub, RedTube, and YouPorn). AgeID would use mechanisms like credit card logs or telephone registries to verify someone’s age, creating an encrypted database of users.

Sites that fail to comply with the new law will face fines and other coercive measures. This could mean blocking the site’s ability to process payments in the UK or geoblocking their social media presence on sites like Twitter and Facebook.

All of this was known already, but these new guidelines from the British Board of Film Classification (BBFC), which classifies films in the UK and will now regulate online pornography, was presented to Parliament this month as an update to the fine details. The document mostly reiterates past information, but it includes significant additions as well.

What’s new in the BBFC’s guidelines?

The UK’s data watchdog, the ICO, will be able to establish a set of guidelines to protect users’ data in any age verification system. Privacy has always been a major concern for the new law since any verifier is going to end up creating a centralized database that potentially records the porn habits of UK citizens, which is a prime target for hackers.

However, the ICO’s guidelines will be voluntary, meaning companies like MindGeek won’t be forced to sign up. “Which is kind of crazy,” says Killock. “Because it means the government has basically conceded the argument [that user privacy is threatened by the new law], but regulators won’t be able to do anything about it.”

User privacy is a major concern for the new law

The guidelines have yet to be published, and there’s no indication of when this might happen. (We’ve contacted the ICO for information and will update this story if we hear more.)

Another note on “good practices” from the BBFC suggests that companies do not need to verify users’ identities, only their ages. Similarly, they do not need to keep logs of every site users access (as potential verifier AGEify has suggested it could do for up to six months at a time). Again, though, these practices might not be embraced by the industry.

A final addition in the BBFC’s guidelines is a newly clarified exemption for any site where “pornographic material makes up less than a third of content.” So if a site is two-thirds safe for work, it won’t have to verify users’ ages. This means social media platforms like Twitter, Reddit, and Tumblr — which are home to a lot of pornographic material — will not be policed. (Sites that advertise pornography are not covered by this exemption.)

However, the current wording of the guidelines still leaves a lot of unanswered questions. For example, how exactly will regulators measure the ratio of SFW to NSFW content? “Are they going to measure this in URLs, number of files, pixels, or what?” asks Killock.

The government is pushing this law by saying it will protect younger internet users from stumbling across pornographic material. But as Killock and others have noted, the law is far from watertight, and it leaves a number of avenues open for determined young people to circumvent age verification systems. The main effect it will have, they suggest, is creating huge liabilities for UK citizens, for porn sites, and for the government itself.

The UK is well aware of this, and in a speech to the House of Commons earlier this month, the Minister for Digital and the Creative Industries, Margot James, warned that it will face legal challenges costing up to £10 million ($13 million) in the first year alone. James notes that the government did explore the option of taking out commercial insurance for this “but failed to do so given difficulties in accurately determining the size of potential risks.”