The UK government is bracing itself to face legal challenges when it implements controversial smut age check rules, and has said it could cost up to £10m in the first year alone.

The plans to require online porn providers to check users are over 18 before granting them access to the site have been in the offing since 2017, when the Digital Economy Act was passed into law.

However, bringing the rules into force has taken longer than the government planned: it had hoped to roll them out in April this year, but had to push this back to give the newly minted regulator time to draw up and consult on its guidance.

The regulator, the British Board of Film Classification, has now done this, and the guidance has been published this month alongside draft regulations for approval by Parliament.

El Reg deep dive: Everything you need to know about UK.gov's pr0n block READ MORE

At the same time, digital minister Margot James has revealed that the government has had to ask the Treasury to provide indemnity of up to £10m to the BBFC, to protect it against legal challenges.

“Despite the effective work with industry, charities and the public to promote and encourage compliance, this is a new law and there nevertheless remains a risk that the BBFC will be exposed to legal challenge on the basis of decisions taken as the age verification regulator or on grounds of principle from those opposed to the policy,” James told MPs last week.

She said that it was impossible to accurately quantify the value of the risk, but had put it in the range of £1m to £10m in the first year. James added that due to the wide bracket the BBFC couldn’t get commercial insurance – and so will have to rely on the government to bail it out.

The draft regulations and guidance, meanwhile, show that the government and regulator have broadly stuck to their guns, with a few exceptions.

Who slips out of the net?

One such tweak concerns which people will be covered by the law. As planned, it will apply when porn is made available on the internet on a commercial basis – either in exchange for customer’s cash or on an ad-funded basis.

But now, websites where porn makes up a third or less of the material available on the site or by other means, such as an app, will be exempt – unless the site is marketed as a smut provider.

It isn’t clear how the regulator will calculate this one-third (for instance, whether it will be a third of all content, or of a specific type of content) or how this will affect sex bloggers. But it is likely to slip one group of concern – sex workers who advertise their services online – out of the BBFC’s net.

However, Whitehall and the BBFC have resisted clamour from some age verification providers and children’s protection groups to extend the rules to cover social media platforms.

UK age-checking smut overlord won't be able to handle the pressure – critics READ MORE

In an explanatory note (PDF) published alongside the regulations, the government said: “The focus of the legislation should be pornographic websites, rather than popular social media platforms on which pornographic material is only a small part of the overall content.”

And the BBFC has classed them as ancillary service providers (ASPs), rather than purveyors of porn. This means the likes of Twitter and Facebook can be asked to remove their services from the non-compliant sites (although the BBFC will have no power to compel them to do so), but won’t need to comply with the rules for porn providers.

This will be a welcome move for those who feared further creep of state control of the web, and the spectre of a regulator being able to require an ISP to block Twitter.

However, it will infuriate those who argue leaving such platforms out would undermine the government’s purported aim of protecting children from stumbling across porn online, since it will remain a clear, simple way for them to access smut.

Similarly, little has changed in the guidance’s sections on privacy and data protections, despite numerous responses calling for stronger wording on these issues.

This is partly because the BBFC’s hands are tied; the law does not give it power to mandate privacy or security arrangements or enforce against those that don’t protect users’ privacy.

Don't verify ID, just age!

The final version does add into its list of good practice that solutions should confirm only that a person is aged 18 or over, rather than confirming their identity.

There is also a section specifying that the BBFC “does not require that age-verification arrangements maintain data for the purposes of providing an audit trail in order to meet the requirements of the act”.

(If this seems out of the blue, it's perhaps worth noting that AV provider Ageify suggested in its response (PDF) that content providers should keep logs of access for a period of six months to a year to guarantee the BBFC could trace “every age verification to its original source”. Of course, Ageify is developing such a solution and is "ready to showcase it whenever needed”.)

However, in light of concerns about the proliferation of shonky AV solutions, the BBFC has proposed a certification scheme, to be developed in consultation with the ICO.

This will be a voluntary, non-statutory scheme that includes a third party assessment of the solution’s privacy and data security standards – and the cost for the assessment would be footed by the AV provider.

The BBFC also introduced a new point into the guidance for ASPs to say that no organisations with a commercial interest in AV solutions will be notified of non-compliance, and that no AV provider will be considered an ASP.

The regulations can’t be changed, but will need to be approved by each House of Parliament before they can come into force.

DCMS said that it wanted many of the BBFC’s powers will come into force “as soon as possible”, but the power to impose financial penalties – which are up to £250,000 or 5 per cent of turnover – under Section 19 won’t come into force at this stage. ®

Don't penalise us for complying Among the responses to the consultation – many of which The Register analysed before they were made public – are those from age verification providers. Perhaps of most interest to observers of the AV debate is the submission from AgeID, which was developed from the Mindgeek stable – that biz is the kingpin provider of Porn Tube sites. Opponents have expressed concern about AgeID allowing Mindgeek to gain a greater stranglehold on the market. In contrast to most other AV providers that submitted evidence – including Ageify, Yoti and Verime – which took the opportunity to sell their product, AgeID doesn't mention how great its solution is. Instead, it focuses on concerns that the BBFC's proposed "proportionate approach" could disadvantage compliant sites. This approach, which will see sites assessed based on how popular they are among kids, how high up search engine results they are and how widely discussed they are, will “not stop children from stumbing across pornographic content”, AgeID said. A more common sense plan, it claimed, would be an advanced notice approach. The regulator should identify all 4.5million-plus pornographic domains, based on lists from ISPs, and “inform them in advance that they will all be enforced against on X date unless they enable age verification”. This, it said, would prevent a “slow drip of compliance”. It also said that some sites “may try to capitalise by not enabling age verification” until they receive their first enforcement letter, which would disadvantage compliant sites. Moreover, AgeID criticised the BBFC’s stated approach of entering into a dialogue rather than wielding hefty fines from the off (which El Reg notes is a commonly stated aim of regulators in other sectors), saying sites could just stall with “empty promises”. AgeID also complained that, because Google’s search rankings are based on whether customers click a link and bounce back to the search page – rather than continuing to use the site linked to – AV checks might mean higher bounce rates – which would send compliant sites down the list. Rather, search engine owners should “amend their algorithms to push non-compliant sites down the list, and give compliant sites a higher ranking”. Other AV providers do discuss other aspects of the regulations – Yoti for instance says social media platforms should be included as a porn provider. But the level of concern about the effect the legislation will have on compliant sites expressed by a biz spun out of one of the largest porn providers in the world, whose sites are sure to top of the BBFC's list if they don't comply, is – at the very least – notable.