Draft rules for age verification on pornographic websites could put users’ privacy at risk and give the world’s biggest porn publisher a power similar to that of Facebook and Twitter, critics have said.

The guidance, which comes after the government passed a law last year forcing pornography sites to use age checks or face being blocked, states there is no legal requirement for sites to offer visitors a choice of age verification services.

MindGeek, the company that controls most of the world’s online traffic for pornography, has introduced its own age verification service, which critics say could allow it to corner the market, allowing it to become the “Facebook of porn” and collect vast amounts of data on users’ porn viewing habits.

The draft rules, published by the British Board of Film Classification (BBFC), the newly appointed age verification regulator, pass all responsibility for regulating the privacy and security of the services to the Information Commissioner’s Office, with no specific security rules to be applied in the sector.

The BBFC has invited submissions to a consultation on how it should police age verification for online porn, which was legislated for in last year’s Digital Economy Act. Age checks had been due to go live next month, but the implementation of the law has been delayed until the end of the year.

Jim Killock, the executive director of the campaign body Open Rights Group, and Myles Jackman, a lawyer who specialises in obscenity cases, both said the draft guidance “absolutely” gave MindGeek the opportunity to establish a monopoly.

“These are the two key points,” Killock said. “There is no requirement for user choice and there is no requirement for any privacy to be higher than the General Data Protection Regulation. Basically, they are washing their hands and hoping the market will sort it out. They even said they hope the market will provide, but that’s not how digital markets work, digital markets work as a monopoly, like Facebook, like Twitter.”

Jackman said he believed existing data protection rules – which will also apply to age verification – were not strong enough to secure sensitive data that could potentially be collected by a service policing adults’ pornographic viewing habits. He tweeted an annotated copy of the draft guidance, which he said showed that many specific requirements for data protection were qualified by “should”, which he argued showed the toothlessness of the BBFC as regulator.

Myles Jackman (@MylesJackman): UPDATE: The BBFC's position on user privacy and data security for sensitive personal sexual information can be summarised (in)effectively as follows: "Don't ask us; ask the ICO". (Mind the regulatory gap please ladies and gentlemen, nothing to see here). pic.twitter.com/Fu42i4lr49

MindGeek owns free-to-view streaming sites including Pornhub, YouPorn, RedTube, Tube8 and SpankWire, which between them are said to account for most of the porn viewed on the internet. It also owns premium sites including Brazzers, Reality Kings, Mofos, and Bromo.

James Clark, a spokesman for MindGeek’s AgeID product, said the company saw its AgeID product as one of many age verification platforms and that “many sites, including those owned by MindGeek, [would be] implementing multiple solutions”.

“It’s important that users have the option to select the age verification platform that suits their needs best and offers a seamless experience,” he said, adding that the company expected about 20-25 million users to sign up to age verification.

Warren Russell, the chief executive of AV Yourself, another company preparing to compete for the age verification market, agreed the guidance could in theory hand MindGeek’s AgeID product a monopoly, but he said he did not believe that would happen.

“What solution the MindGeek brands choose to use is their decision at the end of the day,” Russell said. “But lots of the merchants we have spoken to, including MindGeek brands, have shown interest in using more than one.

“It’s high-volume traffic they are dealing with. What they are interested in is disaster recovery: you don’t want all your traffic going through one product because if that breaks you lose all your traffic.”