The UK's age verification overlord has issued guidance for checking whether citizens should be able to access online smut, emphasising data protection and its plan to take a "proportionate regulatory approach".

The government last year signed off on controversial plans to require online porn providers to check their users are over 18 before letting them into the site, ostensibly to stop kids stumbling across sex online.

Overseeing compliance will be the British Board of Film Classification, which was appointed regulator at the end of last month.

It can fine non-compliant sites up to £250,000 and require internet service providers to block them. Payment providers, IT firms and social media sites can be asked – but are not required – to stop such services.

Ahead of the law coming into force, the BBFC has today published much-anticipated guidance for pornographers (PDF) and the companies that help them do business (PDF), which it is consulting on for the next month.

This sets out what the BBFC will deem as compliant use of AV tools, the process it will take when assessing porn sites and issuing enforcement notices, and what it deems "good practice" for elements of the tools it can't enforce.

As expected, the BBFC said it plans to take a "proportionate approach". This will see it focus first on sites with more users (and more child users) and those that kids are seeking out, for instance after social media attention, as well as those raising child safeguarding concerns.

The regulator added that it will aim to "encourage compliance" by offering sites the chance to address non-compliance within a "prompt timeframe" before using its regulatory stick.

It added that service providers will be alerted if a site they have been told to take action against becomes compliant, so they know there's no longer a request to withdraw services.


Of most interest, though, is the BBFC's attitude to security and privacy, which have been at the heart of the debate around age verification (AV), as critics argue it is unwise to create a database of people's porn viewing habits and that it might encourage bad security practices online.

Recognising these concerns, the BBFC said that "the privacy of adult users of pornographic sites should be maintained and the potential for fraud or misuse of personal data should be safeguarded".

However, under the Digital Economy Act it can't dictate what AV solutions sites use, nor can it specify privacy or security arrangements or enforce against sites or tools that don't protect users' privacy.

Instead, it can only say that sites and providers must comply with data protection laws and offer good practice guidance that AV tools should use.

This includes offering clear information for end users on data protection; ensuring that tools don't ask for more data than is necessary to confirm someone's age (for instance, they shouldn't ask for physical location data); and having measures in place to reduce improper use, for instance by children.

Any data protection compliance concerns identified during its assessments will be reported to the Information Commissioner's Office, the BBFC said. The guidance also sets out a draft memorandum of understanding between the two bodies.

Among the non-exhaustive list of issues the BBFC said the ICO would be on the lookout for are: failing to assess, document and mitigate privacy risks; reusing data for non-AV purposes without the individual's knowledge; retaining the data for longer than necessary; collecting or retaining information on people who fail age checks.

Although the document is unlikely to change the opinions of the most vocal critics, Neil Brown, a lawyer at decoded:Legal, said on Twitter that it has more information on data protection than the £90+VAT Publicly Accessible Standard for AV tools that was issued last week.

There’s a substantive section on privacy and data protection considerations too — way beyond the issues considered in the PAS. — Neil Brown (@neil_neilzone) March 26, 2018

Elsewhere, the document sets out what the BBFC will look for when assessing whether the AV tools sites are using are compliant with the law. These include using an effective control mechanism to verify the user is over 18 at the point of access and using data that "cannot be reasonably known by another person, without theft of data or identification documents or readily predicted by another person".

Sites should also ensure that users verify their age on each visit, or that access is otherwise restricted by some other means, such as a password.

Measures that aren't up to scratch include those with no cross-checks (so things like "fill in your date of birth" and general disclaimers are out); those relying on data that would be "easily known", such as name and address; and those accepting payment methods that don't require users to be over 18, like Solo cards.

Although not a requirement, the BBFC advised online commercial porn services to offer a choice of AV tools. This idea was mooted ahead of the consultation, but observers pointed out it could put a greater burden on porn sites and wouldn't necessarily offer any more security – especially if dodgy actors started setting up exploitative AV tools.

Meanwhile, the BBFC confirmed that social media sites – among others, such as providers of IT services, search engines and third parties advertising with or for sites – will be ancillary service providers.

This means the regulator can notify them to say a site is non-compliant and ask nicely for them to withdraw their services from the non-compliant site, but it has no power to compel them to do so.

The deadline for responses to the consultation is April 23, and if you want your response to be confidential, there's a sheet to fill in setting out which bits you want to keep private. ®