The Age-verification Certificate (AVC) is a voluntary, non-statutory certification scheme to ensure age-verification providers maintain high standards of privacy and data security.
It has been developed by the BBFC and NCC Group in cooperation with industry, with the support of government, including the National Cyber Security Centre and Chief Scientific Advisors, and in consultation with the Information Commissioner’s Office. Under the AVC, age-verification providers may choose to be independently audited by NCC Group, who are experts in cyber security and data protection, and then certified by the BBFC. The third party audit by NCC Group will include an assessment of an age-verification provider’s compliance with strict privacy and data security requirements.
Certified providers will carry the BBFC’s new green ‘AV’ symbol to indicate that rigorous security checks have been met and the provider has a high standard of data protection (subject as set out below).
The BBFC, with the agreement of DCMS, has decided that the scope of the assessment and certification will apply only to the primary age-verification provider. The AVC will ensure data minimisation is being followed and that there is no handover of personal information used to verify an individual is over 18 between certified age-verification providers and commercial pornography services.
A third party forming part of an age-verification provider’s solution(s) is not required to be certified for the age-verification provider itself to be certified, and will not necessarily be independently audited by NCC Group. However, age-verification providers must meet the AVC’s third party requirements.
The decision on the final standard for the AVC means that the scope of the scheme has changed from that set out in Annex 5 of the BBFC’s Guidance on Age-verification Arrangements, with the agreement of DCMS.
Annex 5 described our aims for the AVC. In regards to scope, the Annex states: ‘Both gateways for age-verification solutions and providers of age-verification solutions may be certified. A gateway would fail certification if it used any solution which was not itself certified.’
Primary age-verification providers’ systems and processes will be assessed under the AVC. If an age-verification provider works with other third party companies in order to perform age-verification checks, these companies will not be directly assessed unless they choose to independently seek a certification. However, it is a requirement of the standard for the AVC that only the minimum amount of personal data required to verify a user’s age shall be shared with third parties involved in the age-verification process and that information about the original requesting online pornographic service shall never be shared with third parties involved in the processing of verifying a user’s age.
Age-verification providers who are part of the AVC still retain the full responsibility for complying with all data protection and other relevant legislation (including the Data Protection Act 2018 and GDPR). An assessment and accreditation under the AVC is not a guarantee that the age-verification provider and its solution (including its third party companies) comply with the relevant legislation and standards, or that all data is safe from malicious or criminal interference. Accordingly BBFC shall not be responsible for any losses, damages, liabilities or claims of whatever nature, direct or indirect, suffered by any age-verification provider, pornography services or consumers/ users of age-verification provider’s services or pornography services or any other person as a result of their reliance on the fact that an age-verification provider has been assessed under the scheme and has obtained an Age-verification Certificate or otherwise in connection with the scheme.
In addition, receipt of certification shall not preclude in any way the BBFC’s right and duty to undertake investigations of the age-verification provider and its solution and/or websites and other providers of commercial online pornographic services using the age-verification provider's solution, and exercising its enforcement powers or any other powers pursuant to the Digital Economy Act 2017.
If you are an age-verification provider and would like to be certified, or for more information, please contact the BBFC at firstname.lastname@example.org.
Details of age-verification providers that have chosen to be assessed under the scheme and achieved certification will be published on this page.