CNIL issues guidance on online age verification

In an attempt to address this issue, Article 227-24 of the French criminal code^[2] was updated in 2020 to specify that the offence of disseminating a pornographic message that is likely to be received by a minor may arise even when access to that message is subject to a declaration indicating that the recipient is at least eighteen years of age.

However, the law is silent on the technical means to be adopted by website operators in order to avoid liability. In practice, Decree N° 2021-1306 of 7 October 2021 entrusts the French public regulatory authority for audio-visual and digital communication (ARCOM) with the task of drawing up guidelines detailing the reliability of the technical procedures that websites must implement to prevent access by minors. However, ARCOM has embarked on litigation against editors of pornographic sites rather than issuing codes of conduct for these operators.

It is in this context that the CNIL, on 28 July 2022, published recommendations inviting the development of more effective and privacy-friendly solutions for age control. The key takeaways are as follows:

First, the CNIL states its preference for the use of user-controlled devices such as parental controls. However, there is a limit to this approach as the law places responsibility on website editors for implementing age verification obligations.

Second, the CNIL provides a helpful list of “pros” and “cons” covering the existing age verification solutions including:

• Asking for credit card details. However, the risk of phishing associated with this method is very high.
• Carrying out an analysis of facial features to authorise access by individuals who are clearly over 18. This solution is prone to error for people close to the age of 18.
• Conducting offline verification of identity documents. It may not be certain that the person using the card is the legitimate owner.
• Using online verification identity documents. Some systems verify the identity of the individual by comparing the photograph on the identity document provided with a "live detection" test, i.e. the capture of a photograph or video taken by the user at the time of the age verification request.
• Relying on the tools offered by the State to verify identity and age. France is setting up a digital identity system to allow citizens quick access to administrative services, by means of a connection identifier (France connect). However, the CNIL considers that private operators should not use this system.
• Using age verification systems by inference. Such as importing the individual's internet browsing history, or analysing their "maturity" via a questionnaire.

Finally, the CNIL suggests the use of an independent trusted third party responsible for determining the age of users, who would sit between the user and the site. This third party would follow the procedure described below:

1. An individual wishing to view a website that is subject to an age based access restriction will be provided by the website with a document to be signed by a third party who has evidence of the individual’s age. This document will not indicate the service/ website that issued it.
2. The individual will choose the trusted third party among those proposed (e.g. a bank, energy supplier, administration, trusted third party etc.). The individual will give the document to the third party who will sign it without knowing the purpose for which the document will be used.
3. Finally, the website will receive this signed document and will check the validity of the signature. The website will only know that the individual is of an appropriate age to access the services, without receiving any additional information on the individual or the third party used.

Given the sensitivity of the data collected and the intrusive nature of age verification systems, the CNIL suggests creating a specific certification for these third-party actors.

[1] Source: Génération numérique survey "the digital practices of young people aged 11 to 18", (March 2021)

[2] The offense is punishable by three years' imprisonment and a fine of 75,000 euros