France's new age verification standard: Tightening controls on access to explicit image sites
Written By
Associate
UK
As an associate in our London-based international Privacy & Data Protection practice, I advise UK and international clients across a variety of sectors on a wide range of international data and privacy issues. This includes core regulatory frameworks such as the General Data Protection Regulation (GDPR) or the ePrivacy directive, and emerging EU data laws.
On 11 October 2024, France's Audiovisual and Digital Communication Regulatory Authority, the Autorité de régulation de la communication audiovisuelle et numérique (“Arcom”), published the final version of its standard for age verification systems to access pornographic sites. By enforcing rigorous age verification processes, including "double anonymity" solutions, it sets a new benchmark in this domain.
The standard requires services or sites broadcasting pornographic content to comply with strict technical requirements relating to the reliability of age checks and the protection of users' privacy.
Primarily designed to protect minors from accessing pornographic content, the standard may also serve as a model for other industries requiring age verification. It is imperative for all stakeholders involved in implementing age verification to understand the requirements outlined in the standard and their potential impact on age verification processes within their platforms.
Context
This standard is part of a long legislative saga that began in 2020. Since 1 March 1994, Article 227-24 of the French Criminal Code has prohibited exposing minors to pornographic content, but it was not until 2020 that the article specified that a simple declaration of age is not sufficient to prove that an individual is not a minor.
In July of the same year, Law No. 2020-936, aimed at protecting victims of domestic violence, introduced a special procedure enabling Arcom to give notice to editors of pornographic sites to comply with the law, and to ask courts to order non-compliant sites be blocked.
On this occasion, the French data protection authority (“CNIL”) had already issued an opinion on the draft decree, recommending the use of trusted third parties. You can find out more about this procedure and the CNIL's recommendations in my previous article on this subject, which can be accessed here.
In May 2024, Law n° 2024-449 aimed at securing and regulating the digital space (the "SREN Law”) strengthened the existing system and enabled Arcom to adopt a standard for the minimum technical requirements applicable to age verification systems.
General principles of system reliability & privacy protection
The standard defines the general principles applicable to all age verification solutions.
First, the home page must not display any pornographic content until the user's age has been verified. This verification must be carried out at each session — secured against sharing and fraud and robust against attacks, such as deepfakes and spoofing.
Second, if the solution uses age estimation, it must prevent false positives. It must also include mechanisms to prevent minors from circumventing the estimation through, for example, the use of recorded photos.
Third, solutions must be non-discriminatory and tested on diversified datasets. They must also comply with the principles of accuracy, proportionality, data minimization, transparency, accessibility and security, and enable users to exercise their rights.
Finally, the standard adopts the concept of double anonymity, which the CNIL already put forward in 2021 in its opinion on the decree of Law No. 2020-936 and in 2022 in its recommendation titled "Online age verification: balancing privacy and the protection of minors." Double anonymity guarantees the site does not know the user's identity and the provider of the age verification solution does not know which sites the user visits. Platforms will have to offer at least one age verification method that complies with the double anonymity concept, with mandatory compliance from 11 April 2025.
What are the requirements for age verification systems?
The standard also includes minimum requirements applicable to all age verification systems, plus specific requirements for systems that respect the principle of “double anonymity”. The table below summarises these requirements.
| Minimum requirements for all age verification systems | Specific requirements for systems that respect the "double anonymity" principle |
The provider of the age verification system must be legally and technically independent of the relevant sites. In particular, it must guarantee that the sites will not, under any circumstances, have access to the data required to verify age. | In addition to the minimum requirements, the relevant site must not be able to recognise a user who has already used the system, know or deduce the source or method of obtaining proof of age, or recognise that two proofs of age come from the same source. |
| The relevant sites must not directly collect the data required to verify age, such as identity, age, date of birth or other information. | N/A |
The age verification system provider must not retain the data collected or collect official identity documents unless the data makes it possible to obtain a digital identity or proof of age that can be re-used. This obligation is without prejudice to compliance with the legal and regulatory obligations that apply to certain service providers (for example: banking institutions). | In addition to the minimum requirements, the service provider must not know for which site/service the age verification is being carried out. |
Where other third parties are involved in the age verification process, these third parties must not retain users' personal data, except for the storage of evidence at the user's request. | In addition to the minimum requirements, any third parties involved must not be able to recognise a user who has already used the age verification system |
The standard states that "when determining whether or not a user may access an online public communication service on the basis of the evidence submitted to it, the service in question disseminating pornographic content makes an automated decision within the meaning of Article 22 GDPR". It then adds that the CNIL "considers that such a decision may be based on the exception provided for in paragraph 2.b. of Article 22 GDPR, insofar as the service in question disseminating pornographic content is subject to an age verification obligation provided for in Article 227-24 of the French Criminal Code and the provisions of the SREN Law."
Consequently, the service provider must put in place "appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject" pursuant to Article 22(2)(b) GDPR and allow users to rectify their data pursuant to Article 16 GDPR. The user must therefore be able to contest the result of the analysis. | N/A |
The relevant sites must specify the level of privacy protection of each age verification solution without one solution being particularly emphasized and indicate when a third party may know the site/service for which the age verification is being carried out. In addition, for "double anonymity" systems, the user must be clearly informed that the age verification provider cannot know the service for which this verification is being carried out. | N/A |
| N/A | The relevant sites must ensure that users have access to at least two different methods of generating proof of age that allow for the obtaining of such proof via a "double anonymity" system (for example, a solution based on identity documents and a solution based on age estimation). |
| N/A | The "double anonymity" age verification system must be available to at least 80% of the adult population residing in France. |
Transitional period
Article 10 of the SREN Law specifies relevant sites must implement an age verification solution that complies with the requirements detailed above within three months of the standard's publication by Arcom.
The standard indeed notes a transitional period of three months — until 11 April 2025 — during which the relevant sites may implement solutions for verifying age using debit/credit cards, provided that certain conditions are met. In particular, that: an independent third party offers the service; the verification is secure and prevents the risk of phishing; the solution ensures the existence and validity of the card; and the verification is coupled with strong authentication (for example: using the 3-D Secure protocol).
Penalties for non-compliance
In the event of non-compliance with the standard or the law, Arcom may impose a penalty of up to 150,000 euros or 2% of worldwide turnover, excluding VAT in the previous financial year, whichever is higher.
Arcom may also order internet access service providers or providers of domain name resolution systems to block the addresses of the relevant sites within 48 hours. The relevant service may request the cancellation of the measures taken by Arcom before an administrative judge and appeal the latter's decision, if necessary. The diagrams below summarise the different procedures.
1. In the event of non-compliance with the standard:
2. If minors can access pornographic content in violation of Article 227-24 of the French Criminal Code:
The standard sets a precedent for protecting minors in the digital space. By mandating rigorous age verification processes, including double anonymity solutions, the standard is not only prioritizing the protection of minors but also paving the way for other countries and industries to follow suit. This standard could serve as a model for sectors beyond adult content, such as online gambling and alcohol sales, where age verification is crucial.
In addition, globally, France's approach might influence other countries to adopt similar regulations, potentially leading to a more unified international framework for age verification.
If you have any questions or want to explore how these changes impact your business, please get in touch with Mihnea Dumitrascu.
A version of this article has also been published by the International Association of Privacy Professionals (IAPP), you can access the article via their website here.
Latest insights
More Insights
Privacy Unpacked Episode 6 - Pseudonymisation in Focus: Key Takeaways from the EDPB Guidelines
1 minute Feb 25 2025
