
French regulator Arcom's standard for online age verification rolls out in 2025

Published on 9th Jan 2025

What are the requirements of the broadcast authority’s standards for age verification on pornographic content? 


The French government's legislation to secure and regulate the digital environment – known as the SREN (sécurité et régulation de l’espace numérique) law – last year introduced an age verification system to protect minors.

The SREN law, which was enacted in May 2024, aims to ensure that online public communication service providers (including websites, apps and on-demand audiovisual media service providers) that make pornographic content available to the public under their editorial responsibility, and video-sharing platform services providing pornographic content, are not accessible to minors.

The aim is to protect minors from online pornography and to ensure compliance with article 227-24 of the French Criminal Code, which prohibits exposing minors to pornographic content.

This system will have to comply with a set of standards published by the French broadcast authority Arcom, which has indicated that it is adopting a technology-neutral approach. The broadcast regulator said that it is the “platforms’ responsibility to find an effective and privacy preserving age assurance solution, provided they rely on an independent third party and do neither collect nor process themselves the users’ personal data.”

2025 timeline

Services have until 9 January 2025 to comply with the requirements of the standard. An additional three-month transitional period until 9 April 2025 will follow, during which alternative proof based on the use of a bank card will be accepted under specific conditions.

Arcom published the standard on 9 October 2024, after the French data protection authority the CNIL provided its opinion on its reference document on age verification systems.

The new standard will be updated from time to time and is intended as a transitional solution until the adoption of an “efficient European solution”. In September last year, Arcom called on the European Commission to issue “either general guidelines on article 28 [of the EU Digital Services Act (DSA)] or to consider issuing shorter and minimal guidelines related to article 28 but dedicated only, for instance, to the protection of minors on pornographic online platforms or to prevent them from accessing the most serious content.”

General requirements

Arcom’s standard imposes general requirements on the age verification system around reliability and privacy protection.

Reliability requirements

The system must be able to distinguish between adult and minor users. The absence of discrimination (for example, to avoid the bias of certain systems based on machine learning) and the robustness of the system must also be guaranteed, including against the risk of deepfakes (for example, facial feature recognition solutions must include a liveness detection mechanism).

Privacy protection requirements

Some of the privacy protection requirements are common to all verification systems, while others are specific to the “double anonymity” system. The latter consists of a separation between the systems responsible for issuing proof of age, on the one hand, and the services requesting the submission of such proof, on the other. Users must be presented with at least one age verification device that complies with “double anonymity” privacy protection standards.

In addition, the age verification system must apply at each access to the service by the user.

Minimum technical requirements

Arcom has set out a list of minimum technical requirements applicable to the age verification system (pursuant to the General Data Protection Regulation). These requirements include:

  • The age verification system provider must be legally and technically independent from the platform service.
  • The platform service must not access or process the users’ data collected for the verification.
  • The age verification system provider must not store the users’ data or collect official ID documents, unless the system is used to generate reusable proof of age.
  • No personal data of the users can be stored by any third party participating in the age verification system unless the users request it to store a proof.
  • The age verification system provider must allow users, in the event of an error, to challenge the result of the analysis, and the service must inform the users of the redress mechanisms available through the provider of the age verification system.

In addition, for age verification systems using “double anonymity”, the requirements include:

  • The age verification system must not allow the platform service, or any third party participating in the system, to recognise a user who has already used the system, nor to identify the source or method by which the proof of age was obtained.
  • The age verification system provider must not have any knowledge of the service for which verification is being carried out.
  • The platform service must ensure that the provider offering the “double anonymity” solution combines at least two methods of obtaining proof of age; for example, a solution based on identity documents and a solution based on estimated age.
  • The level of data protection must be displayed with the age verification system.

Requirements for auditing and evaluating age verification solutions are detailed in Arcom’s standard.

Commission plans

The Commission has plans to draw up guidelines on the protection of minors, as well as an age verification mobile app. The French framework on the age verification system is expected to be repealed with the adoption of an efficient EU technical solution.

The Commission plans to adopt guidelines in the first half of 2025 to enforce the protection of minors online and to develop an age verification solution within two years.

The DSA empowers the Commission to issue guidelines to help providers of online platforms apply a high level of protection for minors. The Commission intends to adopt the guidelines by July 2025, after a public consultation planned by March 2025.

According to the Commission, these guidelines: “will provide a non-exhaustive list of good practices and recommendations for online platform providers to help them mitigate risks related to the protection of minors and ensure a high level of privacy, safety and security for children.”

The guidelines will also “apply to all online platforms, including those that are aimed at adults (such as adult entertainment platforms) but that still have underage users due to inadequate or non-existent age-verification tools.”

App by 2027

By the end of 2026, the Commission plans to introduce a mobile app. It has stated that it aims to “enable users of online web services to prove their age through the presentation of an electronic attestation through a dedicated application (mobile app) in a privacy preserving manner in order to access age restricted content.”

A call for tenders was launched in October 2024 for the “development, consultancy and assistance for an age verification solution”.

The Commission has specified that this solution could also include an app supporting a “zero-knowledge proof protocol” (namely, a feature that allows an attribute to be verified as true without disclosing any further details), which could be located and published by Member States in app stores.

This Insight was drafted with the help of Margaux De Marcellus, an intern at Osborne Clarke.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
