Recently I assisted someone who received a warning from “Public Health England” that they would be deregistered and not allowed any cross-border sales unless they could demonstrate how they verify their client's age on their website. Their website links were removed from the list until such time as they could demonstrate the process.
Now that was a real honest WTF moment. As things stand at the moment, there are no guidelines whatsoever on the requirements for age verification in the UK, EU that will guarantee your potential client is who they say they are. Even the suggested legislation for porn websites has been moved to the back-burner or scrapped as it is simply not achievable without running into privacy and data protection issues.
Now Public Health England wants us to fix this problem that no-one else can fix…
Original Age Verification methodology that was in place was:
The first thing we did was to visit the “Public Health England” website to find the list of registered cross-border sales businesses to see how the rest of the businesses are doing it. With them still on the list, we assumed they were obviously doing it right and expected to find some indication of what steps to take.
Every single one of the websites, both locally and internationally, approached age verification in exactly the same way we did. I managed to buy things from websites with fake names, fake dates of birth and fake addresses without a problem. So clearly they do not have any controls in place.
The following is a guide to possible steps and precautions that retailers could adopt to assist with age verification. However, it should be noted that these may not be suitable for some situations and retailers will need to assess what steps are suitable and appropriate to their individual circumstances. Retailers may be able to develop other methods of age verification.
Nice!! It says absolutely nothing. We are still nowhere closer to solving the problem we did not know we had or even knowing what we are missing. At one stage we even suspected the email was a phishing attempt by some unscrupulous guy in his mom's basement. Turned out it was not the case, but every email sent to Public Health resulted in the same thing: “Fix the Problem”.
Well, it would be helpful if you can say what you want. What box needs to be ticked or what needs to be written or said by who to who…
Following many back-and-forth emails, reading and wondering, looking at what, looking at various options like;
The problem is still that anyone can enter a parent's information and be underage. Where do you draw the line and where does your responsibility end?
Then an email came back from someone at Public Health England saying “Onscreen Age Verification is not sufficient” and “Please submit a new registration”.
Fine, whatever… Fact is the websites I visited have no, none, zero age verification other than onscreen…
Anyway, let's visit the online cross-border registration form. This page stood out… Obviously…
Now, whether the red-underlined parts (that was my edit) were there 4 or 5 years ago, who knows. But what I understand was that it does not really matter what you have implemented on your website. It comes down to what you enter in this box.
Red tape and bureaucracy at its best.
Following is a screenshot of the actual application form with the important bits underlined.
An email was received shortly following the application stating it was successful, and the website links were restored on the Public Health England website as an approved Cross Border Distance Seller.
I am not saying Public Health England will not spot check and test your actual Age Verification process at some stage. So make sure you actually do the right thing and follow your own procedure if you have any doubts.
I hope this could be useful to someone else out there who runs into this problem.