Italy’s new AGCOM regulations for adult content, which come into effect on 12th November, emphasise two key points.
The verifier must not know which platform or site for which the check will be used. The content provider must not obtain identifying personal data of the user, only a result like: ‘user is over 18’. This is known as the double blind method – ARGOM use the term double anonymity.
Secondly, verification must be robust and each session, or visit, must be age-checked. ‘One and done’ age checks are not sufficient for repeat visits. Even if a user creates an account, they must be age checked when they return to that account.
Also verifiers should not be owned by adult operators.
The regulations are tech agnostic, but must meet the above conditions.
Which age assurance methods can meet AGCOM’s requirements?
Digital identity credentials or apps, for example a digital wallet, can submit a pre-verified age over / under credential directly to the website or platform. This meets the double blind requirement and the privacy requirement.
Specifically, this method refers to Digital ID Wallets, such as the EU Digital Identity Wallet (EUID), or third party operators, (such as Yoti). AGCOM is expected to be trialing a beta version of the EU’s white label app for age verification, based on the EUID wallet platform.
A typical user journey would be:
- User sets up a third party app and verifies their identity with a government issued ID
- A user visits an adult content site and is asked to prove their age
- User shares their age credential from the app – this only includes an over 18 verification – not date of birth nor name, location or any meta data
- The site does not receive any identity information and the third party provider does not know which site is requesting the credential
- Yoti do not have the technical means to link any Yoti Wallet users who share an age proof with any individual platform.
Which methods are not allowed by AGCOM?
AGCOM have determined that the following methods are not suitable for age verification for adult content.
| Method | Status | Reason |
| Self-declaration tick box | Not permitted | No verification |
| Date of birth entry | Not permitted | No verification |
| ID upload to site | Not permitted | Not double anonymity |
| Email age estimation | Not permitted | Not user linked |
| Social-media or SSO account | Not permitted | Not user linked |
| SPID or CIE direct login | Not permitted | Not double anonymity |
| Mobile or SIM data | Weak | Not user linked |
| Credit-card inference | Weak | Not user linked |
| Facial age estimation | Conditional | Needs certification and privacy safeguards |
Credit card and mobile checks AGCOM deem as weak. However, they may be used as a secondary check as a risk signal, multi-factor authentication (encouraged within the regulations), or as part of a third party age check – but not the primary source. Email, social media or ‘single sign on’ accounts are not seen as a satisfactory age check by AGCOM as they are not user linked.
Italy’s government log-in, SPID / CIE, is not permitted since it would include personal information and is therefore not double blind.
Facial age estimation within a reusable wallet is yet to be declared as permitted. Yoti’s Facial Age Estimation has been approved by KJM, the German regulator, for adult content. This has recently been changed from a buffer of 5 years to 3 years. This reflects Yoti’s improved Facial Age Estimation performance, and provides safeguards. With Yoti Facial Age Estimation we are unable to match a user to a service provider, nor an individual. Only an age over result is returned, and data is immediately deleted.
Yoti Digital ID is a convenient, re-usable solution for individuals, and is practical and scalable for businesses. For more information please contact us here.
