Background and legal obligations under Spanish audiovisual laws

Video sharing platforms (VSP) are currently in the spotlight due to the existence of free-to access platforms that provide content harmful to minors (e.g., violence, pornography, etc.). This has become one of the top-listed concerns of the CNMC and other public authorities (e.g., the Spanish Data Protection Authority) which are focusing on how to protect minors and shield them from such content, legally restricted to adults

This has also become a priority following enactment of the new Spanish General Audiovisual Law (implementing the Audiovisual Media Services Directive as modified in 2018) which included VSPs under its umbrella and established (among other measures) the following:

• The obligation to establish and operate age verification systems for users with respect to content that may harm the physical, mental or moral development of minors, and which, in any case, prevent their access to the most harmful audiovisual content, such as gratuitous violence or pornography (art. 89.1(e) of the General Audiovisual Law).

• Commercial communications that encourage harmful or damaging behaviors to minors shall require verification of age and access only to users of legal age (art. 91.1 of the General Audiovisual Law).

The Consultation also reminds operators that a breach of the obligations mentioned above may be deemed a very severe administrative infringement (without prejudice to potential criminal liability).

Purpose of the Consultation and its highlights

The main purpose of the Consultation (see here) is to gather the opinions of different stakeholders - whether they are researchers, service providers, associations linked to the development and protection of minors, trustworthy verifiers, users in general or other groups - on everything related to age verification and protection of minors against harmful content.

While all questions presented in the Consultation are listed below, the following remarks are particularly interesting:

• The Consultation highlights how ads and commercial communications by VSP can also be for adults only, and also subject to age verification mechanisms.

• On the minimum requirements of age verification systems, the Consultation clarifies that these systems must ensure at all times that anyone accessing harmful content is an adult. It differentiates between the unique identification of the adult including the age attribute (which can be anonymously carried out) and his/her authentication (at the beginning of login or access, and which should depend on an individually assigned authentication element).

Solutions such as the simple presentation or sending of a copy of the identity document, as well as the simple and mere identification and proof of age through the presentation of a photograph, do not provide adequate guarantees and should be avoided.

As already established in recent decisions (the most recent one among many can be found here), mere declarations of being of legal age (without further actions) or merely providing guidance on how to establish parental controls; cannot be deemed age verification or sufficient to meet age verification obligations.

• Age verification can be performed by matching a traditional physical identity document, an electronic physical identity document, or a digital identity document. These documents can be, for example, ID cards, passports, resident certificates (EU citizens), resident cards (non-EU citizens), or a digital or virtual identity support not based on a physical document. The Consultation also points to future eIDAS2 and legal age attribute credentials, and analyses both remote and face-to-face authentication and its dangers.

• Regarding age verification through the use of a debit/credit card, the CNMC analyses its risks and disadvantages.

• Whether the VSP itself or third party providers should carry out the age verification is also addressed in the Consultation (including pros and cons of both alternatives).

• Self-regulation and coregulation is also addressed and suggested in the Consultation.

Consultation’s questions:

• Question 1: Do you consider appropriate the approach of establishing age verification mechanisms for all audiovisual content, including advertising, by VSPs providing harmful content?
• Question 2: Should the age verification system be established before accessing any content offered by VSP, or would it be sufficient to include such a verification system later on, in the actual access to the audiovisual content, making it possible to access a censored version of the content without having passed the verification system?
• Question 3: Do you consider it appropriate for each provider to decide on the age verification mechanisms to be implemented in its service, and, if so, that each user should ultimately opt for the most convenient of the systems offered?
• Question 4: What is your opinion of the general approach to solutions that may or may not be based on face-to-face control?
• Question 5: How can the correct transmission of access passwords to the previously identified user be done? How could an adequate prevention of disclosure or multiplication of access authorizations be carried out?
• Question 6: Assuming that an identification by electronic means is implemented, what are the risks of the system providing erroneous results?
• Question 7: What other solutions can ensure accuracy and precision in identifying and specifying the age of the access requester?
• Question 8: Do you consider that it is more appropriate for the protection of the child that the age verification system be the same or horizontal regardless of the access device or operating system used or, on the contrary, do you consider that there are significant differences in these elements that recommend an age verification system adapted to each access device or operating system?
• Question 9: What technological drawbacks or limitations can you foresee in the implementation of age verification systems?
• Question 10: What do you consider to be the strengths and weaknesses of each of the age verification systems described? Are there any other mechanisms in addition to those considered that you consider adequate for age verification?
• Question 11: How do you rate the different systems considered, taking into account the desirable balance between reliability, personal data protection and cost?
• Question 12: What should be the audit guarantees for each of these systems, allowing the CNMC to verify that they are complying with the expected reliability?
• Question 13: How do you rate having a third party entity independent of the VSP carry out age verification versus having the provider do it itself? How do you think it would affect your commercial success if an VSP did not offer users the possibility of age verification through an independent third party?
• Question 14: How do you think the user can be informed about the fact that the one who performs the age verification is an independent third party?
• Question 15: What specific aspects related to the access procedure, type of consumption, time spent or duration of access to harmful content through VSP should be taken into account when implementing age verification systems?
• Question 16: How often do you think the system should request the renewal of the user's accreditation?
• Question 17: Of the aspects identified in the previous question, which do you consider have an impact on the effectiveness of age verification measures? Please justify your answer.
• Question 18: Do you consider that co-regulation can be a useful instrument to assist in the establishment of these age verification systems that provide security to minors and to the agents that implement them?
• Question 19: What incentives or disadvantages may be involved in using co-regulatory systems for the implementation of age verification systems in this area?
• Question 20: Are you aware of the existence of any co-regulatory agreements in this area? If so, please attach or submit the appropriate information for consideration.
• Question 21: Are there any other issues that you think should be addressed in the scope of this consultation?

Next steps

• If your company provides video sharing services (even if not focused on adult content), read the questions to assess how this impacts your business practices.

• Consider submitting comments/answers as part of the consultation process.

• Take a look to the Spanish Data Protection Guidance and concept test on age verification mechanisms which were published on the same day as the Consultation and which delve into these mechanisms and their guiding principles.