France and age assurance: A complete guide to comply with the SREN Law and ARCOM requirements
As countries around the world continue to grapple with the challenge of protecting children online, more and more jurisdictions are requiring that online platforms and websites containing age-restricted content must perform age verification on their users.
The latest entrant? France, with its recently passed Law on Securing and Regulating the Digital Space (loi visant à sécuriser et à réguler l'espace numérique, SREN Law). The law implements a number of measures to regulate the digital space — including age verification requirements for certain websites.
Below, we take a closer look at what France’s SREN Law is and how it set the stage for ARCOM to issue new age assurance and verification rules for websites operating within the country. We also outline those requirements, the timeline for compliance, and penalties for non-compliance.
France’s SREN Law explained
On May 21, 2024, French lawmakers officially adopted the Law on Securing and Regulating the Digital Space (SREN Law).
As its name suggests, the law was written with a goal of regulating online websites, platforms, and services used by the French people. To achieve this goal, the law implements a number of provisions, including:
Safety measures for citizens and minors:
Safety measures to prevent children from accessing pornography online
Criminalization of non-consensual deepfake pornography
Measures to control online hate, cyberbullying, and other harmful content
Pre-enactment of EU Data Act provisions for cloud computing services
Establishment of a national coordination network for the regulation of digital services
Bestowment of new powers for national regulatory authorities under the Digital Services Act and the Digital Markets Act
Strengthening of personal data protection and user rights
Regulation of online advertising to increase transparency
Regulation of online games that offer players digital monetizable tokens
With this in mind, the SREN Law is a piece of sprawling legislation that touches on many different parts of the country’s digital space. In the rest of this article, we will focus primarily on that first provision — the protection of minors against online pornography.
Keep learning: Global age verification laws: How to maintain compliance and keep friction low
Where does ARCOM come into play?
The SREN Law requires that websites hosting pornographic content must implement age verification measures in order to prevent minors from accessing this adult material. It does not, however, specify how age verification must be completed or which technologies and methods are acceptable.
Instead, the SREN Law states that the Regulatory Authority for Audiovisual and Digital Communication (ARCOM) — the agency responsible for regulating broadcast and digital media — would draft and release rules and standards for age assurance and verification.
On October 11, 2024, ARCOM published the final version of the age verification standards that pornographic websites must adhere to. These standards outline the “minimum technical requirements applicable to age verification systems” used to comply with the SREN Law, which we explore in greater detail below.
France’s age verification law: ARCOM’s timeline
Although ARCOM released its standards for age verification in October of 2024, they would not immediately come into full effect.
To ease the implementation of a solution that meets ARCOM’s standards for France’s age verification law, websites and platforms were granted a three-month transition period from January 11, 2025, to April 11, 2025.
During this transitional period, websites were allowed to use an age verification solution that relied on collecting a valid debit or credit card number from users. Following the transitional period, credit- and debit-card-based solutions would no longer be allowed.
ARCOM’s standards are now in full effect, and any website or online platform hosting pornography accessible to French users must now have age verification measures in place that comply with ARCOM’s issued guidelines.
ARCOM’s age verification standards
Any website accessible in France that contains pornography must comply with the following standards:
Pornography cannot be displayed on the website’s home page until a user’s age has been verified.
Age verification must occur at the beginning of each and every session to prevent shared logins or other types of fraud.
If a solution relies on age estimation technologies, there must be mechanisms in place to prevent both false positives and the possibility of a minor circumventing accurate estimation.
Any solution used for age verification must be tested on diversified datasets in order to be nondiscriminatory and comply with the following principles: Accuracy, accessibility and security, data minimization, proportionality, and transparency.
Websites must offer at least one age verification solution that complies with the concept of double anonymity (defined below).
In addition to these general standards, ARCOM has released technical standards that all age verification solutions must meet (below).
Minimum requirements for all age verification systems
Any age verification solution deployed in order to comply with the SREN Law must meet the following minimum technical requirements defined by ARCOM. These are broken into the following categories:
1. Independence of the age verification system provider from the targeted services distributing pornographic content
The solution provider must be legally and technically independent from the pornographic website in question. The solution provider must guarantee that the website will never have access to the data used to verify the user’s age.
2. Confidentiality with regard to targeted services distributing pornographic content
The website or platform itself is not allowed to collect or process the data necessary to perform age verification, including the individual’s age, date of birth, identity, or other personal information.
3. Confidentiality with regard to proof-of-age generation providers
The age verification solution is not allowed to retain users’ personal information, unless the solution grants the user a digital identity or other reusable proof of age. The system must not collect official identity documents if it does not allow for the generation of a reusable proof of age.
4. Confidentiality with respect to any other third parties involved in the age verification process
If third parties (excluding those related to proof-of-age generation) are involved in the age verification process, these third parties must not retain any of the user’s personal data. This can include parties responsible for service billing or management of proof. Exceptions are made when the third party is storing proof at the request of the user.
5. Measures to safeguard the rights and freedoms of individuals by age verifiers
The final decision as to whether or not a user is allowed to access content, based on the determination of their age, must be an automated decision as defined by Article 22 of the GDPR. Otherwise, refusing access may result in legal action.
Further, in order to protect the privacy of the user, privacy measures must be put in place by the age verification solution — not the website itself. These measures must empower users to challenge the result of their age analysis in the event of an error. To facilitate this challenge, the age verification solution should offer users the option of using different attribute providers or different proof issuers.
Specific requirements for double anonymity age verification
In addition to the requirements above, ARCOM has established additional minimum requirements for age verification solutions designed to comply with the double anonymity standard. These requirements must be met in conjunction with the minimum requirements established above.
1. Enhanced confidentiality with regard to targeted services distributing pornographic content
The requirements established in #2 above are supplemented to specify that an age verification solution using double anonymity must not allow the website to:
Recognize a user who has already used the system based on data provided by the age verification process
Know or deduce the source or method of obtaining the proof of age involved in a user's age verification process
Recognize that two proofs of majority come from the same source of proof of age
2. Enhanced confidentiality with respect to issuers of age attributes
The requirements established in #3 above are supplemented to specify that an age verification solution using double anonymity must not allow the solution provider to know the website or service that the user is visiting, for which age verification is being carried out.
3. Enhanced confidentiality with respect to any other third parties involved in the age verification process
The requirements established in #4 above are supplemented to specify that an age verification solution using double anonymity must not allow other third parties involved in the process — such as a third party transmitting proof of age or certifying its validity — to recognize a user who has previously used the system.
4. Population availability and coverage
Websites subject to the SREN Law must provide users with at least two different methods for generating proof of age via a system using double anonymity. An example of this in practice might involve one solution based on age estimation and another based on identity documentation.
Additionally, the website must ensure that an age verification system using double anonymity is available to at least 80 percent of the adult population residing in France.
5. Explicit display of the level of protection of users' privacy
When users are prompted to verify their age, websites must ensure that solutions using double anonymity are clearly marked. Users must not be misled into choosing a less privacy-focused solution.
Penalties for non-compliance with ARCOM’s standards
Non-compliance with ARCOM’s age verification rules can take two forms, each of which carries different penalties.
If a website is found to not comply with ARCOM’s standards, but minors are unable to access pornographic content, ARCOM will notify the website operators that they have a month to bring their age verification measures up to standard. If the website still does not comply, ARCOM is empowered to impose a penalty up to the higher of either:
Two percent of the website’s worldwide turnover (minus VAT) from the previous financial year
150,000 euros
If the website is found in non-compliance again within five years, these penalties are increased to four percent of worldwide turnover and 400,000 euros, respectively.
In cases where non-compliance means that minors can access pornographic content, penalties can be more severe:
Four percent of worldwide turnover excluding VAT (six percent if the website reoffends within five years), or
250,000 euros (500,000 if the website reoffends within five years)
Blocking of the offending website’s domain for a period of up to two years
Comparison to other laws
France is not the only country that has implemented online age verification requirements in recent years. Other age verification laws that you should be aware of if you operate a website or platform internationally include:
Various state-level laws in the United States, including in Utah, Texas, and Mississippi
It’s also worth noting that a number of provisions have been introduced and considered at the federal level within the US, which, if passed into law, could require age verification for certain types of websites or online platforms.
Stay compliant with Persona’s age assurance technology
Here at Persona, we understand just how delicate an operation it can be to deploy an age verification solution. After all, you don’t just have the legal, privacy, and compliance requirements to consider. You also have to think about your business’s growth and conversion goals, in addition to the technical aspects of the solution, and how it would integrate into your website or platform.
Our product and compliance experts have partnered with businesses in a wide range of industries and geographies to successfully deploy age assurance technology around the world.
Want to learn more about how Persona can help you comply with ARCOM’s requirements under France’s SREN Law, such as those for double anonymity, and in other jurisdictions around the globe? Read about how Playboy uses Persona to keep minors off of its creator platform, or sign up for a free, custom demo today.
FAQs
What are age verification, age estimation, and age assurance?
Toggle description visibility
Age assurance and age verification are two related, but slightly different concepts. All of them are used to determine whether or not a user should be allowed to access age-restricted content, platforms, and services.
Age verification is the process of confirming a user’s age using hard evidence. This verification can be achieved using a number of different methods and technologies, including government-ID verification, database verification, selfie verification, and more. In this way, age verification goes beyond the concept of an age gate, which simply asks the user to provide their date of birth with no evidence to back it up.
Age estimation, on the other hand, is the process of estimating a user’s age without requiring hard proof like a government-issued ID. This is typically achieved via machine learning and artificial intelligence, which can analyze a user’s selfie or even their behaviors to approximate their age.
Finally, age assurance is more of an umbrella term that encompasses both age verification and age estimation.
What is ARCOM?
Toggle description visibility
The Regulatory Authority for Audiovisual and Digital Communication (ARCOM) is an independent administrative agency in France responsible for regulating broadcast media (radio and television) as well as digital media within the country. It was created in 2022 by merging two previously separate agencies: the High Audiovisual Council (CSA) and the High Authority for the Distribution of Works and Protection of Rights on the Internet (Hadopi)
As such, ARCOM is responsible for enforcing a variety of laws impacting these industries, including the Law on Securing and Regulating the Digital Space (SREN Law) discussed above.
What is double anonymity age assurance?
Toggle description visibility
Double anonymity age assurance, also called double blind age assurance, is a concept designed to protect a user’s privacy. In order for a solution to be considered “double blind,” it must meet the following requirements:
The website can never know the user’s identity
The age assurance provider cannot know which website the user is visiting
These requirements essentially put up a wall between the user and the website they are visiting, and another wall between the website and the age verification solution.