Muirhead J., Grout V.
Alcohol Change UK, 2020
How do online retailers seek to prevent underage alcohol sales in the UK, how effective are current methods, and how far short are they of a truly effective system?
Summary Online sale of alcohol to under-18s is prohibited by law, but the measures used to prevent this underage cohort buying alcohol vary widely between different retailers. Current methods of age verification online are largely ineffectual, often involving simple ‘honour’ checks, which are easily circumvented, or alternative forms of authentication that can be bypassed. Many companies elect to push the necessary age verification checks offline, requiring delivery drivers to manually check identification and refuse sales as appropriate. However, by this point the young person may have already paid, and when mixed in with a larger online shopping delivery, alcohol purchases (and the need to check identification) may be less obvious.
Online sales of alcoholic drinks are often seen as a smaller market with lower rates of access and less impulse purchasing than conventional in-person sales, and therefore tend to be overlooked by regulators in pursuit of the more visible and localised contraventions of regulations.
Current methods of age verification for the online sale of alcohol have largely been ineffectual. The featured study identified two measures which could be effective, particularly if applied together: the first is introducing a software solution to ‘flag’ items subject to age restriction online, as they would be flagged offline; and the second is using banks’ merchant category codes to identify and decline alcohol transactions made by under-18s.
To ensure age-verification checks are conducted appropriately, there needs to be a step-change in the methods used by retailers to establish sufficient proof that the purchaser is over 18.
The much-anticipated (but abandoned) 2019 regulations under the Digital Economy Act 2017 placed a large emphasis on the protection of minors from inappropriate online content, leading to content providers developing or commissioning age verification services. These used a variety of measures to provide ‘best effort’ protection of under-18s. It would appear that such methods were fairly advanced and that the decision not to proceed with their use was as much political as technological.
The featured study investigated the use of different age verification methods in online alcohol sales, identifying: (a) current solutions and their effectiveness; (b) simple extensions to current solutions; and (c) recommendations for preventing the online sale of alcohol to underage people.
The study commenced at the beginning of 2020, and had a quick turnaround time of three months. Researchers gathered data using the following methods:
• Interviews and discussions with key stakeholders, including: their interpretation of current legislation; strengths and weaknesses of methods to verify age in online alcohol sales; age-verification methods used in other domains (eg, gambling, pornography, weaponry); and new/emergent technologies that could be used.
• Group discussions and questionnaires with university students, many of whom would have recent experience of being under 18. Topics included: personal experience of under-18s obtaining alcohol online; second-hand knowledge of under-18s obtaining alcohol online; awareness and effectiveness of current mechanisms for online age verification; and emergent and future technologies.
• Online experimentation by researchers with alcohol suppliers, retailers and distributors, conventional and electronic payment systems, pre-paid credit cards, and real and imaginary/invented online personas.
Most online systems appear to implement some measures to attempt to prevent the sale of alcohol to minors. Current solutions can be grouped into four main categories, as described below.
Statements of self-confirmation. The most basic measure used by online vendors is the self-confirmation statement: the user is shown a statement either on the web page or as a pop-up window and asked to confirm they are over 18 prior to the order being placed. This interface is simple for developers to implement. However, it assumes that users will be truthful when ordering alcohol online.
Date-of-birth entry. The second type of interface asks the user for their date of birth and performs a check that the date entered is within the permitted age restrictions. Although this type of interface nominally suggests a form of authentication, it still relies on the honesty of the user, and only provides the most trivial of checks, which can be bypassed easily by a minor calculating an appropriate date of birth.
Credit card only. While a debit card can be obtained by people under the age of 18, under-18s are not permitted to sign up to credit agreements such as credit cards according to the terms of the Consumer Credit Act 1974. This age is the same as that required for the purchase of alcohol in the UK, so some retailers use payment via credit cards as proof that the user is over 18. However, this cannot protect against underage sales in all cases. There are exceptions, meaning that under-18s can obtain and/or use credit cards and subsequently buy alcohol. For example:
• Adults can present an under-18 with a legally held credit card in their name where the bill is paid by someone over 18.
• Adults can pre-authorise their credit card for food and drink services such as UberEats.
• Over the past decade, the sale of pre-paid credit cards (which are preloaded with cash prior to use, and can be obtained with minimal checking) has become more common in retail stores. Terms and conditions for pre-paid credit cards often claim that online registration is required before the card can be used online. However, this is often not the case in practice; researchers in the featured study successfully made a number of purchases (including alcohol) with an anonymous/unregistered card.
Checking on delivery. Most supermarket home delivery services have a policy of checking that an order is being received by an over-18 as a proxy for checking the age of the original purchaser. This has been explored many times by the media over the past decade as a rarely-enforced and easily-followed route for minors to purchase and receive delivery of alcohol (1 2). Delivery drivers are instructed to check physical ID in the same manner as would take place in store, applying policies such as ‘Challenge 21’ or ‘Challenge 25’. Food delivery apps, such as Deliveroo, take this approach, passing the responsibility onto their delivery drivers. However, the use of casual workers and lack of formal training beyond in-app ‘advice’ leads to inconsistencies in the way the law is applied.
Research in other domains such as online gambling, online pornography and the sale of weapons has identified the need to work within existing processes to introduce new measures. Rather than change the entire system, a better approach is to improve and build on what is currently in place to increase organisational buy-in and social acceptance. Some possible solutions to enhance online age verification are discussed below.
Token purchase. One solution, proposed in now-abandoned 2019 regulations under the Digital Economy Act 2017, was that people would purchase an individual token containing an access code in a physical retail outlet such as a supermarket or corner shop. Appropriate age verification would take place at the point of purchase, with the code then being used to access age-restricted content. There is a large emphasis placed on the privacy of the purchaser in such an approach. [Other methods, such as banks’ merchant category codes below, create records of purchases, which are tied to people’s personal information.] However, the downside of the tokens not being bound to the personal information of customers is that they have the potential to be passed or sold on, possibly to under-18s.
Mobile phone verification. UK mobile operators already apply a blanket ban on adult content and this is only lifted after the owner has verified their age via in-person ID checks or use of a credit card. There are limitations to using credit cards to verify age ( above).
Multi-factor authentication. Recognising that there is no single one-size-fits-all solution, many age verification service providers have developed processes that allow for multi-factor authentication. This means that purchasers would be able to use one of many methods to demonstrate their age, which accommodates purchasers who do not have particular forms of ID or are unwilling to use them online. However, some methods of verification are easier or less robust than others, so the system is only as strong as its weakest method.
Bank authentication. Each payment made online is processed through a bank where the user must have an account. As banks are highly-regulated institutions, they are required to thoroughly verify the identity of any account holder through the use of government-issued ID and national databases. A small extension could be made to this to allow for additional verification of the card holder when they are making a purchase. For example, certain purchases could require the card holder to be over 18, with this being established using a true/false flag within an online purchase (or online shopping basket).
To detect whether age verification is required, retailers will need to identify whether any individual items within the order are age-restricted products. No additional hardware would be required; the extension could be written into new software. Many supermarkets and large retailers have already identified age-restricted products within their point-of-sale systems.
‘Type 3’ line item data. Merchants can provide three different types of transaction data:
• Level 1 includes basic information, such as the merchant name, date and transaction amount.
• Level 2 includes level 1 data, plus information about the customer, merchant and tax paid.
• Level 3 includes level 1 and 2 data, as well as details for every line item in the transaction. This is known as ‘type 3’ line item data.
Many merchants only provide information at Level 1. The higher levels require more detailed and complex point-of-sale systems and databases, but where this data is provided, the risk associated with transactions is reduced. Large businesses will already have systems to provide the Level 3 data required. However, smaller retailers often only provide basic information as the accounting overhead and requirement for complex systems is too large for their volume of sales.
Enhanced data provided by retailers could be extended to include either an overall indicator that alcohol is included in the transaction, or information on age restrictions for each line item. Banks could then process this data, check the age of the card holder and verify that they should be permitted to complete such a purchase. However, bank systems would need to be updated with this check, ensuring that it would take place as quickly as possible. This would require the deployment of more computing power so that transactions containing age-restricted products are not unduly delayed.
Merchant category codes. Banking systems are currently configured with merchant category codes that allow banks to identify the types of transactions that cards are used for (see image). However, as merchant category codes are designed to describe the purpose of the retailer not the transaction, they are not always useful for identifying alcohol. For example, supermarket sales are classified as a generic ‘grocery store’ transaction, and there is no differentiation between purchases that include or exclude alcohol.
Requiring merchants to use a special ‘alcohol’ code when alcohol is included in a purchase could be an easy way to protect under-18s. The way it could work is that banks would prohibit cards belonging to under-18s from alcohol purchases, without preventing non-alcohol transactions. This type of limitation is already included with many pre-paid credit cards, with the process known as ‘merchant category code filtering’ to prevent abuse by those under-age.
The use of alternate merchant category codes would place the onus on checking whether products are age restricted with the retailer rather than the bank, aligning with the Licensing Act 2003 where the seller is responsible for age verification. This would reduce the complexity for both banks and retailers, as there would only need to be minor system updates. Retailers would not need to update their systems to provide full Type 3 line item data ( above), making this approach scalable for both small and large organisations. Banks would also not need to release the card holder’s age, assuring privacy when a transaction is approved or declined.
Recommendation 1: The law must be clarified.
Despite its best intentions, the current law is ambiguous in relation to how and where safeguards should be applied in order to prevent people under the age of 18 obtaining alcohol online. If the intention is to allow age-checking on delivery as a substitute for online verification, then that should be published as official guidance by the relevant authorities. However, given that such measures can be ineffective, it is to be hoped that the necessary clarification would move the law in the other direction: that robust online age verification at the transaction stage becomes a clear legal requirement.
Recommendation 2: No confidence should be placed in existing safeguards.
There are no effective commonly-applied methods of online age verification. Any legal obligation or assumption based on existing measures is unfulfilled and/or flawed and must be unequivocally recognised as such. Although there are some sophisticated solutions emerging, and arguably ready to be implemented, there are also some simpler and more immediate measures that can be taken (as set out in recommendations 3 and 4 below, which would be most effective if applied together).
Recommendation 3: Items in online ‘shopping baskets’ should be considered individually.
There is a particular problem when alcohol is a part of a larger (eg, grocery) order. The extension of existing systems to ‘flag’ items subject to age restriction online (in a similar manner to those already used offline) are simple and would lead to more effective application of age verification at the point of transaction. This has the advantage of being a ‘software only’ solution.
Recommendation 4: The use of merchant category codes and bank authorisation processes should be extended.
Existing merchant category codes, and their use in authenticating a financial transaction back to a bank, can be extended beyond their existing ranges. At present, whilst a transaction at a pub, bar or similar venue can be identified, the purchase of alcohol within a larger food, gift or groceries transaction cannot. This can be easily rectified in software and would allow the bank authentication process to deal with age-restricted goods if necessary. Alternatively, the current Type 3 line item data system could be rolled out if existing commercial constraints were relaxed.
Recommendation 5: Emerging technologies should be continuously monitored.
There appear to be few disruptive technologies on the horizon that will add to existing approaches over the next few years. In fact, many work both for and against effective online age-verification. For example, artificial intelligence systems that are used visually to judge age can be fooled by other software that artificially ‘ages’ the image being processed. However, as these are rapidly moving fields they should be monitored.
Online sales are often seen as a smaller market with lower rates of access and less impulse purchasing, so are often overlooked by regulators who focus on the more visible and localised contraventions of regulations in shops. The use of appropriate age verification within online alcohol sales largely depends on the retailer:
• Some retailers, and most supermarket home delivery services, have a policy of checking that an order is being received by an over-18 as a proxy for checking the age of the original purchaser. Despite becoming a de-facto standard, the law is unclear on whether this proxy is a suitable choice for verification as the Licensing Act regulates the age of the purchaser, not the receiver of the alcohol products.
• Other retailers use cursory measures that would be easy for minors to bypass, for example asking for confirmation statements, dates of birth, or the availability of a credit card. Many online-only retailers distribute goods through third-party package delivery services, where there may be no mechanisms in place to enforce the relevant age checks on delivery.
To ensure age verification checks are conducted appropriately, there needs to be a step-change in the methods used by retailers to establish sufficient proof that the purchaser is over 18. There are two measures which could be effective, particularly if applied together: the first is introducing a software solution to ‘flag’ items subject to age restriction online, as they would be flagged offline; and the second is using merchant category codes to identify and decline alcohol transactions made by under-18s.
commentary The featured study provided an overview of age verification measures that are being implemented or could be implemented in order to try and prevent people under the age of 18 (the legal age of purchase in the United Kingdom) buying alcohol online. It identified current solutions, simple extensions to current solutions, and recommendations for improving the effectiveness of age verification measures, where ‘effectiveness’ was defined as whether measures achieve what they need to achieve (ie, preventing underage sales).
According to the findings, measures commonly used to verify age cannot reliably prevent underage purchases, but the answer is not necessarily to overhaul the entire system. Research in related domains such as online gambling supports improving and building on current practices and technologies, rather than changing the entire system. The authors suggest that two particular measures may be effective when used in conjunction with each other. The first step would be to introduce a software solution to ‘flag’ items subject to age restriction online, as they would be flagged offline. The second step would be to use merchant category codes to identify and decline alcohol transactions made by under-18s.
Despite its aim being to scope out effective measures, one of the key messages of the study was that focusing on finding effective measures can risk missing the bigger picture: the need to clarify the law, specifically, the law’s ambiguity in relation to how and where safeguards should be applied.
“Most supermarket home delivery services ‘operate’ (or at least, claim to) a policy of checking that an order is being received by an over-18 as a proxy to checking the age of the original purchaser. […] Despite becoming a de-facto standard, the law is unclear on whether this proxy is a suitable choice for verification as the Licensing Act regulates the age of the purchaser, not the receiver of the alcohol products.”
When the Licensing Act 2003 was implemented in 2005 it was billed a mechanism for creating “a more European culture of bars and cafés for older people and families”. It could probably not foresee the changes that would be needed to safely facilitate drinking cultures stemming from online sales.
In a 2014 review of the availability of alcohol on its consumption and related harms, Professor John Holmes and colleagues said:
“The role of the Internet in changing alcohol availability has received little attention. Online retailers deliver alcohol as part of weekly grocery shopping or convenience purchases, provide access to bulk or specialised product purchases, and supply or restock parties. In all instances, availability has increased beyond the detection of the spatial maps used in most analyses, and to date, it is unclear what the extent or focus of policy concern around internet sales should be.”
Summing up their findings for the Institute of Alcohol Studies, Mark Leyshon, then Senior Policy and Research Officer at Alcohol Concern, wrote:
“The role of the internet in changing alcohol availability has received little research to date and it is, at present, unclear as to how exactly this may be impacting on drinking behaviour.”
“Clearly, more research is needed as to whether licensing laws are robust enough to deal with this changing way in which we are choosing to buy alcohol, the extent to which minors are acquiring alcohol via this means, and whether age verification processes are fit for purpose.”
The Chief Medical Officer for England recommends that young people and children under the age of 15 years refrain from drinking alcohol. For young people between 15 and 17 years who do drink alcohol the recommendation is that they do so infrequently, no more than once per week, and not exceeding adult daily limits.
The featured report was funded by Alcohol Change UK, which is funding the 2020/21 update of the Alcohol Treatment Matrix by Drug and Alcohol Findings.
Last revised 30 August 2020. First uploaded 15 August 2020
DOCUMENT 2012 The government's alcohol strategy
DOCUMENT 2016 Modern Crime Prevention Strategy