Age assurance involves strategies to prevent children from accessing inappropriate content and tailoring online experiences based on a user’s age. This dual-purpose approach seeks to strike a balance between safeguarding children and respecting their privacy.

The ICO emphasises that organisations are required to adhere to data protection principles when implementing age assurance methods. This includes ensuring fairness, transparency, lawful processing, minimal data collection, accuracy, limited retention, security and accountability.

The Opinion pays particular attention to age assurance methods employing artificial intelligence. The ICO note that additional data protection requirements apply when using AI driven assurance methods. For example, if the AI method involves the processing of biometric data, the controller must determine whether this amounts to special category data and take all required measures. The ICO note that where profiling is used for age assurance, controllers must balance the risks that are posed by the use of profiling against its benefits in helping to establish the age of users. The Opinion also provides that bias must be addressed and should not be discriminatory.

The Opinion notes that there are four main age assurance approaches:

  • Age Verification: Methods for age verification range from scanning hard identifiers like driving licenses to utilising third-party providers with diverse information sources. The collection of personal information for age verification should be proportionate to the associated risks.
  • Age Estimation: Algorithmic age estimation methods involve: computer vision (estimating age from an image of a person that may be captured in real time. The ICO note this is now the most widely used age estimation approach and has high levels of accuracy and efficacy); other biometric approaches (such as voice analysis); or analysing account profiling (information derived from the person’s activity on the platform). The ICO suggest that as age estimation processes do not require documentary evidence, they could be a more privacy-friendly method than using hard identifiers.
  • Self-Declaration: Self-declaration is where a user states their age without evidence. The ICO discourages the use of self-declaration for high-risk scenarios and where access to adult sites is restricted for underage users, but notes that self-declaration can be minimally intrusive and may be considered for low-risk activities or in conjunction with other methods.
  • Waterfall Techniques: Waterfall techniques involves combining various age assurance approaches, such as combining an age estimation method with a secondary age verification method when a high level of assurance is required. The ICO note that this can provide a cumulative result with a greater level of confidence than when the processes are used in isolation. The ICO caution that waterfall techniques must be carefully designed to ensure they achieve increased accuracy whilst preserving privacy.

In respect of high risk services, the ICO advise that controllers should introduce methods with the highest possible level of certainty. The ICO acknowledges that such certainty will vary across services but that controllers should be able to demonstrate that they have considered a wide range of age assurance options and should be able to evidence the rationale for choosing a particular method.  

The Opinion provides welcome guidance on age assurance and should also be useful to controllers that comply with the Data Protection Commission’s Fundamentals for a Child-Oriented Approach to Data Processing.

Read our previous briefing on Fundamentals and Games: The DPC’s Fundamentals for Processing of Children’s Data here.