The Information Commissioner’s Office (ICO), the UK’s data protection regulator, has published an opinion on age assurance for internet society services (ISS). The opinion aims to explain how a company can use technology in compliance with data protection law in a “risk based and proportionate way.”
Age assurance:
- Ensures that children are unable to access adult, harmful or otherwise inappropriate content when using ISS.
- Estimates or establishes a user’s age so a company can tailor the ISS and implement age-appropriate protections.
Establishing the age of users is important for services subject to the UK’s Age Appropriate Design Code as well as the newly introduced Online Safety Act 2023. As with many legislative changes in the UK over the past year, the focus is on protecting children.
“Privacy risks children face in the online world can have a significant impact,” the opinion says. “The potential severity of these risks means that the Commissioner expects you to take the necessary steps to protect children. Age assurance is a crucial component in this, helping you to provide an age-appropriate experience, or restrict access to underage users where appropriate.”
Three Categories of Action
The ICO expects a compay to adopt an age assurance method based on the risks created for the child by processing personal information and the required level of certainty about the individual’s age. It identifies high risks to children such as large-scale profiling, invisible processing, location tracking and the use of innovative technologies (e.g., smart devices).
The opinion focuses on three categories of actions, explaining what services:
- Must do – their legislative obligations.
- Should do – what the ICO expects them to do to comply with the law.
- Could do as an option or example to comply.
The ICO does not expect implementation of methods that:
- Are not technically feasible.
- Pose a significant and disproportionate economic impact on businesses.
- Create risks to the rights and freedoms of people that are disproportionate to the other processing activities on the service.
A Closer Look at Age Assurance Methods
The opinion describes the variety of age assurance methods and the associated actions for services:
Methods |
Types |
Actions |
Age verification
Method designed to verify the exact age of users or confirm they are over 18
|
Hard identifiers such as a driving licence or passport or through a third-party provider using a variety of information sources. |
Must
- Ensure the personal information you collect about a person to verify their age is proportionate to the risks your service poses.
Should
- Consider offering a choice of age assurance methods, appropriate to the needs of your service and users.
- Consider how to minimise exclusion risks associated with hard identifiers in a way that is appropriate to the risks.
|
Age estimation
Method to estimate age or age range of a user, often by using algorithms.
|
Includes computer vision-based approach, other biometric approach or analysing account profiling or information. |
Could
- Use age estimation approaches for initial onboarding or account creation or for ongoing monitoring.
- Find a more privacy-friendly method than using hard identifiers.
|
Self-declaration
User states their age but is not required to provide evidence.
|
Includes tick boxes for self-affirming. |
Should
- Avoid using a self-declaration age assurance method. It is unlikely to be accurate and effective if children face significant risks from the data processing on your site; or you are choosing to restrict access to an adult site to underage users.
- Assess the potential for unlawful processing of children’s information between an initial self-declaration and identification of an underage user.
Could
- Consider using it for ISS activities that do not pose a high risk to children.
- Increase the effectiveness of self-declaration by applying technical measures such as preventing people from immediately attempting to re-register if they are denied access on first declaration for being underage and closing the accounts of people discovered to be underage.
- Combine self-declaration with techniques that analyse account profiling or information which look for ‘red flags’ that contradict a person’s declared age or age range.
- Ask the user to confirm their age using an alternative age assurance method where there are red flags.
|
Waterfall techniques and age buffers
Combines different age assurance approaches
|
Includes combining an age estimation method with a secondary age verification method when you require a high level of assurance. |
Must
- Allow people to challenge the decision.
- Carefully design waterfall techniques to ensure they increase accuracy whilst preserving privacy.
|
Services
Assessing risk is a key factor in the ICO’s opinion, setting out various considerations for services depending upon the nature of the service and their corresponding risks.
High-risk and age assurance certainty
|
Should
- Introduce age assurance methods that give a high level of certainty on the age of users.
- Focus on restricting access to children if service is inappropriate for children.
- Introduce methods with the highest possible level of certainty on the age of users, noting that certainty will vary due to technical feasibility; whether authenticated or non-authenticated users use your service; and the age range and capabilities of your users.
- Be able to demonstrate that you have considered a wide range of age assurance options.
- Explain your rationale for choosing a particular method, taking into account the level of certainty the method provides.
Could
- Use self-declaration alongside other age assurance methods where you can demonstrate that the combination is effective.
|
Processing children’s personal data which does not pose a high-risk |
Could
- Introduce age assurance methods that process minimal personal information to restrict access for child users who do not meet your terms of service, identify the age of children to ensure the service you offer is appropriate for their age group or provide privacy and transparency information suitable to the specific age of the child.
- Apply the standards of the code to all users in a proportionate way to mitigate further personal data processing risks.
- Supplement method with other more accurate age assurance methods where you establish that the risk levels are higher, and you require a higher level of age assurance certainty.
|
Adult-only sites and age assurance |
Should
- Focus on preventing access by children.
- Apply the principles of the code to all users in a risk-based and proportionate way.
|
Age-gating |
Must
- Ensure that your age-gating page complies with data protection legislation.
|
Data Protection
The opinion also addresses the interplay between age assurance and data protection principles, confirming that data protection must be embedded in the design.
Data Protection Principle |
Actions |
Lawfulness
|
Must
- Identify a lawful basis before you start processing personal data for age assurance purposes.
|
Fairness |
Must
- Be fair and only handle people’s data in a way they would reasonably expect.
- Provide tools so people can challenge inaccurate age assurance decisions.
Should
- Make tools for challenging accuracy accessible and prominent.
- Not process children’s personal data in ways that are obviously, or have been shown to be, detrimental to their health or wellbeing.
- Scrutinise and minimise potential bias.
|
Transparency |
Must
- Be clear, open and honest about how you use personal data for age assurance purposes and how you make decisions.
- Explain clearly to people:
- Why you use age assurance.
- What personal information you need for the age assurance check.
- Whether you will use a third party to carry out the age assurance check.
- How you use the personal data and how it will affect the user’s experience of the platform or service.
- Whether you keep personal data you collect for age assurance and how, why and for how long.
- Their rights, including how they can challenge an incorrect age assurance decision.
Should
- Consider how age assurance fits into your user journey and experience to determine how and when it is best to provide this type of information.
- Only allow parents to exercise rights on behalf of a child if 1) the child authorises them to do so; 2) the child does not have sufficient understanding to exercise the rights themselves; or 3) it is evident that this is in the best interests of the child.
|
Purpose Limitation |
Must
- Only process personal data for specific and legitimate purposes, and not further process it in a manner incompatible with those purposes. Ensure any new use of the personal data is fair, lawful and transparent.
- Be clear about what personal data you process; be clear about why you want to process it; ensure you only collect the minimum amount of personal data you need to establish an appropriate level of certainty about the age of your users; and ensure you do not use personal data collected for age assurance for any other purpose unless the new purpose is compatible with age assurance.
- Build your systems with data protection in mind.
Should
- Not share children’s data unless you can demonstrate a compelling reason, while considering the best interests of the child.
|
Data Minimisation |
Must
- Ensure that the personal data you collect is adequate, relevant and limited to what is necessary for the purpose.
- Apply data minimisation to your chosen age assurance approach.
|
Accuracy |
Must
- Ensure that the personal data you process for the purpose is accurate.
- Have methods in place to mitigate the risks that the personal data you collect may be inaccurate.
Should
- Record age assurance returns as an estimation rather than a matter of fact.
- Test age assurance solutions for accuracy if you are developing them.
- Seek evidence from your suppliers.
- Consider how likely it is that age checks may be bypassed or spoofed and the associated impact.
- Consider how decisions can be challenged or inaccuracies rectified.
- Consider whether further checks are required when a child reaches 13 and 18.
|
Storage Limitation |
Must
- Not keep people’s personal data longer than you need it.
- Retain only the minimum amount of personal data necessary for the purpose.
- Consider challenges to your retention of personal data collected for age assurance.
Should
- Be able to justify how long you keep personal data collected for age assurance purpose.
- Have a policy that sets out retention periods.
- Be proportionate in how frequently you carry out age checks compared to the risks on your service.
- Erase personal data that is no longer required.
|
Integrity and confidentiality (security) |
Must
- Process people’s personal data securely.
- Consider how the system collects or shares information, as well as the personal data involved.
- Consider the state of the art and costs of implementation when deciding which security methods to use.
- Put in place methods that are appropriate to the circumstances and the risk the processing poses.
- Ensure appropriate data security methods are in place through due diligence checks.
Should
- Consider the balance between transparency and security if using AI.
- Ensure that a malicious actor cannot re-identify people given sufficient technical information.
|
Accountability |
Must
- Be able to demonstrate how your age assurance activities comply with data protection law.
- Adopt and implement data protection policies.
- Take a data protection by design and default approach to age assurance.
- Put written contracts in place with third-party age assurance services that process information on your behalf (these may be processors or joint controllers depending on the exact circumstances of the relationship).
- Maintain documentation of your age assurance processing activities.
- Implement appropriate security measures for age assurance processing.
- Record and, where necessary, report personal data breaches.
- Take a data protection by design approach to age assurance.
- Put in place technical and organisational measures to implement the data protection principles effectively and safeguard people’s rights.
- Be able to demonstrate that your approach to age assurance is proportionate to the risks to children associated with a platform or service.
- Implement a data protection impact assessment (DPIA) if your processing is likely to result in a high risk to people’s rights and freedoms.
Should
- Carry out a DPIA at an early stage in the design of any product or service that involves processing personal data; consider if a significant number of children are likely to access your service and use that information in your DPIA to determine which age assurance method to apply.
|
Whilst many of the principles in this opinion may not be new to most internet society services, it is helpful to see the focus of the ICO on this issue. It is also a clear sign that the UK’s Age-Appropriate Design Code and the interplay with the Online Safety Act is at the forefront of the ICO’s agenda. Companies should ensure they have considered the issues and documented their approach to how the business uses age assurance measures.
If you have questions about this development, reach out to our authors (Kelly Hagedorn and Adele Harrison) or another member of the Orrick team.