Age assurance in the digital age - balancing protection and privacy
Access to certain apps and services often hinges on the user's age. This raises the critical question of 'age assurance': how can we assess, estimate, or verify the age of a potential user in a manner compliant with the General Data Protection Regulation (GDPR)?
The UK Information Commissioner's Office (ICO) is currently investigating how platforms like TikTok, Imgur, and Reddit determine the ages of UK users, not only for the purpose of granting access but also for the potentially lucrative practice of profiling users for marketing. Age assurance must achieve adequate levels of accessibility, reliability, and robustness to meet its intended purpose.
When assessing a user’s age, it's imperative that all the rights of the child are considered and appropriately protected. This includes their right to the protection of personal data, protection from exploitation, their ability to access information from various sources, and having their views given due weight. Age assurance must be handled carefully, as errors may pose specific risks in the field of data protection, as well as potentially impacting rights such as non-discrimination, liberty, security, and free expression.
Technology and innovation play a significant role in age assurance. There are three primary types of age assurance:
- Age estimation
- Age verification
- Self-declaration
As highlighted in the European Data Protection Board (EDPB) Statement 1/2025 on Age Assurance, merely asking the user for their age is of little utility. It assumes a degree of honesty that may not be present.
The EDPB has set out principles for age assurance, aimed at balancing the protection of minors while respecting privacy rights. In all cases where systems and processes are implemented to fulfil age assurance requirements, a Data Protection Impact Assessment (DPIA) will be necessary. The systems and protocols surrounding age assurance must be designed with privacy in mind, in accordance with Article 25 of the GDPR. Only age-related attributes strictly necessary for the specified purpose should be processed, ensuring data minimisation.
Further, in compliance with the GDPR principle of accountability, measures taken, considered and/or implemented must be properly documented. Organisations will need safeguards to prevent the age assurance process from causing unnecessary data protection risks, such as those resulting from identifying, locating, profiling, or tracking individuals. It's also expected that, where both reasonable and possible, a variety of methods for age assurance will be provided. This ensures that a minor is not excluded from a service simply because they are unwilling to engage with a particular portal or sub-processor.
A risk-based approach is essential. The underlying context will be key, and organisations must identify and evaluate the risks posed to a child from the service on offer and from the proposed processing. Additionally, the views of children must be taken into account, considering also their capacity to assess and accept risk.
In conclusion, age assurance in the digital age is a complex but crucial aspect of protecting minors while respecting their privacy rights. By adhering to GDPR principles, seeking legal assistance where needed, and implementing robust, accessible, and reliable age assurance methods, organisations can navigate this challenging landscape effectively.