Age assurance in digital services has attracted increased regulatory focus recently in light of the proliferated consumption of digital services and efforts to protect children online. Our Technology team explains what age assurance means, the scope of associated legal obligations and what organisations need to consider when implementing appropriate solutions.

In Brief

• Recent legislative developments, such as the Digital Services Act and the EU Online Safety and Media Regulation Act 2022, along with recent regulatory enforcement action and decisions make it abundantly clear that controllers must implement appropriate age assurance measures to adequately protect minors when using digital services. We can expect ‘age assurance’ to remain a key priority throughout 2024.
• Age assurance relates to how controllers estimate or verify an individual’s age. The requirement to implement robust and effective age assurance measures is increasingly important now and in particular, on foot of the DSA and OSMR Act. This is because these legislative regimes prohibit online digital service providers from presenting certain content to minors, whereby they know or have reasonable certainty that an individual is a minor.
• Navigating the complex legal landscape relating to age assurance and the protection of minors is no easy undertaking. There is no prescribed method when trying to decipher what appropriate age assurance measures must look like. Instead, what’s appropriate is determined on a case-by-case basis, having due regard to the risks associated with the particular processing activity.

The protection of minors when using digital services has become a key priority for European politicians and legislators. As a result, we are seeing increased focus on the implementation of appropriate and adequate age assurance. This has been reflected in several decisions from the Data Protection Commission (DPC) and the introduction of the EU Digital Services Act (DSA) and Online Safety and Media Regulation Act 2022 (OSMR Act).

But what is age assurance and what are the measures that organisations are obliged to implement?

What is age assurance?

Age assurance simply means different methods of estimating or verifying an individual’s age.

The recent increased focus on age assurance comes from several new pieces of EU legislation – including the DSA and the OSMR. These new laws impose obligations on digital services providers relating to “minors”, i.e. anyone under the age of 18.

Article 28 of the DSA requires online platforms to implement appropriate and proportionate measures which ensure a high level of data protection and safety for minors. In addition, this legislation prohibits providers from presenting personalised advertisements to recipients whereby they know or have reasonable certainty that the recipient is a minor.

The OSMR Act sets out online safety codes which aim to protect users, especially minors, from commercial communications including advertising and promotional content.

The OSMR Act sets out the procedures by which a service is designated as falling within the scope of a specific online safety code, including a list of the factors that must be taken into account. These factors include the levels of risks of harm to users, especially children, which are posed by the availability of harmful online content on a service or a category of services.

Needless to say, the starting point for complying with these new obligations is determining if minors are using your service.

What age assurance measures do you need to take?

None of the relevant pieces of legislation – whether the DSA, OSMR or GDPR - prescribe the methods of age assurance that must be adopted.

However, the DPC has published guidance on the processing of children’s data, also known as the “Fundamentals”, which touches on the issue of age assurance. In this guidance, the DPC explains that there is no one-size-fits-all approach to age assurance. Rather, organisations are expected to implement appropriate age assurance measures by having regard to:

• The state of the art
• The cost of implementation
• The nature of the processing, and
• The risks associated with the processing

To help navigate this difficult undertaking, we’ve set out a three-step process for determining what age assurance measures you should have in place.

Step 1: Identify the risk associated with your processing

The DPC’s Fundamentals clarify that organisations should take a risk-based approach when determining the appropriate age assurance package for their specific processing operations.

Accordingly, the first step in determining what age assurance measures your organisation needs to adopt is to identify the risks associated with your processing. The DPC’s Fundamentals recommend that organisations consider the following, (non-exhaustive) factors when assessing the risk of their processing:

• What personal data is being processed – are you processing a high volume of personal data that can directly identify the data subject, eg the data subject’s full name, age, address, images / videos?

• How sensitive is the personal data –are you processing special category data, eg race/ethnicity/sexual orientation, or other sensitive information like birth status?

• What service is being offered – is your service an educational service, a healthcare service, a social media platform or a gaming app whereby strangers can contact the minor?

• How accessible is the personal data – is the user’s information accessible to the world at large?

Step 2: Assess the ‘state of the art’ relevant to that risk profile

Once the risks associated with your processing activities have been determined, i.e. low, medium or high, you must then look to the market and implement appropriate age assurance measures which have been determined in light of the identified risks.

In this regard, Article 25(1) of the GDPR obliges controllers to implement appropriate technical and organisational measures, taking into account measures which are deemed as “state of the art”. The reference to state of the art imposes an obligation on controllers to consider technological advancements. This means that organisations must assess the appropriateness and effectiveness against relevant technological advancements.

Step 3: Consider drawbacks of relevant age assurance measure

Once you have identified a proposed age assurance solution in light of the risks associated with your processing and the relevant state of the art, you then need to consider whether the solution presents any conflicting privacy issues. These include:

• Data minimisation issues: Certain measures may fall foul of the data minimisation principle under Article 5(1)(c) of the GDPR, and involve the processing of excessive personal data,
• Discrimination / bias issues: Certain measures may have a direct, or indirect, discriminatory effect on minors from different ethnic and socio-economic backgrounds, and
• Freezing effect: Certain measures could have the effect of locking certain minors out of the service.

These considerations can be difficult for organisations to navigate, particularly when balancing the need to implement effective age assurance solutions.

By way of illustration, we examine two types of age assurance measures which may be appropriate for high-risk processing to demonstrate the tensions between the effectiveness, cost and proportionality of different age assurance measures.

Example 1: Hard identifiers

Hard identifiers like those used in the issuance of government-issued IDs or payment cards can also be used to verify an individual’s age. The Fundamentals identify that hard identifiers may be suitable for high-risk processing.

On an assessment of the risk profile and state of the art, this measure benefits from a reasonably high degree of confidence and is a tried and tested method of age verification. It is difficult to circumvent and relatively easy (and low cost) to implement.

However, on the other hand, privacy regulators have raised concerns that this form of age assurance solution falls foul of the data minimisation principle and is potentially excessive. Regulators have also expressed concerns that the collection of hard identifiers presents a risk of exclusion or indirect discrimination, as there may be socio-economic or even political barriers to holding a formal ID document.

Based on these conflicting privacy issues, the collection of hard identifiers has been recommended as a ‘last resort’ and only for very high-risk processing or prohibited items, such as gambling or tobacco.

Example 2: Facial age analysis

Another form of age assurance for high-risk processing is facial age analysis. This method analyses the individual’s real-time selfie to estimate their age based on their facial geometry. Several independent suppliers, such as VerifyMyAge and Jumio, currently provide these services to a variety of companies and firms.

While this solution has been identified as state of the art and endorsed by certain European regulators, there are also significant downsides to its implementation. Academics and industry experts have raised significant concerns about the inherent racial bias of the technology and the potential freezing effect on minors accessing core services. Accordingly, organisations looking to implement this solution will need to carry out a high-level of due diligence to verify the accuracy of the supplier’s solution and their compliance with data protection laws, particularly rules on data retention and further processing.

Conclusion

Age assurance is still an area of both regulatory and technological uncertainty. EU regulators are currently commissioning several studies and projects on this topic, including the euCONSENT proposal, which aims to design and test an EU-wide solution for age verification and parental consent. In addition, the International Standards Organisation is currently preparing a draft international standard of age assurance systems.

While these are helpful developments, it is clear that organisations cannot defer the implementation of effective age assurance measures given the DPC’s recent decisions on this issue. Accordingly, digital service providers should take stock of and (re-)assess their current age assurance measures, or lack thereof, based on:

• The legal obligations that apply to their business
• The risk of their processing activities
• The relevant state of the art, and
• Any conflicting privacy issues

For more information and expert advice on age assurance, please contact a member of our Privacy & Data Security team.

The content of this article is provided for information purposes only and does not constitute legal or other advice.