
Navigating Age Assurance in the Online World: A Statement from the EDPB
The European Data Protection Board (EDPB) has issued a Statement on age assurance which provides some helpful clarity on this topical issue.
Age assurance involves strategies to prevent children from accessing inappropriate content and tailoring online experiences based on a user’s age. This dual-purpose approach seeks to strike a balance between safeguarding children and respecting their privacy. There is an increasing requirement for entities to implement age assurance. The EDPB Statement sets out ten principles which seek to reconcile the protection of children and the protection of personal data in the context of age assurance.
Full Enjoyment of Rights and Freedoms
The Statement provides that children’s best interests should always be a primary consideration. The EDPB clarifies that there is no hierarchy in considering the best interests of the child; rather, regard should be had for all the rights of children, including their right to data protection, to protection from violence and all other forms of exploitation, and to have their views given due weight.
Risk-Based Assessment of Proportionality
The EDPB prescribes that age assurance should be implemented in a risk-based and proportionate manner. Service providers must demonstrate necessity and proportionality through risk assessments which consider the potential risks to children, their rights and their evolving capacities.
Service providers must balance users’ rights, including data protection, with the need for safety measures, ensuring that the measures chosen are the least intrusive ones that are still effective. The EDPB notes that “in many cases, age assurance poses a high risk to the rights and freedoms of data subjects” and as such a data protection impact assessment must be completed.
The UK Information Commissioner’s Office (ICO) issued an Opinion on age assurance in 2024. The Opinion also noted that the collection of personal data for the purpose of age assurance should be proportionate to the associated risks. Read our briefing on Navigating Age Assurance in the Online World: Insights from the ICO.
Prevention of Data Protection Risks
Age assurance should not lead to any unnecessary data protection risks and should not enable service providers to identify, locate, profile or track individuals. Effective measures and safeguards must be implemented to ensure that personal data is processed solely for age assurance purposes and complies with data protection requirements.
Service providers must also provide viable alternatives for users who cannot or do not wish to use specific age assurance methods and must regularly assess the effectiveness and fairness of these methods.
Purpose Limitation and Data Minimisation
Service providers and third parties should only process age-related attributes necessary for specific, explicit and legitimate purposes. Personal data collected for age assurance should not be repurposed or combined with alternative data for other purposes.
Technical measures, such as privacy enhancing technologies, and organisational measures, such as policies and contractual obligations, should be utilised to prevent data repurposing. This should help ensure data minimisation and proportionality.
The EDPB notes that in certain instances a service provider may only need to know if a user is over or under a certain age threshold, which can be implemented through a tokenised approach.
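The following is an added illustration, not code from the EDPB Statement or from this briefing, of what the tokenised “over or under a threshold” approach looks like in practice. An age assurance provider (the issuer) establishes the user’s age by whatever method it uses, then hands the user a short-lived token carrying only a yes/no answer for one named threshold, a random nonce and an expiry: no name, no date of birth and no stable identifier the relying service could use to recognise the same user again. The shared HMAC key, field names and lifetimes are assumptions made for the example; a real deployment would use an asymmetric signature or a zero-knowledge credential so that the relying service cannot mint tokens itself.

```python
"""Added example: a minimal over/under-threshold age token.

Assumptions (not from the EDPB Statement): a symmetric key shared by the
issuer and the verifier, the claim names "thr", "over", "nonce", "exp",
and a default token lifetime of ten minutes.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: key shared by the age assurance provider and the relying service.
ISSUER_KEY = secrets.token_bytes(32)


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_age: int, threshold: int, key: bytes = ISSUER_KEY,
                ttl: int = 600, now: Optional[float] = None) -> str:
    """Issuer side. `user_age` is whatever the provider established (ID check,
    estimation, ...). It is reduced to a single boolean here and never leaves
    this function, which is the data-minimisation point of the approach."""
    now = time.time() if now is None else now
    claims = {
        "thr": threshold,                          # the threshold this token answers
        "over": user_age >= threshold,             # the only age attribute released
        "nonce": _b64u(secrets.token_bytes(16)),   # fresh per token, so not a user identifier
        "exp": int(now) + ttl,                     # short lifetime limits replay and linking
    }
    payload = _b64u(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = _b64u(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{tag}"


def verify_token(token: str, required_threshold: int, key: bytes = ISSUER_KEY,
                 now: Optional[float] = None) -> Optional[bool]:
    """Relying-service side. Returns the over/under answer for a valid token,
    or None if the token is malformed, tampered with, expired, or was issued
    for a different threshold than the one this service needs."""
    now = time.time() if now is None else now
    try:
        payload, tag = token.split(".")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64u_decode(tag)):   # constant-time compare
            return None
        claims = json.loads(_b64u_decode(payload))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("thr") != required_threshold or claims.get("exp", 0) < now:
        return None
    return bool(claims.get("over"))


def token_claims(token: str) -> dict:
    """Everything a relying service, or anyone who intercepts the token, can read from it."""
    return json.loads(_b64u_decode(token.split(".")[0]))


if __name__ == "__main__":
    # Constructed walk-through: a 25-year-old asks for an 18+ token and presents it.
    tok = issue_token(25, 18)
    print("claims visible to the service:", token_claims(tok))
    print("admitted to 18+ service:", verify_token(tok, 18))
    print("same token at a 21+ service:", verify_token(tok, 21))   # None: wrong threshold
```

The verifier deliberately answers None rather than False for anything it cannot trust (bad tag, wrong threshold, expired), so that a forged or stale token can never be mistaken for a genuine “under” result, and the claims are limited to what the relying service needs to decide access.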
Effectiveness
Age assurance must be adequate to achieve its intended purpose. The EDPB recommends effectiveness be evaluated by reference to:
- Accessibility: Age assurance should be broadly accessible, with alternative methods available for those who may face discrimination. Accessibility legislation should be complied with.
- Reliability: Methods used should provide an adequate and consistent level of accuracy, with redress mechanisms available, in particular when users can be significantly affected by automated decision-making.
- Robustness: Age assurance should be able to handle unexpected situations and address attempts to trick or bypass the system.
Regarding robustness and self-declaration the EDPB notes “robustness has little meaning in the context of the self-declaration of an age-related attribute, since the reliability of such method depends mostly on the goodwill of the user”.
The ICO Opinion also expressed concern about self-declaration and discouraged its use in high-risk scenarios and for restricting access to adult sites for underage users. The ICO acknowledged that self-declaration can be minimally intrusive and suitable for low-risk activities or when combined with other methods.
Service providers should evaluate age assurance methods using the EDPB criteria and could consider cumulating age assurance methods to enhance effectiveness. The ICO Opinion promoted the waterfall technique which involves combining age assurance methods, such as combining an age estimation method with a secondary age verification method when a high level of assurance is required. The ICO noted that this can provide a cumulative result with a greater level of confidence than when the processes are used in isolation. It is worth noting that the ICO cautioned that waterfall techniques must be carefully designed to ensure they achieve increased accuracy whilst preserving privacy.
Lawfulness, Fairness and Transparency
Service providers and third parties must ensure that the processing of personal data in connection with age assurance is lawful, fair, and transparent and has a valid legal basis. Users should be informed about how their data is used, who processes it and their rights. Any communications on age assurance with children must be clear and understandable.
Automated Decision-Making
Automated decision-making must include safeguards for individuals’ rights and interests. Service providers and third parties should provide remedies, redress mechanisms and consider human intervention.
The EDPB refers to Recital 71 GDPR which provides that solely automated decision-making with legal or similarly significant effects should not be used in respect of a child. The EDPB notes that exceptions to this should remain limited to specific circumstances, such as where it is necessary to protect a child’s welfare.
Data Protection by Design and by Default
Data controllers must implement appropriate measures to ensure data protection by design and by default throughout the processing lifecycle, utilising the most privacy-preserving methods and technologies. The EDPB recommends measures that promote user-held data, secure local processing and technologies like zero-knowledge proofs[1] to enhance privacy and data protection.
Security of Age Assurance
The EDPB helpfully recognises that there is “increasing legal pressure” to implement age assurance and that, given the number of providers that may be subject to such rules, “the occurrence of security breaches should be expected”.
The EDPB emphasises that entities should focus on prevention of personal data breaches and being able to respond to breaches promptly. Trust models, pseudonymisation, encryption and short retention periods may be helpful measures to mitigate the possible adverse effects of personal data breaches.
Accountability
Service providers and third parties must implement governance methods to ensure accountability and compliance with data protection regulations. The EDPB notes that age assurance should operate under a governance framework which should include clearly defined responsibilities, ensure auditability and promote transparency and trust.
Conclusion
The Statement provides welcome guidance and greater clarity on age assurance and should also be useful to controllers that must comply with the Data Protection Commission’s Fundamentals for a Child-Oriented Approach to Data Processing.
The authors would like to thank Jennifer Floyd for her contribution to this briefing.
[1] A zero-knowledge proof is a protocol in which one party (the prover) can demonstrate to another party (the verifier) that some given statement is true, without conveying to the verifier any information beyond the mere fact of the statement’s truth.