Share

6 min read

Writen by Zlatko Delev

Posted on: November 8, 2021

Methods of age assurance for Children’s code

Organizations have a fundamental choice when managing the risks posed to children by their ISS. They may choose to:

* Use age assurance to identify children to a level of certainty proportionate to the risks of their using the ISS, and to ensure that the standards of the code are applied to all child users. For example, by providing a differentiated ISS, or not allowing children to access the ISS; or
* Apply the standards of the code to all users of the ISS if they are unable (or do not wish) to use age assurance.

There are four main approaches to age assurance as described below. Each approach has strengths and drawbacks and can be used to manage different levels or types of risk. In some circumstances, a combination of different age assurance approaches may be effective. This depends on the nature of the risks being addressed and the potential harms to children linked to those risks

The Commissioner emphasizes that the risks and harms faced by children online are real, and that age assurance can be an important part of an appropriate and proportionate response. When deciding how to implement age assurance, organizations should consider whether less privacy-intrusive approaches can achieve the same objective.

1. Age verification
Age verification refers to determining a person’s age with a high level of accuracy by checking against trusted records of data. Approaches to age verification include:
*Hard identifiers: confirming age using solutions that link back to identity documents or officially held data, such as a passport or credit card. This can be done by the user, or another party, for example a parent, guardian, or teacher; and
*third party services: age verification may be outsourced to a third party using any or all of the techniques listed.

Age verification offers a high level of certainty but must be used in proportion to the identified risks to children. There is a risk of indirectly discriminating against individuals who lack the necessary documentation or data, such as credit history. Organizations that do not intend to use age assurance must take alternative measures proportionate to the risk to children, such as applying the code to the whole of their ISS and all of their users.

2.Age estimation
Age estimation refers to the estimation of a person’s age, usually by algorithmic means. It is a catch-all term for a suite of AI-based or AI-assisted technologies that can estimate an individual’s age within a margin of error. It may involve biometric data or profiling or both.

Age estimation:
*can provide more granular determination of age, allowing differentiation of service where this is helpful to users (eg enhancing the age appropriate user experience);
* does not require documentary evidence or checks of official databases and so may be designed in a more privacy-friendly way than age verification;
and
* can be used to verify if users have been wrongly classified as children or adults, and their identity corrected, if employed in ongoing monitoring.

Age estimation techniques can accurately determine whether an individual’s age is within a specified range. The range may be comparatively wide. For this reason, age estimation alone may not provide sufficient certainty for ISS activities which are high risk to children.
Age estimation based on profiling is likely to be privacy intrusive but can offer means to automatically identify under-age users. Age estimation based on biometrics, such as facial or hand geometry, has the potential to be more privacy friendly if data minimization and purpose limitation are applied rigorously.
The market for age estimation has the potential to develop rapidly, and the Commissioner will keep these issues under review. The Commissioner expects these technologies to be developed in line with the principles of data protection by design and by default. They should therefore come to fruition in a data protection-compliant way. The Commissioner will continue to engage with organizations to address age estimation, UK GDPR and code compliance. This builds on the work done in our Sandbox and approval of certification schemes.

2.3.3 Account confirmation
Account confirmation enables an existing account holder to confirm that a user is over or under 18, or the age of the user. The ISS can then provide the user with an age-appropriate version.

For example, in a family account, the main account holder can confirm the age of the people using the other account profiles. The service can then be applied in an age-appropriate way to each user.
Account confirmation is useful for lower risk services, or if done in addition to other age assurance methods. It has limitations that mean it is unlikely to be sufficient when used as the only age assurance measure in high-risk ISS
activities.

This is because it:
*requires active engagement, willingness and a level of IT knowledge from the parent or guardian;
*relies on notifications to parents when action is required, which may lead to fatigue;
* depends on the parents having the capability and capacity to manage their child’s ISS experience (and thus carries some risk of discrimination if relied upon solely);
* may require the parent’s age or identity to be confirmed if they are used to manage access by children to higher risk services;
*can be bypassed by knowledgeable children or by parents willing to put in an inaccurate age to allow a child to use an inappropriate service, putting the ISS at risk of breaching the code; and
* may cause conflict between parents or guardians if there is disagreement between them.

Account confirmation may involve processing the data of both the original
account holder (usually a parent) and the confirmed account holder (usually a child).


Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.

Contact Us

Recent blogs

Appointment of a DPO in Singapore: What You Need to Know Before 30th September

If your business handles personal data in Singapore, it’s important to be aware of a key deadline

Enterprise Data Protection: Securing Large-Scale Information Assets

Cyber threats and regulatory pressures have made it necessary for businesses around the world to sa

Continuous Data Protection: Ensuring Real-Time Information Security

Continuous data protection (CDP) has emerged as a crucial strategy in safeguarding data assets agai

Get Your Account Now

Setup in just a few minutes. Enter your company details and choose the services you need.

Create Account

Get In Touch

Not sure which option to choose? Call, email, chat to us
anytime.

Contact Us
06 GDPR INFO

Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.

Full Name is required!

Business Email is required!

Company is required!

Please accept the Terms and Conditions and Privacy Policy