Introduction
Age assurance is crucial for safeguarding children in the digital realm. Both the European Data Protection Board ("EDPB") and the Information Commissioner's Office ("ICO") have recently issued guidance on implementing age assurance measures. Below we compare the recent EDPB statement on age assurance with the ICO's guidance on the same topic.
Scope and Purpose
The EDPB's statement on age assurance, adopted on 11 February 2025 during its plenary meeting, aims to provide specific guidance and high-level principles derived from the GDPR to protect children's rights and personal data in the digital environment. The ICO's opinion on age assurance focuses on methods to prevent children from accessing inappropriate online content, emphasising compliance with data protection principles and the legislative framework, such as the Online Safety Act.
Principles and Requirements
Lawfulness, Fairness, and Transparency
Both the EDPB and ICO stress the importance of lawfulness, fairness, and transparency in age assurance processes. The EDPB highlights the need for service providers to have a legal basis under Article 6 GDPR and to be transparent with users about how their personal data is used. Similarly, the ICO emphasises the need for a lawful basis, fairness, and transparency, ensuring that users understand how their data is processed and the impact of age assurance methods.
Data Minimisation and Purpose Limitation
The EDPB and ICO both advocate for data minimisation and purpose limitation. The EDPB states that service providers should only process age-related attributes that are strictly necessary for their specified purpose and should not repurpose personal data. The ICO also emphasises collecting the minimum information required for age assurance and not using the data for any other incompatible purpose.
Risk-Based Approach
Both organisations recommend a risk-based approach to age assurance. The EDPB advises service providers to adopt a risk-based approach when designing and operating their services, ensuring that age assurance measures are proportionate to the risks. Similarly, the ICO suggests that the chosen age assurance method should depend on the risks posed by personal information processing activities and the level of age certainty required.
Data Protection by Design and Default
The EDPB and ICO stress the importance of "Data protection by design and default". The EDPB recommends implementing the most privacy-preserving methods and technologies, considering the state of the art, and regularly updating age assurance systems. The ICO also highlights the need for data protection by design, ensuring that age assurance methods are secure, accurate, and proportionate to the risks.
Accountability and Governance
Both the EDPB and ICO emphasise accountability and governance in age assurance. The EDPB suggests implementing a governance framework to ensure compliance with data protection regulations and other legal requirements. Similarly, the ICO stresses the need for accountability measures, such as adopting data protection policies, maintaining documentation, and conducting Data Protection Impact Assessments ("DPIAs") if a service provider's processing is likely to result in a high risk to people's rights and freedoms.
Specific Age Assurance Methods
Age Verification
The EDPB and ICO both discuss age verification methods. The EDPB highlights the need for effective and reliable age verification methods that comply with data protection principles and demonstrably achieve a level of effectiveness adequate to the purpose for which they are carried out. The ICO provides detailed guidance on various age verification approaches, such as using hard identifiers (e.g., driving licences or passports) and third-party providers. The ICO emphasises that the collection of personal information for age verification should be proportionate to the associated risks.
Age Estimation
Both organisations address age estimation methods. The EDPB emphasises the need for accuracy and reliability in age estimation, considering potential biases and discrimination. The ICO outlines different age estimation approaches, such as computer vision-based methods (e.g., via webcam or mobile device camera) and biometric analysis (voice analysis etc.), and stresses the importance of statistical accuracy and fairness. The ICO suggests that age estimation processes could be a more privacy-friendly method than using hard identifiers.
Self-Declaration
The EDPB and ICO both express concerns about the reliability of self-declaration methods (i.e., where a user is asked to state their age, but no further evidence is needed to confirm the veracity of their statement). The EDPB questions the effectiveness of self-declaration in high-risk scenarios, while the ICO advises against using self-declaration for high-risk activities, suggesting it may be used in conjunction with other methods for low-risk scenarios. The Online Safety Act ("OSA") states that a method which requires users solely to self-declare their age is not age verification or estimation, since it is based entirely on trust and can be easily circumvented. The ICO notes that self-declaration can be minimally intrusive and may be considered for low-risk activities.
Waterfall Techniques
The ICO introduces the concept of waterfall techniques, which involve combining various age assurance approaches to achieve a higher level of confidence. For example, combining an age estimation method with a secondary age verification method can provide a cumulative result with greater accuracy. The ICO cautions that waterfall techniques must be carefully designed to ensure they achieve increased accuracy while preserving privacy.
Conclusion
The EDPB and ICO provide comprehensive guidance on age assurance, emphasising the importance of lawfulness, fairness, transparency, data minimisation, purpose limitation, and a risk-based approach. Both organisations stress the need for data protection by design and default, accountability, and effective governance. While the EDPB focuses on high-level principles and the broader European regulatory framework, the ICO provides detailed guidance on specific age assurance methods and their implementation. Together, these guidelines offer a robust framework for service providers to follow to ensure they are protecting children's rights and personal data in the digital environment.