
An overarching aim of the Children’s code is to ensure that all children are given an age-appropriate level of protection. Age assurance is an important part of the most fundamental standard in the code: considering the best interests of the child.

“In all actions concerning children, whether undertaken by public or private social welfare institutions, courts of law, administrative authorities or legislative bodies, the best interests of the child shall be a primary consideration.”

While the code does not mandate the adoption of any one solution, age assurance techniques can play an important role in how you achieve this outcome. For example, age assurance may:

  • protect children from harms arising from the processing of their personal information;
  • enable you to provide information to children, in a way that is appropriate to their age group, about how you collect, process and use their data; and
  • protect children from intrusive activities, such as profiling, marketing and behavioural advertising.

However, you must use age assurance carefully as it carries its own types of risk. For example, it:

  • may be disproportionately intrusive. For example, some approaches may require access to documentation which can include special category data;
  • may introduce risks of inaccuracy. For example, if not implemented effectively, some approaches could have a level of accuracy that may result in some young adults being falsely identified as under 18 and denied access to services they are entitled to use. Conversely, an adult may be inaccurately classified as a child and gain access to under-18-only communities;
  • may result in exclusion or discrimination of already marginalised groups due to bias, inaccuracy or requirements for official documentation. Those in more disadvantaged socio-economic groups are more likely to lack the documentation they need and be affected by algorithmic bias. Non-white ethnicities and disabled people are over-represented in these groups. People may be unable to use some types of age assurance due to physical or cognitive reasons and risk being excluded from services they are entitled to access; and
  • can, in the case of some methods, be circumvented. For example, a child or parent could provide false information in a self-declaration, or a child could log into their parent’s account to complete account confirmation.

2.1 What is an Opinion and why are we publishing this update now?

Article 58(3)(b) of the UK General Data Protection Regulation (UK GDPR) and section 115(3)(b) of the Data Protection Act 2018 (DPA 2018) allow the Information Commissioner to issue opinions to Parliament, government, other institutions or bodies, as well as the public, on any issue about protecting personal information. The Commissioner can issue opinions on his own initiative or on request.

Stakeholders have sought further information to inform their approach to age assurance, which remains challenging for many organisations. In particular, they have asked for more clarity from the Commissioner on:

  • the levels of risk arising from different types of processing and the corresponding level of age certainty required to identify child users and mitigate the risks;
  • the level of certainty that various age assurance solutions provide, and confirmation of which providers or types of solutions comply with data protection requirements;
  • how to collect the additional personal information required for age assurance while complying with the data minimisation principle;
  • how to determine if they are likely to be accessed by children, and therefore fall within scope of the code’s age assurance requirements; and
  • how other legislative requirements could impact on their need to implement age assurance.

This opinion provides the Commissioner’s current view on these issues, including how you can ensure you use age assurance in a data protection compliant way. It is based on existing legislation, standards, guidance and developments at the time of publication. It may inform the Commissioner’s approach to regulatory action relating to the code and data protection legislation.

When we published the first version of the opinion in October 2021, we committed to review it as part of the planned, overall review of the Children’s code one year after the end of its transition phase. Since we published the first opinion, we have:

  • engaged with stakeholders through a call for evidence and focus groups;
  • conducted voluntary audits of age assurance providers and information society services (ISS) to better understand how industry is undertaking age assurance;
  • reviewed data protection impact assessments (DPIAs) to understand how ISS identified risks to children, and how decisions were made on what age assurance methods, if any, were used to mitigate those risks;
  • undertaken research projects, some jointly with Ofcom, on children’s and parents’ attitudes to age assurance, and on measures of accuracy for age assurance;
  • published guidance for ISS on how to determine if they are likely to be accessed by children;
  • reviewed the requirement for an impact assessment in line with our Impact assessment framework and decided that impacts are sufficiently addressed through the Likely to be accessed impact assessment and Children’s code impact assessment; and
  • engaged with Ofcom to ensure regulatory alignment between the age assurance requirements of the code and the Online Safety Act 2023 (OSA).

The Commissioner reserves the right to make changes or form a different view based on further findings or changes in circumstances. For example, the Commissioner acknowledges that the age assurance market is developing rapidly and will keep these issues under review.

2.2 Scope of this opinion

This opinion is aimed at ISS and age assurance providers. It builds on standard 3 of the code. It describes a risk and standards-based approach to age assurance that will help you choose the right solution for your circumstances.

It will be useful if you seek to use age assurance to conform with the code or prevent high risk data processing being accessed by children. It does not apply to the use of age assurance in physical spaces like retail settings.

This opinion will help you to comply with your obligations under the UK GDPR and wider regulatory frameworks. However, it is not written solely for these circumstances, so you will need to assess the relevance and applicability of this opinion to your circumstances. We are working in co-operation with other regulators to ensure a coherent approach.

2.3 How should this opinion be used?

To help you to understand data protection law and good practice as clearly as possible, this opinion says what organisations must, should and could do to comply.

Legislative requirements

  • Must refers to legislative requirements.

Good practice

  • Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.
  • Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.