The ICO exists to empower you through information.

There are four main approaches to age assurance. You can use these individually or in combination. You should inform your approach by the risks your data processing creates for children. The following sections describe these methods and their features to help inform your considerations when applying these technologies.

You should ensure that any age assurance system you implement has an appropriate level of technical accuracy, reliability and robustness, whilst operating in a fair way to its users, based on the level of risk posed. We intend to produce future guidance for ISS around the accuracy and overall efficacy of different age assurance methods. You should also check whether solutions you are considering are certified against recognised industry standards.

Age assurance can also create privacy risks. Article 25 of the UK GDPR explains the need for data protection by design and default. When deciding how to implement age assurance, you must consider whether less privacy-intrusive approaches can achieve the same objective.

You must consider other legislative requirements to implement age assurance, including your obligations under the OSA.

Further reading

Please see our guidance about Data protection by design and default.

3.1 Age verification

Age verification is any method designed to verify the exact age of users or confirm that a user is over 18.

There are different approaches to age verification:

  • Verifying the user’s age through scanning a ‘hard identifier’ such as a driving licence or passport.
  • Verifying a person’s age through a third-party provider, which can use a range of information sources (eg credit card information, banking information or voter registration records).

You must ensure the amount of personal information you collect about a person to verify their age is proportionate to the risks that your service poses.

Age verification does not always require you to collect and store large amounts of personal information. You may be able to verify a user’s age without directly collecting their actual age or date of birth. Many third-party providers supply a ‘yes or no’ response to confirm a user meets the minimum age requirement of a service. Further information on your obligations when using a third party for age verification is outlined in the accountability section.

Verification solutions based on ‘hard identifiers’ could exclude or indirectly discriminate against people who lack the necessary documents or information, such as credit history or passports. They may pose challenges for children, as they are less likely to possess many of the hard identifiers or options that are used in these solutions. Where possible, you should consider offering a choice of age assurance methods, appropriate to the needs of your service and your users. You should consider how to minimise exclusion risks associated with hard identifiers in a way that is appropriate to the risks.

3.2 Age estimation

Age estimation is any method designed to estimate the age, or age-range, of a user, often by algorithmic means.

You could use age estimation approaches for initial onboarding or account creation, or for ongoing monitoring. These approaches estimate the age of a person, rather than confirming whether someone is a specific age (eg through documentary evidence or a trusted third party). As they do not require documentary evidence, you could find this is a more privacy-friendly method than using hard identifiers.

Age estimation systems use a mix of methods, including:

  • A computer vision-based approach - this estimates age from an image of the person. The image may be captured in real time by a mobile device camera or webcam. Facial age estimation has seen significant progress and is now the most widely used age estimation approach. It has high levels of reported accuracy and efficacy, albeit with variances in relation to skin tone, sex and age.
  • Other biometric approaches - such as voice analysis to estimate a person’s age. This area is continuing to develop, with other biometric approaches launched to market recently and achieving accreditation. Whilst the efficacy of these products is improving, currently they tend not to reach the higher levels of accuracy that would make them appropriate for high-risk scenarios.
  • Analysing account profiling or information - information derived from the person’s activity on the platform. This may include analysing their digital footprint, which looks at their interaction or accounts across many different sites. This may be via a person’s email address or mobile phone number, for example. It can also include analysing on-site behaviour once a person is using a service, such as activities, content choices, or friends that suggest the person is below the minimum age of the terms of service. The efficacy of these methods varies.

3.3 Self-declaration

Self-declaration is a method where a user states their age but is not required to provide evidence to confirm it. It is a popular approach because there are relatively few steps to follow, and because it requires minimal personal information. It often takes the form of a tick box to self-affirm that the person meets the age requirements in the terms of service.

The OSA states that a method which requires users solely to self-declare their age is not age verification or estimation. This is because it is based entirely on trust and can be easily circumvented and therefore doesn’t significantly mitigate risk. You should avoid using a self-declaration age assurance method as it is unlikely to be accurate and effective, if:

  • there are significant risks to children from the data processing on your site; or
  • you are choosing to restrict access to underage users from an adult site.

Self-declaration can be minimally intrusive, and you could consider using it for ISS activities which do not pose a high risk to children, or in conjunction with other methods. It enables you to customise content or processing to the needs of different age groups where there is a low incentive for children to lie about their age.

You could increase the effectiveness of self-declaration by applying technical measures. For example:

  • preventing people from immediately attempting to re-register if they are denied access on first declaration for being underage; and
  • closing the accounts of people discovered to be underage.

However, even if you apply additional technical measures, the process can still be easily circumvented.

You could combine self-declaration with techniques that analyse account profiling or information which look for ‘red flags’ that contradict a person’s declared age or age range. Where these indicate that a user is below the minimum age of the terms of service, you could then ask the user to confirm their age using an alternative age assurance method.

However, there is a risk that you may be processing the personal information of underage users unlawfully between the initial self-declaration of age and the identification of an underage user. You should assess the potential for unlawful processing of children’s information in these circumstances. This will identify if there is a risk of harm that you should address through an alternative age assurance method.

3.4 Waterfall techniques and age buffers

The waterfall technique combines different age assurance approaches. Waterfall techniques build on the output of successive age assurance approaches to provide a cumulative result with a greater level of confidence than any of these approaches in isolation.

When used correctly, waterfall techniques have the potential to offer high levels of confidence, while providing a privacy respecting approach for users.

A common example is if you combine an age estimation method with a secondary age verification method when you require a high level of assurance.

Some age estimation methods can provide a high level of assurance where the person is clearly over the age threshold, for example when someone over 40 is looking to access a service for only those over 18 years of age.

The potential for errors may increase for people who are closer to a set threshold (ie the risk of a 16-year-old receiving an estimate they are 18, or a 19-year-old receiving an estimate they are 17).

You could apply an age buffer. This means that a person who is close to the minimum age required to access the service would be required to complete a further age check, using an age verification method.

A use-case scenario for a waterfall technique requiring people to establish they are 18 or over could involve the following:

  • An age estimation method is deployed with a buffer of plus seven years.
  • All people reported as over 25 pass without further checks.
  • All people identified as being under 25 are referred to a secondary age assurance method (ie a choice of credit card check or production of official ID or mobile phone check).

If you choose to use a waterfall technique, you must allow people to challenge the decision.

If you are relying on solely automated decision-making, depending on the impact of that decision on the person, there may be additional data protection requirements.

You must carefully design waterfall techniques to ensure they achieve increased accuracy whilst preserving privacy. A poorly designed waterfall technique risks collecting unnecessary information which provides little additional assurance. This may result in an unjustified level of privacy intrusion which risks non-compliance with the data minimisation principle.
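The 18-or-over scenario above, sketched as an added example (not code from the ICO or from any age assurance provider). The `Verifier` interface, the method names and the choice to treat an estimate of exactly 25 as inside the buffer are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Sequence

MIN_AGE = 18       # service threshold in the scenario above
BUFFER_YEARS = 7   # "buffer of plus seven years": only estimates over 25 pass

# Hypothetical verifier interface: returns True/False as a 'yes or no' answer
# to "is this person 18 or over?", or None when the check cannot be completed
# (for example, the person has no credit card or passport).
Verifier = Callable[[], Optional[bool]]


@dataclass(frozen=True)
class Outcome:
    allowed: bool
    decided_by: str      # stage that produced the decision
    can_challenge: bool  # refusals must stay open to challenge
    # Deliberately no estimated age, date of birth or document data is kept.


def waterfall(estimated_age: Optional[float],
              verifiers: Sequence[tuple[str, Verifier]]) -> Outcome:
    """Stage 1: estimation with a buffer. Stage 2: verification methods,
    tried in the order the person chose them."""
    # Assumption: an estimate of exactly 25 is treated as inside the buffer.
    if estimated_age is not None and estimated_age > MIN_AGE + BUFFER_YEARS:
        # Clearly over the threshold: no further information is collected.
        return Outcome(True, "estimation", can_challenge=False)

    for name, check in verifiers:
        answer = check()
        if answer is None:
            # Inconclusive (missing document, provider error): offer the next
            # method rather than refusing, to limit exclusion.
            continue
        return Outcome(answer, name, can_challenge=not answer)

    # No method produced an answer: refuse, but keep the challenge route open.
    return Outcome(False, "none", can_challenge=True)
```

Only the yes/no outcome and the deciding stage leave the function; the estimate itself is discarded once the buffer comparison is made.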

Further information

Further information on rights relating to automated decision making is available here.

3.5 Age assurance and conformance with standard 3 of the code

We will take into account the products currently available in the age assurance marketplace when considering whether you have conformed with the age-appropriate application standard of the code. We will continue to monitor and evaluate the activity of the Children’s code and associated guidance.

The expectation of “highest possible” certainty on the age of users for high-risk services reflects these commitments. We do not expect you to implement age assurance methods that:

  • are not currently technically feasible;
  • pose a significant and disproportionate economic impact on businesses; or
  • pose risks to the rights and freedoms of people that are disproportionate to the other processing activities on the service.

You should be able to demonstrate that you have considered appropriate age assurance options. You should also evidence disproportionate costs, disproportionate impacts on people, and technical explanations for why you are not using age assurance methods that may provide higher certainty.

The ecosystem for age assurance standards is continuing to develop. We will take into account adherence to such standards when considering whether you are deploying age assurance methods of an appropriate level of certainty.

Further reading

Further information on our regulatory approach is available here.