Parliament has acted to implement laws that transform the way we safeguard children when they access online services, via data protection and online safety legislation. Privacy risks are relevant to all users, but the privacy risks that children face in the online world can have a significant impact. Age assurance is an important tool to manage these risks.
The potential severity of these risks means that the Commissioner expects you to take the necessary steps to protect children. Age assurance is a crucial component in this, helping you to provide an age-appropriate experience, or to restrict access to underage users where appropriate.
Key recommendations for age assurance
You must ensure that your age assurance methods comply with data protection law, meaning that you must:
- assess the data protection risks of the age assurance method(s) you implement;
- base it on good data protection practices, particularly transparency, fairness, lawfulness, accuracy, data minimisation and purpose limitation;
- clearly explain to child users, in an age-appropriate way how their personal information will be used;
- be able to demonstrate that the approach you use complies with data protection law; and
- ensure your approach is compliant with other legislative requirements, including the OSA and the Equality Act 2010.
7.1 Next steps
We will continue to work with stakeholders in the UK and internationally to understand and interpret the legal, technical, and social issues that impact the use of age assurance for online services likely to be accessed by children.
Our work with Ofcom is ongoing, building a coherent approach to our respective regulatory remits outlined in our joint statement.
We will continue our engagement on international standards on age assurance technologies currently being developed by the International Organisation for Standardisation and IEEE (ISO/IEC 27566 and P2089.1). These standards will provide further clarity on technical expectations and processes when implementing a system for use.
The Commissioner intends to replace this opinion with guidance on age assurance in due course. This may include updates on any material legal, technical, or practical developments in this evolving area. He will review the opinion to ensure it is consistent with any changes to data protection law.