The ICO exists to empower you through information.

Age assurance plays an important role in keeping children, and their personal information, safe online. It describes tools or approaches that help estimate or assess a child’s age and therefore allows services to be tailored to their needs or access to be restricted, where required.

Our Children’s code is a statutory code of practice. It sets out how internet society services (ISS) likely to be accessed by children should protect children’s information rights online. We have withdrawn our opinion published in October 2021 and have replaced it with this updated version. This opinion explains how age assurance can form part of an appropriate and proportionate approach to reducing or eliminating the personal information risks children face online and facilitate conformance with the Children’s code.

This opinion is aimed at ISS and age assurance providers to explain how they can use the technology in compliance with data protection law in a risk-based and proportionate way.

Further reading

Please see our guidance for further information about services in scope of the code.

1.1 What is age assurance?

“Age assurance” refers collectively to approaches used to:

  • provide assurance that children are unable to access adult, harmful or otherwise inappropriate content when using ISS; and
  • estimate or establish the age of a user so the ISS can be tailored to their needs and protections put in place appropriate to their age.

We use additional terms throughout this opinion that describe different age assurance approaches:

  • Age verification is any method designed to verify the exact age of users or confirm that a user is over 18.
  • Age estimation is any method designed to estimate the age, or age-range, of a user, often by algorithmic means.
  • Parental confirmation involves someone with parental responsibility confirming the age of a child through an online account.
  • Self-declaration is a method where a user is asked to state their age, but no further evidence is needed to confirm the veracity of their statement.
  • Waterfall techniques are where different age assurance approaches are combined.

1.2 Legislative framework

If an ISS is likely to be accessed by a significant number of children, it is in scope of the code and you should either:

  • establish the age of your users to comply with the code; or
  • apply all standards of the code to all users in a risk-based and proportionate way.

If it is not appropriate for children to access your service, you should focus on restricting access.

Services may also be subject to other age assurance requirements, for example where they are in scope of the Online Safety Act (OSA). User-to-user services, search engines and services which publish regulated provider pornographic content are all subject to age assurance requirements. If you are a service that is in scope of the OSA and you process personal information, you must comply with data protection law.

1.3 What are the Commissioner’s expectations for age assurance under the Children’s code?

The age assurance method you use depends on the risks your personal information processing creates for the child and what level of age certainty is required.

Manage risk

If your personal information processing activities are likely to present a high risk to children’s rights and freedoms, you should either:

  • apply all relevant code standards to all users to ensure risks to children are mitigated; or
  • introduce age assurance methods that give the highest possible level of certainty on users’ age.

High risks to children include:

  • large scale profiling;
  • invisible processing;
  • location tracking; and
  • using innovative technologies, such as smart devices.

In these circumstances, you must complete a data protection impact assessment (DPIA). This helps you assess the data risks to users, particularly children, and explains how you will mitigate these risks.

Apply the data protection principles

When implementing an age assurance method, you must do so in compliance with the data protection principles. You must:

  • Make sure it is fair.
  • Establish a lawful basis to process the information.
  • Be transparent about how you use information.
  • Not use information collected for the purpose of age assurance for any other incompatible purpose.
  • Collect the minimum information required for the process.
  • Make sure the method is accurate.
  • Not retain any information collected by the method for longer than is needed.
  • Make sure the method is secure.
  • Be accountable for your compliance with the law (eg by adopting relevant policies and procedures).

Consider the implications of using AI-driven age assurance methods

There are additional data protection requirements when using artificial intelligence (AI) driven age assurance methods, for example:

  • Some AI driven age assurance methods use biometric data. In many cases biometric data will also be special category data. You must therefore determine if the processing constitutes special category data as per UK GDPR, which is subject to additional protections.
  • Profiling may be used for age assurance (eg by monitoring a users’ interests or use of language). You must balance the risks that are posed by the use of profiling against its benefits in helping establish the age of your users.
  • You must address bias and not be discriminatory.
  • You must make sure that the methods are sufficiently statistically accurate.

The privacy risks children face in the online world can have a significant impact. The potential severity of these risks means that the Commissioner expects you to take the necessary steps to protect children. Age assurance is a crucial component in this, helping you provide an age-appropriate experience, or restrict access to underage users where appropriate. This opinion explains how to do so in a risk-based and proportionate way, whilst respecting users’ privacy.