
Control measure: An assessment has been completed to consider and document the most appropriate age assurance method(s) based on the risks posed to children’s privacy. Methods are in place to establish age which are appropriate to the privacy risks that arise from the personal information being processed.

Risk: If appropriate age assurance methods are not implemented, then there are a number of risks of harm to children accessing or using the service, from a privacy, society and personal perspective. There is also a risk of reputational damage and lack of user confidence. This may breach recital 38 of the UK GDPR and UNCRC Article 16.

Ways to meet our expectations:

  • Use research to determine whether any age assurance measures may deter children from accessing services, even those designed for them.
  • Assess various options available for verifying the actual age of users or the audience.
  • Consider the risks and apply mitigating controls for predicted or estimated age assurance vs substantiated age checks.
  • Consider which method of age assurance to apply depending on whether the service is used by authenticated or non-authenticated users (eg whether people are logged in). Select appropriate age assurance measure(s) that are sufficiently robust and effective.
  • Avoid solely relying on methods of self-declaration (when a user simply states their age or date of birth but does not provide any evidence to confirm it), if there may be a risk to the child if unverified.
  • Ensure when you use a self-declaration age gate that:
    • this is proportionate based on the risks to children of accessing the online service;
    • there is clear evidence that it is sufficiently robust and effective; and
    • age gates are not extensions of the online service (ie the age-gating page doesn't allow access to parts of the online service or content before age assurance occurs).
  • Collect the minimum amount of personal information you need to give an appropriate level of certainty about the age of individual people.
  • Consider how the implementation of age assurance could increase the risk of intrusive information collection.
  • Ask for confirmation of age from the main (confirmed adult) account holder to set up child profiles and restrict further access with a password or PIN if there are already registered adult account holders.
  • Use technical measures to discourage false declarations of age (eg prevent people from immediately resubmitting a new age if they are denied access to your service when they first self-declare their age).
  • Avoid giving people no choice but to provide hard identifiers, unless the processing risks really warrant such an approach. If used, consider the impacts on privacy to the child.
  • Assess the risks of children younger than the minimum age accessing your online service and its content.

Options to consider:

  • Use waterfall techniques to combine different age assurance approaches (eg combining an age estimation method with a secondary age verification method, if a higher level of assurance is required).
  • Apply an age buffer so that a person that is close to the minimum age required to access your service will complete a further age check, using an age verification method.
  • Keep your age assurance solution under review, and consider new alternative solutions and soon-to-be-available age assurance solutions regularly.
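The waterfall and age-buffer options above, as an added illustration that is not part of the ICO guidance: a decision flow in which an age estimation (AE) result is acted on only when it falls clearly outside a buffer around the minimum age, anything inside the buffer is escalated to an age verification (AV) check, and only the outcome and method (not the estimated age or date of birth) are retained. The minimum age of 18, the three-year buffer and all function names are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Literal, Optional

# Assumed policy values (constructed for this example, not taken from the code).
MINIMUM_AGE = 18   # minimum age to access the service
AGE_BUFFER = 3     # years either side of the minimum that trigger a substantiated check

Outcome = Literal["allow", "deny", "needs_verification"]


def waterfall_step1(estimated_age: float,
                    minimum_age: int = MINIMUM_AGE,
                    buffer: int = AGE_BUFFER) -> Outcome:
    """Step 1: act on the age estimation (AE) result only when it is clearly
    outside the buffer; anything near the threshold goes on to step 2."""
    if estimated_age >= minimum_age + buffer:
        return "allow"
    if estimated_age < minimum_age - buffer:
        return "deny"
    return "needs_verification"


def waterfall_step2(verified_dob: date, on: date,
                    minimum_age: int = MINIMUM_AGE) -> Outcome:
    """Step 2: age verification (AV) against a substantiated date of birth.
    The date of birth is used for the comparison only and is not returned."""
    had_birthday = (on.month, on.day) >= (verified_dob.month, verified_dob.day)
    age = on.year - verified_dob.year - (0 if had_birthday else 1)
    return "allow" if age >= minimum_age else "deny"


@dataclass(frozen=True)
class AssuranceRecord:
    """The minimal record to retain: the outcome and the method that produced it.
    No estimated age, date of birth or identity evidence is kept (data minimisation)."""
    outcome: Outcome
    method: str


def assure_age(estimated_age: float, verified_dob: Optional[date] = None,
               on: Optional[date] = None) -> AssuranceRecord:
    """Run the waterfall. If step 1 is inconclusive and no AV evidence has been
    supplied yet, return needs_verification so the caller can prompt for AV."""
    outcome = waterfall_step1(estimated_age)
    if outcome != "needs_verification":
        return AssuranceRecord(outcome, "AE")
    if verified_dob is None:
        return AssuranceRecord("needs_verification", "AE")
    return AssuranceRecord(waterfall_step2(verified_dob, on or date.today()), "AE+AV")
```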


Control measure: Appropriate technical and organisational measures are implemented to protect personal information that is collected in order to assure age (and ensure this information is not then repurposed).

Risk: If personal information collected for the purposes of assessing a person’s age is not afforded appropriate levels of security protection, there is a risk of a personal data breach or unauthorised disclosure or access. If information is then used for different purposes, this repurposed use could be unlawful. This may breach articles 5(1)(a), (b) and (f) of the UK GDPR.

Ways to meet our expectations:

  • Implement appropriate security measures (eg restricted access or encryption) to protect information you collect for age verification.
  • Assess the likelihood of a security breach or attack (eg a model inversion attack to re-identify a child).
  • Ensure information you collect for age assurance is not re-purposed for other purposes (eg targeting children with advertising for products they might like, or sending them details of birthday offers without explicit consent).

Options to consider:

  • Delete age verification information once you have verified it.
  • Have a sign-off or approval process for introducing new uses of information.
  • Run regular staff awareness exercises to ensure they know the risks of repurposing personal information.


Control measure: There has been a clear decision documented about the minimum success criteria for statistical accuracy of any proposed age estimation (AE) or age verification (AV) solutions. The solution is tested against these criteria.

Risk: Without a minimum level of acceptable statistical accuracy, there is a risk that any solution could have an unacceptable level of accuracy, making it unsuitable and ineffective as a reliable AE solution. If due diligence is not undertaken, there are no assurances about the system’s ability to meet accuracy requirements. This may breach UK GDPR article 5(1)(a).

Ways to meet our expectations:

  • Implement measures to provide confidence in the age range that child users fall into.
  • Document the accuracy tolerance levels in either internal design documents or third-party contracts (if the AE is supplied by a third party).
  • Complete due diligence before procuring a third-party AE system to understand and confirm the level of statistical accuracy that you can expect.
  • Document and implement a test plan which includes tolerances for errors as a result of testing the solution.

Options to consider:

  • Include accuracy-based KPIs or service level agreements (SLAs) in written contracts with third-party suppliers.


Control measure: Privacy information is provided at the point of AE or AV activation to explain how automated decisions are made, in a way that people can understand.

Risk: If privacy information is not provided at all, or is not provided in a clear and understandable way, there is a risk that children will not understand why the checks are being made and what the implications are. This may breach UK GDPR articles 12 to 14.

Ways to meet our expectations:

  • Communicate the methods deployed to confirm a person’s age as part of the verification process to ensure transparency.
  • Clarify in the privacy information you provide at the point of the AE or AV check: 
    • why you are doing the checks; 
    • what information you are collecting; 
    • who you are sharing it with; 
    • how long you are keeping it; and 
    • how people can challenge the result of the check.
  • Ensure the information you provide is age appropriate to the user.

Options to consider:

  • Provide focused or bite-sized privacy information relevant to the various information you are collecting.
  • Provide information or explanations using graphics or visual content, to support accessibility.


Control measure: If an automated age assurance process is deployed that could potentially deny someone access to the platform or service, there are processes in place for people to:

  • challenge the outcome; 
  • request a human review of the decision; and 
  • request the information is rectified appropriately.

Risk: If people are unable to challenge the outcome, request a human review of the decision, or ask that the information is rectified, there is a risk of selection bias or discrimination that cannot be challenged. This may breach article 22 of the UK GDPR.

Ways to meet our expectations:

  • Provide a simple way for children to ask you to reconsider an automated decision.
  • Include an element of human interaction and review, if an automated decision is challenged.
  • Give an opportunity for children to provide additional information or gain parental consent to access a system or service, if appropriate.
  • If a challenge is upheld following investigation, review the accuracy of the solution to determine if outputs still fall within acceptable accuracy tolerances.
  • Update any inaccurate personal information you hold to reflect the decision.

Options to consider:

  • Have a simple online contact form for people to request a human review of automated decisions.
  • Include a link to challenge automated decisions or request a human review when you deny access to a platform or service.


Control measure: There are checks and contractual agreements in place with third-party provided age assurance solutions.

Risk: There is a risk that, without appropriate due diligence checks before purchase or deployment, the solution will not meet accuracy, security, transparency or lawful requirements. Without contractual or service level agreements in place, there is no legal basis to challenge solution unsuitability, inaccuracy or poor performance, or to set out data protection related roles and responsibilities. This may breach UK GDPR articles 26, 28 and 5(1)(f).

Ways to meet our expectations:

  • Carry out due diligence checks before using third-party age verification services to satisfy yourself that the level of certainty it confirms age with is sufficient (PAS standard 1296 ‘Online age checking’ may help with this). Also check that it complies with data protection requirements.
  • Check that there are appropriate security measures in place to protect the confidentiality and integrity of personal information.
  • Check that there are appropriate measures in place to protect and enable people’s rights.
  • Ensure written contracts include all the details, terms and clauses required under the UK GDPR.

Options to consider:

  • Regularly test that third-party age assurance solutions are in place and work as intended.
  • Ensure contracts are timebound and reviewed regularly.


Control measure: Where people are able to register for a service using a pre-existing identity created with a third party (such as allowing people to register using an existing social media or similar identity), there are processes in place to ensure that the age assurance carried out by the third party is sufficient to meet the requirements for the service being registered for.

Risk: There is a risk that checks could be spoofed or circumvented or that the pre-existing checks may not be sufficiently robust for the online service now being accessed by a child (compared to the original).

Ways to meet our expectations:

  • Carry out due diligence checks before using third-party age verification services to satisfy yourself that the level of certainty it confirms age with is sufficient (PAS standard 1296 ‘Online age checking’ may help with this). Also check that it complies with data protection requirements.
  • Undertake periodic checks of the accuracy and effectiveness of the pre-existing identification to gain assurances that you can continue to rely on it.
  • Consider using additional age checks to confirm the accuracy of the pre-existing identification.

Options to consider:

  • Have a backup age assurance measure in case people circumvent third-party age assurance processes or third parties change their processes unexpectedly.


Control measure: If the age of a user has not been established with the appropriate level of certainty, then the standards in the code have been applied to all users, as far as is relevant, in order to ensure appropriate protection.

Risk: There is a risk that by deliberately or unintentionally not determining the age of users, there will be a breach of the code and children's privacy will be put at risk. This may breach all aspects of the code and UK GDPR.

Ways to meet our expectations:

  • Apply all the standards to all people if you have not carried out age assurance checks or they are insufficient.
  • Implement measures to protect all users within the user journey, or in specific design features, if you are not sufficiently certain whether they are children.
  • Set the default privacy settings to high for all users.

Options to consider:

  • Keep your age assurance solution under review, and regularly consider alternative options and soon-to-be-available age assurance solutions.