Introduction
- We, the signatories of this statement, are pleased to announce the publication of this joint statement on moving towards a more common international approach to the data protection and privacy implications of age assurance methods.
- This statement sets out some key shared principles for the signatories. These principles are intended as a guide to industry of some of our shared expectations on age assurance practice as it relates to data protection and privacy.
- Local age assurance requirements and standards may vary across different jurisdictions. We therefore remind providers of online services (hereafter, ‘providers’) 1 to consult with the appropriate data protection and privacy enforcement authorities in the countries they operate in when seeking compliance guidance with respect to their data protection and privacy obligations under the law. These principles we outline in this statement aim to further support age assurance that is accurate and effective, while still ensuring a high level of user privacy.
Why are we making this statement?
- Age assurance is the process of establishing, determining, and/or confirming either an age or an age range of a natural person. It is an umbrella term encompassing all methods that help estimate or assess a user's age and therefore allows providers to tailor user experience to the user’s age, or to enforce age-appropriate access restrictions, where legally required.
- Age assurance can be used to protect people, and particularly children, 2 from harms arising from the processing of their personal information online, and ensure this information is not used to serve children content they are too young to access. Additionally, in cases where the processing of children’s data is specifically forbidden, age assurance can help organisations meet their legal obligations.
- Although we recognise the ongoing work of data protection authorities and online safety regulators in the field of age assurance, industry has suggested a need for further regulatory convergence and coordination. 3
- Whilst this statement does not address all the known data protection and privacy questions relating to age assurance methods, it does seek to start addressing these challenges by setting out some initial shared principles from different international regulators in this area.
Aims of the joint statement
- We recognise age assurance is intended to protect children within the digital world, while they explore online and develop, not to block their access to the digital world.
- By publishing this joint statement we aim to set out some key shared principles across industry on age assurance practices as they relate to data protection and privacy, and we therefore urge providers and the suppliers of age assurance services, to take account of these principles in their approach to age assurance.
- We hope these principles will act as a useful starting point for continued conversations around how international consistency and coordination in this area can grow – supporting age assurance that is accurate and effective, while still ensuring a high level of user privacy.
International Age Assurance Working Group
- As a result of the current age assurance landscape, the UK Information Commissioner’s Office (ICO) created an International Working Group in 2022 as a mechanism for data protection authorities to share information on age assurance methods and to learn from each other’s experiences. 4
- The group has been guided by existing work on age assurance policy. This work includes, but is not limited to, the ICO Opinion on Age Assurance, 5 the CNIL (French DPA) Recommendations on online age verification, 6 and the Decalogue of principles from the AEPD (Spanish DPA). 7 Additionally, it takes into account the international standards on age assurance technologies currently being developed by the International Organisation for Standardisation (ISO) 8 and the IEEE Standard 9 already launched, as well as the continuing technical developments in this area, including age-estimation techniques.
- This statement was born as an initiative by some members of the group and reflects the views of its signatories. It is not endorsed by the International Age Assurance Working Group as a whole.
Next steps
- This statement will remain open for signatures after its publication. We invite regulators, who are not members of this group, and who support the shared principles outlined below, to sign this statement.
- The International Age Assurance Working Group will continue to collaborate on age assurance, and to take account of the rapidly evolving technological developments in this area, to reduce the privacy risks people, and particularly children, face in the online world.
1 Services include many apps, programs, connected toys and devices, search engines, social media platforms, social media platforms, streaming services, online games, news or educational websites and websites offering other goods or services to users over the internet.
2 This joint statement uses the UN Convention on the Rights of the Child (UNCRC) definition that children are all those under 18.However, we recognise national legislation may require age assurance methods at different ages, such as at the local age of consent. See UNCRC, Article 1.
3 Age Assurance and Age Verification Tools: Takeaways from CIPL Roundtable.
4 Although the group is separate from the Ofcom-chaired International Working group on Age Verification, comprised of online-safety regulators, both groups remain committed to proactive collaboration.
5 Updated Commissioner’s Opinion on age assurance for the Children’s code - ICO
6 Online age verification: balancing privacy and the protection of minors - CNIL
7 Decalogue of Principles: Age verification and protection of minors from inappropriate content - AEPD
8 ISO/IEC CD 27566-1 - Information security, cybersecurity and privacy protection — Age assurance systems — Framework — Part 1: Framework