
  1. Age assurance must always be implemented in compliance with data protection requirements 10 in a risk-based and proportionate way to reduce the risk of harm to users, and particularly children.
  2. The use of personal information for age assurance must be lawful, fair, transparent, and non-discriminatory. Any personal information collected must be limited to what is necessary for the purpose of age assurance.
  3. Any age assurance implemented should be in the best interests of the child, 11 while guaranteeing all users' fundamental right to access information from the internet. 12
  4. Providers, including the suppliers of age assurance services, should be accountable for their approach to age assurance and for demonstrating that it is privacy-preserving, effective, and proportionate.
  5. Providers should establish with reasonable certainty whether children are likely to access their platform or website. Where it is inappropriate or unlawful for children to be accessing a website, providers should focus on deploying an effective means of age assurance to prevent children from accessing the site.
  6. Providers should assess and document the severity of the potential data protection risks to users, and particularly children, from the age assurance method(s) implemented. 13
  7. Providers should balance the data protection risks posed by the age assurance method(s) implemented against the best interests of the child, including their rights to safely access diverse information online while being protected from harmful material. 14
  8. Providers should be aware of the state of the art in age assurance technology in order to ensure they implement methods that are effective, while also protecting users’ rights and freedoms, and to keep these methods under review.
  9. Providers should be aware that where there is a high data protection risk to users, then relying upon self-declaration alone as a method of age assurance is unlikely to be appropriate as the method can be too easily circumvented.
  10. Self-declaration alone should be used only in situations where there is little to no data protection risk to children. Age assurance methods requiring more personal data may be used when legally required or where there is a high data protection risk to children, and when in compliance with local data protection law.
  11. Age assurance is one potential technical solution but not the only tool available to protect children online. Parental filters on devices, public education and awareness campaigns, or applying data protection by design and default principles can potentially, in concert with age assurance methods, play an important role in protecting children online.

 

10 For example, Article 5 of the EU and UK General Data Protection Regulation (GDPR) sets out the principles relating to processing of personal data.

11 UNCRC, Article 3: The best interests of the child must be a top priority in all decisions and actions that affect children.

12 UNCRC, Article 17.

13 This could include, for example, carrying out a Data Protection Impact Assessment (DPIA) where required.

14 UNCRC, Article 17. UN Committee on the Rights of the Child, General comment No. 25 (2021) on children’s rights in relation to the digital environment, paragraphs 53-54.