Annex: What we’ve learned about profiling for age assurance
Profiling for age assurance has a place in the range of technological solutions to ensure adequate protections are in place for children online.
However, it cannot replace a robust age gate, where children under 13 are not permitted on a service.
Introduction
As part of the children’s code strategy, we wanted to know more about how organisations were ensuring their processing of children’s information was lawful, particularly that of under 13s.
As set out in the Commissioner’s opinion on age assurance, self-declaration in isolation as a form of age assurance is not adequate for services where high-risk processing is taking place. We note that profiling is sometimes used in place of, or to supplement, self-declaration. This was identified as an area of interest for us and we issued a call for evidence about this processing.
In our March progress update, we explained that due to the limited information we received through the call for evidence, we would be contacting organisations directly to find out more about how they use profiling for age assurance.
Scope
Age assurance refers to measures that help organisations to estimate or verify the age of their users. They can use age assurance to:
- tailor content and experiences;
- prevent underage users from accessing a platform; or
- remove users they discover are underage from their platforms.
Under UK data protection law, profiling is defined as:
“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.” [1]
When profiling is used for age assurance, it is sometimes referred to as ‘age inferencing’. In the context of this summary, this means using profiling, as defined by UK data protection law, to infer or estimate users’ ages.
Profiling systems tend to be proprietary and deployed on larger platforms. We wanted to gain a further understanding of:
- how these systems work;
- whether they are effective; and
- the extent to which they are deployed for the removal of under 13 users from platforms in accordance with terms of service.
We contacted six organisations about their use of profiling for age assurance. Two of the organisations stated they do not use profiling for age assurance. Our summary of findings is based on the four responses we received from organisations which deploy profiling for age assurance.
What platforms told us
Deployment of profiling for age assurance
There are a number of age assurance techniques that platforms use, but profiling tends to supplement self-declaration.
Some platforms have multiple profiling models that they use to infer the ages of their users. These models tend to be deployed to infer whether a user is over or under 18, and to tailor their content and experience accordingly.
The tools platforms deploy to analyse indicators that a user could be under 13 include text and audio analysis. Such an indicator may be a declaration of age (eg “Happy birthday to me! I am 10 today!”). Certain models also analyse behaviour and traffic indicators (eg visitors to a stream) to infer users’ ages.
Accounts which are flagged as under 13 go through a human review. There is an opportunity for people to verify their age (eg through ID verification or facial age estimation) if they would like to change it to reflect they are older or access certain functionalities.
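For illustration only, a basic text indicator of this kind could be approximated with simple pattern matching, as in the sketch below. The pattern, function and example posts are our own illustrative assumptions; the proprietary models platforms described to us combine many more signals and are not reproduced here.

```python
import re

# Illustrative only: a simple pattern for explicit age declarations in posts,
# eg "I am 10 today" or "I'm 12". Real systems combine text, audio, behaviour
# and traffic signals in proprietary models.
AGE_DECLARATION = re.compile(r"\bI(?:'m| am)\s+(?:turning\s+)?(\d{1,2})\b", re.IGNORECASE)

def flag_possible_under_13(post_text: str) -> bool:
    """Return True if the post contains an explicit declaration of an age under 13."""
    match = AGE_DECLARATION.search(post_text)
    return bool(match) and int(match.group(1)) < 13

# Flagged accounts would then be queued for human review, not removed automatically.
posts = ["Happy birthday to me! I am 10 today!", "I'm 25 and new here"]
flagged = [p for p in posts if flag_possible_under_13(p)]
print(flagged)  # ['Happy birthday to me! I am 10 today!']
```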
Data used
Profiling is generally applied to all users on a platform, mostly in a signed-in environment, but also at times in a signed-out environment. The information the models rely on primarily consists of information users provide about themselves, either actively or through their interactions with and on a platform. This may include location, viewing history, searches, friends, networks, and content they view.
User-generated and provided information is used to train and test age inference models, and to profile people. Information used to infer a person’s age may also involve the personal information of third parties (eg their friends and accounts they interact with).
Users with an account tend to provide more information because they have access to more functionality within a service (eg the ability to interact with other users who have an account).
The age output generated through profiling is then usually used to:
- tailor the experiences on a service (eg content and advertising), including safety measures; or
- remove underage users from a service after human review.
Time taken
The length of time a user is profiled before an estimated age is produced differs across services and purposes. Where the intention is to remove underage users, an inference could rely on a user admitting their age in a post. Accounts suspected to belong to under 13 users are flagged for human review. On one platform, human reviews could take place within minutes of a report being generated about a potentially underage user.
Where the intention is to tailor the experience according to an estimated age, the minimum time a model took to assign an age was 4.2 days. There are no maximum time frames for certain models.
Where results are inconclusive, most platforms default to the age a user self-declares at registration, but one platform treats the user as under 18.
In some cases, lower engagement by users may extend the time it takes to make an age inference. In others, the amount of information may not impact the time taken to produce an age inference, but may impact the degree of confidence in the result.
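As an illustration of the default behaviour described above, the sketch below shows how a service might resolve an inconclusive inference. The confidence threshold, data structure and function names are hypothetical assumptions for illustration only; they are not drawn from the platforms’ responses.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AgeInference:
    estimated_age: Optional[int]   # None where the model produced no estimate
    confidence: float              # model confidence between 0 and 1 (hypothetical scale)

CONFIDENCE_THRESHOLD = 0.8         # hypothetical value; actual thresholds were not disclosed

def age_to_act_on(inference: AgeInference, self_declared_age: int,
                  treat_inconclusive_as_under_18: bool = False) -> int:
    """Return the age a service acts on when applying content and safety settings."""
    conclusive = (inference.estimated_age is not None
                  and inference.confidence >= CONFIDENCE_THRESHOLD)
    if conclusive:
        return inference.estimated_age
    if treat_inconclusive_as_under_18:
        return 17                  # one platform treats inconclusive results as under 18
    return self_declared_age       # most platforms fall back to the age given at registration

# An inconclusive result for a child who self-declared as 18 at registration:
# the service acts on the self-declared age of 18.
print(age_to_act_on(AgeInference(estimated_age=None, confidence=0.0), self_declared_age=18))
```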
Measurement of statistical accuracy
As profiling technologies are proprietary, platforms use different information and measure statistical accuracy in different ways. These include the following methods, sometimes used in combination (a worked illustration of precision and recall follows the list):
- setting precision and recall rates [2];
- using ‘ground truth’ data [3] (which may include third-party information, eg from credit reference agencies);
- regular training and testing of models to identify any patterns that need investigation; and
- human review of accounts flagged by profiling models.
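As a worked illustration of the precision and recall measures referred to above (see footnote 2), the sketch below calculates both metrics for a hypothetical ‘under 13’ classifier against ground truth labels. The figures are invented and do not reflect any platform’s reported performance.

```python
# Illustrative only: precision and recall for an 'under 13' classifier,
# evaluated against ground truth labels (True = actually under 13).

def precision_recall(predictions: list[bool], ground_truth: list[bool]) -> tuple[float, float]:
    """Precision and recall for the positive class ('flagged as under 13')."""
    true_pos = sum(p and t for p, t in zip(predictions, ground_truth))
    flagged = sum(predictions)        # accounts the model flagged as under 13
    actual_pos = sum(ground_truth)    # accounts actually under 13
    precision = true_pos / flagged if flagged else 0.0
    recall = true_pos / actual_pos if actual_pos else 0.0
    return precision, recall

# 10 accounts flagged, of which 9 are genuinely under 13 -> precision 0.90
# 20 accounts genuinely under 13, of which 9 are identified -> recall 0.45
predictions  = [True] * 10 + [False] * 11
ground_truth = [True] * 9 + [False] * 1 + [True] * 11
p, r = precision_recall(predictions, ground_truth)
print(f"precision={p:.2f}, recall={r:.2f}")
```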
We weren’t provided with specific technical details on how platforms measure statistical accuracy, such as:
- thresholds for measuring accuracy;
- how they decided on thresholds;
- statistics which outline how the models are performing against accuracy metrics chosen; or
- error rates they measure the models against.
We’re aware that where profiling is used to tailor experience, models which provide inconclusive results tend to default to the age a user self-declared at registration. This means that protective measures for children (eg high privacy settings by default) may not be effectively implemented if a child self-declares as 18+, or, if implemented, the measures may be removed prematurely if a child self-declares as an older child.
Fairness and discrimination
Platforms refer to regular training and testing of models using data from existing users, which they say captures a diverse population and ensures representativeness. Where platforms use profiling to identify children below the minimum age on a service for removal, the final decision is based on a human review, rather than an automated decision.
Our view
Profiling has a place in the range of age assurance measures available to platforms to protect children online. Platforms can use profiling as an anti-circumvention tool to identify under 13s who have slipped through robust age gates, if they can demonstrate:
- the necessity and proportionality of their approach; and
- the effectiveness of their model.
However, it is not appropriate to use profiling to make up for a weak or non-existent age gate if under 13s are not permitted on a service. We explore our position in the following use cases.
Use case one: Profiling to supplement a weak age gate (such as self-declaration) to remove access for under 13 children
The focus of our queries was understanding how platforms may use profiling to remove underage children from platforms that are not intended for them.
Profiling for age assurance does not function as an age-gating measure (eg age verification or age estimation techniques which can be used to prevent access to a service or functionality at the point of entry). Profiling requires a user to already be on a service in order to infer an age based on their activity. This means that services with a minimum age of 13 risk unlawful processing, because the service will process the personal information of children who are not meant to be on it before the profiling is able to provide an age inference.
Our guidance on lawful basis says:
“Many of the lawful bases for processing depend on the processing being ‘necessary’. This does not mean that processing has to be absolutely essential. However, it must be more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means, or by processing less data. It is not enough to argue that processing is necessary because you have chosen to operate your business in a particular way. The question is whether the processing is objectively necessary for the stated purpose, not whether it is a necessary part of your chosen methods.”
Unless platforms are relying on consent to profile users, including under 13s [4], they need to meet the necessity threshold set out in the other lawful bases. It is unlikely that deploying profiling to make up for a weak age gate (eg self-declaration) would meet the necessity threshold, as specified in UK data protection law, because:
- recital 38 of the UK GDPR highlights that children merit specific protection, and organisations should take particular care when profiling children;
- there will be an inevitable time lag before an age inference is provided during which time harms (eg personalised recommendation of harmful content or contact) that may arise from data processing could happen; and
- there are other options in the market that are more robust and provide greater certainty of a user’s age than self-declaration.
Whether a system is effective also impacts the necessity of the processing, and whether the service has a valid lawful basis. The platforms we contacted primarily focus on establishing whether users are over 18, and there is very limited information on performance and efficacy at the age 13 threshold. In addition, there is limited public information about under 13 usage of the platforms we wrote to. It is therefore challenging to assess the statistics provided on underage accounts identified and removed against the actual number of under 13s accessing these sites.
However, public research indicates that children under the service age thresholds continue to be able to access social media and video-sharing platforms. Ofcom noted that the majority of children aged eight to 12 were not asked to prove their age on services. This includes the two organisations we’re aware of that use profiling to identify under 13 accounts on their platforms for potential removal after human review. This suggests limited effectiveness of the profiling systems that platforms use to identify under 13 users for potential removal. [5]
Where the processing can’t be shown to be necessary or effective, it is unlikely there will be a lawful basis for processing.
Our children’s code states that where it is inappropriate for children to access a service, platforms should focus on preventing access. Platforms that do not intend to provide a service to under 13s should ensure they can effectively prevent underage children from accessing their services. In this context, profiling cannot replace a robust age gate where it is required.
Use case two: Profiling to supplement a robust age gate to remove access for under 13 children, to tailor experience, or both
If their terms of service state that under 13s should not be accessing their services, platforms must ensure that they deploy robust mechanisms to prevent this from happening and minimise the risk of unlawful processing.
Age assurance measures are not foolproof and even the most robust methods may be circumvented. There is scope for platforms to use profiling as an anti-circumvention measure or to tailor an experience (including content and for safety reasons) after robust age gates which effectively age-assure users.
Platforms deploying profiling have to demonstrate compliance with data protection law. This includes evidencing that these methods are effective for their stated purposes and are necessary and proportionate, when compared to less intrusive methods.
We’ve issued separate guidance on how platforms can comply with data protection law when using profiling for trust and safety purposes, including to comply with requirements under the Online Safety Act (OSA). [6]
Next steps
This summary is based on our specific fact-finding exercise and our focus on the use of profiling to remove under 13 users.
We’ve been consistent in our message that self-declaration used in isolation is not appropriate for high-risk services. We consider that, as currently deployed, profiling to supplement self-declaration is unlikely to be adequate where the intention is to remove underage children from platforms they should not be accessing. However, there is a role for the technology when used in conjunction with robust and effective age gates.
Any deployment of age assurance technology must consider user privacy and comply with data protection law. We intend to follow up with the platforms deploying profiling for age assurance in the coming months. This will form part of our wider work to understand and drive improvements in the way platforms deploy age gates at account creation.
The age assurance landscape is continuously evolving. We continue to learn from stakeholders about the measures they’re using to keep children, and their information, safe online. We’re keen to hear from platforms that use profiling to infer the ages of their users and learn how this works on your services. If you’d like to share information about how you deploy profiling for age assurance, please contact [email protected].
[2] Our guidance on AI and data protection provides further information on these terms. Precision refers to the percentage of cases identified as positive that are in fact positive (also called ‘positive predictive value’). For example, if nine out of 10 emails that are classified as spam are actually spam, the precision of the AI system is 90%. Recall (or sensitivity) means the percentage of all cases that are in fact positive that are identified as such. For example, if 10 out of 100 emails are actually spam, but the AI system only identifies seven of them, then its recall is 70%.
[3] This refers to information that accurately reflects real-world facts.
[4] Under Article 8 of the UK GDPR, if information society services (ISS) rely on consent as a lawful basis to process the personal information of under 13 children, the processing is only lawful if consent is given or authorised by someone with parental responsibility for the child. The ISS must also make reasonable efforts to verify that consent.
[5] See How video-sharing platforms (VSPs) protect children from encountering harmful videos; Ofcom Children's User Ages 2024 Wave 3 Chart Pack; and Chart Pack Wave 4 (fieldwork conducted between January and February 2025).
[6] Services must also comply with their duties under the Online Safety Act alongside data protection law. Ofcom has issued guidance for organisations on the implementation of highly effective age assurance. See Quick guide to implementing highly effective age assurance for more resources.