Guidance on Age Assurance

Organisations who are grappling with how best to comply with EU law requirements in respect of age assurance may find guidance materials published recently on the European Commission’s betterinternetforkids.eu website helpful.

The materials come with the health warning, however, that they reflects the views of the authors only are not intended to be relied on as formal legal guidance.  

The stated aim of the materials is to assist digital service providers on making decisions relating to age assurance in connection with compliance with EU laws, such as the AVMSD, the DSA and the GDPR. They consist of a self-assessment questionnaire intended to enable a service provider to determine what level of age assurance it requires and an associated manual.

The press release relating to the launch of these materials included the following statement:

“However, effective implementation of age assurance remains a complex endeavour. Since any approach must be case- and context-sensitive, there is no one-size-fits-all solution. So far, there are few practical guidelines to determine whether age assurance is a proportionate measure, and how best it can be implemented to put the rights and interests of children and young people first.”

A Task Force on Age Verification under the Digital Services Act (DSA) has been established to consider this issue specifically through the lens of the DSA, however its report is not expected to be published before the autumn of 2024. In the meantime, these guidance materials are intended to be used, in conjunction with other assessment tools, by digital service providers who deal with children and are subject to EU laws.

The questionnaire and manual contain useful references to various guidance materials published by a range of organisations on this topic. For example, they refer to the model for assessing risk posed to children by a digital service published by the OECD and the working draft model for identifying what level of age assurance is required, based on such risk, published by the International Organisation for Standardization.  The manual envisages a sliding scale for the level of age assurance required, based on the level of risk posed, which is summarised as follows:

Risk assessment

Level of Assurance

No/negligible

Zero/negligible

Low

Low/basic

Average

Average/medium/standard

High

High/enhanced

Extremely High

Extremely high/strict


The materials contain useful commentary regarding the age assurance methods that may be appropriate in a range of circumstances and explain the differences between some of the main methods, such as age estimation, age verification or self-declaration.  For example, the authors state that:

  • where a digital service provider intends to rely on consent of its users to the processing of their personal data for the provision of information society services (and, as a result, the ‘digital age of consent’ is relevant), age verification will be required.
  • Where a digital service provider is required to take steps to protect minors from harmful consent (e.g. under the AVMSD), the most harmful consent should be subject to age verification measures.
  • Where a digital service provider is subject to a duty of care in respect of minors (e.g. under the DSA), while age assurance may be required in some circumstances, age verification may be disproportionate due to the risk of it having a negative exclusionary effect on children. 

Overall, the authors emphasise that age assurance must be proportionate, taking into account the means used to achieve the intended objective and its impact on the rights of children.

It is notable that the manual cites materials published by two Irish regulatory authorities in this area. The Irish Data Protection Commission’s Fundamentals for a Child-Orientated Approach to Data Processing are mentioned in connection with data protection issues to be considered in the context of age assurance methods. Coimisiún na Meán’s reference in its draft Online Safety Code to video-sharing platform service providers using age estimation or verification measures, or other technical measures to prevent children from viewing age-inappropriate content, is also mentioned. This reflects the particularly prominent roles these two Irish regulatory authorities perform in connection with supervising and enforcing European laws applicable to digital service providers within their jurisdiction.

The final overarching question digital service providers are recommended to consider in the Questionnaire is “Is age assurance compliant with relevant legislation in relation to data protection and privacy, harmful content, platform regulation, and so on?”  Since ensuring compliance with overlapping and increasingly comply legal requirements on this topic is becoming increasingly challenging, this is not an easy question to answer. As the development of further legal guidance and industry standards continue to evolve, these guidance materials offer digital service providers a structured basis to at least seek to address this question.   

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.