The ICO has issued an opinion on age assurance. It reminds readers that the Age Appropriate Design Code (Children’s Code) took effect from 2 September 2021, and that one of the fifteen standards of age-appropriate design is age assurance. It advocates taking a risk-based approach to recognising the individual age of users and applying the Code’s standards to children. The ICO recognises that age assurance may require processing of personal data beyond that involved in the delivery of a core service. However, the risks to children online are very real. The Opinion explains how age assurance can form part of an appropriate and proportionate approach to reducing or eliminating these risks and conforming to the Code.
The Opinion is aimed at providers of information society services (ISS) in scope of the Code, and providers of age assurance products, services and applications that ISS may use to conform with the code. It sets out how the ICO currently expects ISS to meet the Code’s age-appropriate application standard. It outlines a risk-based approach for organisations to apply age assurance measures that are appropriate for their use of children’s data and organisational context.
Age assurance refers collectively to approaches used to: provide assurance that children are unable to access adult, harmful or otherwise inappropriate content when using ISS; and estimate or establish the age of a user so that ISS can be tailored to their needs and protections appropriate to their age. These include age verification and age estimation. Age assurance should be used to minimise risks to children. It should also ensure relevant aspects of the ISS (eg privacy information) which children are intended to access, are appropriate to those users. While the ICO appreciates the developments in age assurance techniques, technology and policy, more needs to be done to ensure that these respect, and comply, with data protection law.
Organisations should build up evidence and record their assessment of risks and decisions they take, including on the age appropriate application standard. This will ensure accountability for the decisions taken and enable organisations to demonstrate their approach, even if it is evolving. This is also evidence the ICO can consider if a complaint is brought about an ISS or it comes to the ICO’s attention otherwise.
Due to the rapidly evolving state of the age assurance market, wider legislative proposals and developing policy landscape, the ICO intends to review the Opinion in line with the planned review of the Children’s Code in 2022. It will work to develop its understanding of emerging age assurance approaches. It is likely that its work with Ofcom will become more extensive given Ofcom’s role as regulator for video sharing platforms and future regulator for online safety. The ICO will work together with Ofcom and other regulators to ensure a coherent approach, particularly if they engage with the same ISS at the same time.
It welcomes engagement from interested parties, particularly about evidence of emerging age assurance techniques and their accuracy. This will help businesses to ensure that age assurance does not degrade the experience of using their ISS at the same time as facilitating the optimal solutions and protections for children.
The Commissioner is also keen to support the development of age estimation approaches and data protection by design. This will build on its work in its regulatory Sandbox and its approval of certification schemes that address age estimation, UK GDPR compliance and conforming with the Code.
The Commissioner emphasises that it will take action if personal data is misused under the guise of, or during processing for, age assurance.
