On 14 October 2021, the ICO published an Opinion on “Age Assurance for the Children's Code”. The Opinion provides additional information on the ICO's expectations regarding age assurance in the context of the Age Appropriate Design Code (“Code”). Compliance with the Code has been required from 2 September 2021.
The ICO has also launched a call for evidence on the use of age assurance in relation to the Code. This is intended to enable the ICO to keep up with technological developments and deepen its understanding of how the industry is responding to the Code and the requirement for age assurance. The call for evidence closes on Thursday 9 December 2021.
We have summarised key points from the Opinion below.
Methods of Age Assurance
The Opinion discusses different methods of age assurance, including
- age verification: determining age with a high level of accuracy by checking against trusted records (e.g. hard identifiers or third party services);
- age estimation: estimating age, usually by using algorithms/AI based or assisted technologies (including discussion of the use of biometrics such as facial or hand geometry);
- account confirmation: where an existing account holder confirms a user is over or under 18, or confirming the age of the user. The ICO states this is appropriate for lower risk services or if used in addition to other age assurance methods; and
- self-declaration: where a user states their age but does not provide any evidence to confirm it. The ICO states this may be suitable for low risk activities or if used in conjunction with other techniques. The ICO also mentions technical measures that can strengthen self-declaration, such as preventing users from immediately attempting to re-register if denied access on their first attempt, or closing accounts of users discovered to be underage.
The Opinion also discusses the risk of age assurance producing discriminatory outcomes, for example age verification can depend on users having access to official documentation or a credit history, which can be an issue for certain groups, as well as the risk of algorithmic bias with age estimation.
Risk and ICO expectations on Age Assurance
The Opinion sets out the ICO’s expectations regarding age assurance depending on the level of risk:
- High risk: if there is likely to be a high risk to children’s rights and freedoms the options are:
- apply all relevant standards of the Code to all users to ensure risks to children are mitigated; or
- introduce age assurance measures that give the “highest possible level of certainty on age of users”
- Medium or Low risk: if the activities of the online service are likely to be medium to low risk to children’s rights and freedoms the options are:
- apply all relevant standards of the Code to all users to ensure the risks to children are low; or
- introduce age assurance measures that give a level of certainty on the age of child users that is “proportionate to the potential risks to children”.
A key theme in the opinion is the importance of conducting a data protection impact assessment (“DPIA”) as part of compliance with the Code standards itself but also in assessing the risk to assist with deciding on the appropriate approach to age assurance.
The Opinion states that organisations must consider the risks to children that arise from the platform or service, determine whether age assurance is required and select an approach to age assurance that is appropriate and proportionate to the risk.
What is “high risk”?
For the purposes of the Code, the ICO considers high risk activities as data processing that:
- falls within the areas the ICO states are “likely to result in high risk” to children (summarised further below); or
- where the provider’s risk assessment indicates risks to children’s rights and freedoms are high.
The ICO explains this is where the likelihood of harm to children occurring is high, or the impact of the harm is not minimal, or there is a reasonable possibility of serious harm occurring.
The Opinion provides further information on what the ICO considers as “likely to result in high risks” to children in this context, which includes:
- Large scale profiling of children (e.g. identifying children as belonging to particular groups, automated decision making, analysing social networks, or to infer interests and behaviours);
- Invisible processing of children’s data not obtained directly from users (e.g. list brokering, data sharing with third parties and online tracking of children);
- Targeting children for marketing and advertising (e.g. personalised marketing content based on children’s data);
- Tracking of children, including a child’s use of an online service and digital proxies for offline activity, such as geolocation (e.g. web and device tracking, fitness and lifestyle monitoring using connected devices and online reward schemes);
- Activities with risks of physical or developmental harm to children (e.g. data that reveals children’s physical location or health, or which could expose children to unsafe or age-inappropriate products and services); and
- Activities with risks of detrimental use (e.g. processing demonstrably against children’s wellbeing, as defined by other regulatory provisions, government advice, or industry codes of practice).
Age Restricted Services
The Opinion makes clear that if a service is age-restricted by law (e.g. alcohol, tobacco, gambling etc.) providers of such services should focus on preventing access to that service by children.
Age Assurance and Data Protection Compliance
The Opinion also discusses the main data protection principles and requirements the ICO expects to be taken into account in the context of age assurance.
In particular, the Opinion discusses age assurance in relation to principles such as lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, security and accountability.
The Opinion highlights that data collected for age assurance “should not be re-used for purposes such as profiling for advertising, or in other ways that are incompatible with the purposes for which the data has been collected” and mentions that organisations should not share children’s age assurance data unless there is a compelling reason.
The Opinion states that the Commissioner will continue engaging with stakeholders, including Ofcom, the Children’s Commissioner, Government and industry as emerging age assurance approaches develop.
The ICO has also launched a call for evidence together with the Opinion to continue to develop its approach to age assurance as new technologies and the market continue to evolve.
The Opinion acknowledges that the age assurance market is rapidly developing and therefore the ICO will keep the issue of age assurance under review.
The ICO will review the Opinion as part of its planned, overall review of the Code in September 2022.
We know that age assurance technology and the market are developing rapidly, so we have also issued a call for evidence to further develop and maintain our knowledge in this area. We’re looking for evidence including details on existing or proposed age estimation approaches, novel approaches to age assurance, systems where data protection by design has been applied and the type of economic impact of age assurance approaches.