Joint Statement on a Common International Approach to Age Assurance

September 19, 2024

Introduction

We, the signatories of this statement, are pleased to announce the publication of this joint statement on moving towards a more common international approach to the data protection and privacy implications of age assurance methods.
This statement sets out some key shared principles for the signatories. These principles are intended as a guide to industry of some of our shared expectations on age assurance practice as it relates to data protection and privacy.
Local age assurance requirements and standards may vary across different jurisdictions. We therefore remind providers of online services (hereafter, ‘providers’)^{Footnote 1} to consult with the appropriate data protection and privacy enforcement authorities in the countries they operate in when seeking compliance guidance with respect to their data protection and privacy obligations under the law. These principles we outline below aim to further support age assurance that is accurate and effective, while still ensuring a high level of user privacy.

Why are we making this statement?

Age assurance is the process of establishing, determining, and/or confirming either an age or an age range of a natural person. It is an umbrella term encompassing all methods that help estimate or assess a user’s age and therefore allows providers to tailor user experience to the user’s age, or to enforce age-appropriate access restrictions, where legally required.
Age assurance can be used to protect people, and particularly children,^{Footnote 2} from harms arising from the processing of their personal information online, and ensure this information is not used to serve children content they are too young to access. Additionally, in cases where the processing of children’s data is specifically forbidden, age assurance can help organisations meet their legal obligations.
Although we recognise the ongoing work of data protection authorities and online safety regulators in the field of age assurance, industry has suggested a need for further regulatory convergence and coordination.^{Footnote 3}
Whilst this statement does not address all the known data protection and privacy questions relating to age assurance methods, it does seek to start addressing these challenges by setting out some initial shared principles from different international regulators in this area.

Aims of the joint statement

We recognise age assurance is intended to protect children within the digital world, while they explore online and develop, not to block their access to the digital world.
By publishing this joint statement we aim to set out some key shared principles across industry on age assurance practices as they relate to data protection and privacy, and we therefore urge providers and the suppliers of age assurance services, to take account of these principles in their approach to age assurance.
We hope these principles will act as a useful starting point for continued conversations around how international consistency and coordination in this area can grow – supporting age assurance that is accurate and effective, while still ensuring a high level of user privacy.

International Age Assurance Working Group

As a result of the current age assurance landscape, the UK Information Commissioner’s Office (ICO) created an International Working Group in 2022 as a mechanism for data protection authorities to share information on age assurance methods and to learn from each other’s experiences.^{Footnote 4}
The group has been guided by existing work on age assurance policy. This work includes, but is not limited to, the ICO Opinion on Age Assurance,^{Footnote 5} the CNIL (French DPA) Recommendations on online age verification,^{Footnote 6} and the Decalogue of principles from the AEPD (Spanish DPA).^{Footnote 7} Additionally, it takes into account the international standards on age assurance technologies currently being developed by the International Organisation for Standardisation (ISO)^{Footnote 8} and the IEEE Standard^{Footnote 9} already launched, as well as the continuing technical developments in this area, including age-estimation techniques.
This statement was born as an initiative by some members of the group and reflects the views of its signatories. It is not endorsed by the International Age Assurance Working Group as a whole.

Next steps

This statement will remain open for signatures after its publication. We invite regulators, who are not members of this group, and who support the shared principles outlined below, to sign this statement.
The International Age Assurance Working Group will continue to collaborate on age assurance, and to take account of the rapidly evolving technological developments in this area, to reduce the privacy risks people, and particularly children, face in the online world.

Principles of the joint statement

Age assurance must always be implemented in compliance with data protection requirements^{Footnote 10} in a risk based and proportionate way to reduce the risk of harm to users, and particularly children.
The use of personal information for age assurance must be lawful, fair, transparent, and non-discriminatory. Any personal information collected must be limited to what is necessary for the purpose of age assurance.
Any age assurance implemented should be in the best interests of the child,^{Footnote 11} while guaranteeing all users’ fundamental right to access information from the internet.^{Footnote 12}
Providers, including the suppliers of age assurance services, should be accountable for their approach to age assurance and for demonstrating that it is privacy preserving, effective, and proportionate.
Providers should establish with reasonable certainty whether children are likely to access their platform or website. Where it is inappropriate or unlawful for children to be accessing a website, providers should focus on deploying an effective means of age assurance to prevent children from accessing the site.
Providers should assess and document the severity of the potential data protection risks to users, and particularly children, from the age assurance method(s) implemented.^{Footnote 13}
Providers should balance the data protection risks posed by the age assurance method(s) implemented against the best interests of the child, including their rights to safely access diverse information online while being protected from harmful material.^{Footnote 14}
Providers should be aware of the state of the art in age assurance technology in order to ensure they implement methods that are effective, while also protecting users’ rights and freedoms, and to keep these methods under review.
Providers should be aware that where there is a high data protection risk to users, then relying upon self-declaration alone as a method of age assurance is unlikely to be appropriate as the method can be too easily circumvented.
Self-declaration alone should be used only in situations where there is little to no data protection risk to children. Age assurance methods requiring more personal data may be used when legally required or where there is a high data protection risk to children, and when in compliance with local data protection law.
Age assurance is one potential technical solution but not the only tool available to protect children online. Parental filters on devices, public education, and awareness campaigns, or applying data protection by design and default principles can potentially, in concert with age assurance methods, play an important role in protecting children online.

This statement is endorsed by the following regulators:

Information Commissioner’s Office - United Kingdom
Gibraltar Regulatory Authority
National Privacy Commission – The Philippines
Office of the Privacy Commissioner of Canada
Agencia de Acceso a la Información Pública – Argentina
Transparency, Public Information Access and Personal Data Protection Institute of State of Mexico and municipalities (INFOEM) – Mexico

Footnotes

Footnote 1

Services include many apps, programs, connected toys and devices, search engines, social media platforms, social media platforms, streaming services, online games, news or educational websites and websites offering other goods or services to users over the internet.

Return to footnote 1

Footnote 2

This joint statement uses the UN Convention on the Rights of the Child (UNCRC) definition that children are all those under 18.However, we recognise national legislation may require age assurance methods at different ages, such as at the local age of consent. See UNCRC, Article 1.

Return to footnote 2

Footnote 3

Age Assurance and Age Verification Tools: Takeaways from CIPL Roundtable.

Return to footnote 3

Footnote 4

Although the group is separate from the Ofcom-chaired International Working group on Age Verification, comprised of online-safety regulators, both groups remain committed to proactive collaboration.

Return to footnote 4

Footnote 5