On February 11, 2025, the European Data Protection Board (EDPB) adopted a statement (Statement) on age assurance. The Statement comes at a formative time in the development of age assurance practices, as EU and UK regulatory frameworks increasingly require companies to take steps to identify and protect child users of online services. The Statement outlines key privacy principles that should be followed when developing and deploying age assurance processes, together with the risks to individuals’ rights that can arise.

EU-UK Age Assurance Legal Landscape

“Age assurance” is an umbrella term describing various methods that can be used to determine an individual’s age or age range. The Statement identifies three primary categories of age assurance: age estimation, age verification, and self-declaration. The Statement touches on when companies should implement age assurance, citing the Audiovisual Media Services Directive, the General Data Protection Regulation (GDPR), and the Digital Services Act (DSA) as key examples of laws that can require such steps to be taken. However, it also notes that implementing age assurance for all users and for all content is unlikely to be required when potential privacy impacts are considered.

In the UK, the Online Safety Act (OSA) introduces requirements for certain service providers to implement age assurance, and otherwise references the practice as a means for companies to comply with their duties to protect children from harmful content. The UK Information Commissioner’s Office published an opinion on age assurance in 2024 which, similar to the Statement, outlines the specific risks that can arise from age assurance, noting that the practice can be disproportionately intrusive in some circumstances. However, the opinion notes that age assurance can also protect children from harms arising from the processing of their personal information and from activities such as profiling and behavioral advertising. The opinion states that services can use “waterfall techniques” to verify a user’s age (e.g., age gate plus AI-based techniques that assess whether a user’s reported age is aligned with their on-site behavior).

Key Issues for Companies to Consider

When implementing age assurance, the Statement recommends companies:

  1. Take steps to assess the necessity and proportionality of using age assurance, for example by carrying out a Child Rights Impact Assessment (CRIA) which assesses compliance with principles of the United Nations Convention on the Rights of the Child. The Irish Data Protection Commission’s Fundamentals for a Child-Oriented Approach to Data Processing similarly recommends that companies conduct a CRIA as part of a child-oriented Data Protection Impact Assessment (DPIA).
  2. Conduct a DPIA, which identifies risks arising from the processing and contains measures to mitigate those risks. For example, a natural person required to verify their age to access adult content would not expect the service provider to use age assurance to determine their identity or precise geographical location or to monitor, evaluate, or infer personal aspects of their identity. As a result, data minimization controls should be in place to limit the data collected, how long it is retained and who can access it.
  3. Provide alternative age assurance methods for users who do not wish to use a specific method (e.g., ID verification in addition to credit card authorization), and assess the effectiveness of age assurance based on whether it is:
    1. accessible (it should be broadly accessible and not exclude groups of people, such as those without an identity document or mobile phone),
    2. reliable (any method must have a consistent level of accuracy), and
    3. robust (self-declaration of age is unlikely to be robust).
  4. Provide users with a means to challenge decisions taken through age assurance processes if they believe that their age has not been properly determined or estimated.
  5. Ensure that the privacy notice which accompanies the age assurance is in language that is clear and understandable to children.
  6. Implement short retention periods where possible. For example, companies can implement a “no log” policy which records that a user’s age has been verified but does not store details (such as ID documents) captured through the assurance process itself.

Conclusion

Amid developments in online safety laws, the Statement serves as a helpful reminder of the privacy issues that companies need to consider when implementing age assurance processes, including whether they should be implemented at all. For more information on the protection of minors online in the EU and the UK, refer to our alert here. Companies that offer services online and that are considering age assurance should review their current compliance strategies to ensure they are incorporating the key issues that the EDPB mentions in the Statement.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex digital regulation and privacy compliance in the UK and EU. For more information, please contact Cédric Burton, Nikolaos Theodorakis, Tom Evans, Laura Brodahl, or another member of the firm’s data, privacy, and cybersecurity practice.

Matthew Nuding contributed to the preparation of this post.