Age Assurance for Internet Society Services (ISS): What to Know About a New UK ICO Opinion

Must

• Ensure the personal information you collect about a person to verify their age is proportionate to the risks your service poses.

Should

• Consider offering a choice of age assurance methods, appropriate to the needs of your service and users. 

• Consider how to minimise exclusion risks associated with hard identifiers in a way that is appropriate to the risks. 

Could

• Use age estimation approaches for initial onboarding or account creation or for ongoing monitoring.
• Find a more privacy-friendly method than using hard identifiers. 

Should

• Avoid using a self-declaration age assurance method. It is unlikely to be accurate and effective if children face significant risks from the data processing on your site; or you are choosing to restrict access to an adult site to underage users.
• Assess the potential for unlawful processing of children’s information between an initial self-declaration and identification of an underage user.

Could

• Consider using it for ISS activities that do not pose a high risk to children.
• Increase the effectiveness of self-declaration by applying technical measures such as preventing people from immediately attempting to re-register if they are denied access on first declaration for being underage and closing the accounts of people discovered to be underage.
• Combine self-declaration with techniques that analyse account profiling or information which look for ‘red flags’ that contradict a person’s declared age or age range.
• Ask the user to confirm their age using an alternative age assurance method where there are red flags.

Must

• Allow people to challenge the decision.
• Carefully design waterfall techniques to ensure they increase accuracy whilst preserving privacy.

Should

• Introduce age assurance methods that give a high level of certainty on the age of users.
• Focus on restricting access to children if service is inappropriate for children.
• Introduce methods with the highest possible level of certainty on the age of users, noting that certainty will vary due to technical feasibility; whether authenticated or non-authenticated users use your service; and the age range and capabilities of your users.
• Be able to demonstrate that you have considered a wide range of age assurance options.
• Explain your rationale for choosing a particular method, taking into account the level of certainty the method provides.

Could

• Use self-declaration alongside other age assurance methods where you can demonstrate that the combination is effective.

Could

• Introduce age assurance methods that process minimal personal information to restrict access for child users who do not meet your terms of service, identify the age of children to ensure the service you offer is appropriate for their age group or provide privacy and transparency information suitable to the specific age of the child.
• Apply the standards of the code to all users in a proportionate way to mitigate further personal data processing risks.
• Supplement method with other more accurate age assurance methods where you establish that the risk levels are higher, and you require a higher level of age assurance certainty.

Should

• Focus on preventing access by children.
• Apply the principles of the code to all users in a risk-based and proportionate way.

Must

• Ensure that your age-gating page complies with data protection legislation.

Must

• Identify a lawful basis before you start processing personal data for age assurance purposes.

Must

• Be fair and only handle people’s data in a way they would reasonably expect. 
• Provide tools so people can challenge inaccurate age assurance decisions.

Should

• Make tools for challenging accuracy accessible and prominent.
• Not process children’s personal data in ways that are obviously, or have been shown to be, detrimental to their health or wellbeing.
• Scrutinise and minimise potential bias.

Must

• Be clear, open and honest about how you use personal data for age assurance purposes and how you make decisions.
• Explain clearly to people:
  • Why you use age assurance.
  • What personal information you need for the age assurance check.
  • Whether you will use a third party to carry out the age assurance check.
  • How you use the personal data and how it will affect the user’s experience of the platform or service.
  • Whether you keep personal data you collect for age assurance and how, why and for how long.
  • Their rights, including how they can challenge an incorrect age assurance decision.

Should

• Consider how age assurance fits into your user journey and experience to determine how and when it is best to provide this type of information.
• Only allow parents to exercise rights on behalf of a child if 1) the child authorises them to do so; 2) the child does not have sufficient understanding to exercise the rights themselves; or 3) it is evident that this is in the best interests of the child.

Must

• Only process personal data for specific and legitimate purposes, and not further process it in a manner incompatible with those purposes. Ensure any new use of the personal data is fair, lawful and transparent. 
• Be clear about what personal data you process; be clear about why you want to process it; ensure you only collect the minimum amount of personal data you need to establish an appropriate level of certainty about the age of your users; and ensure you do not use personal data collected for age assurance for any other purpose unless the new purpose is compatible with age assurance.
• Build your systems with data protection in mind.

Should

• Not share children’s data unless you can demonstrate a compelling reason, while considering the best interests of the child.

Must

• Ensure that the personal data you collect is adequate, relevant and limited to what is necessary for the purpose.
• Apply data minimisation to your chosen age assurance approach.

Must

• Ensure that the personal data you process for the purpose is accurate.
• Have methods in place to mitigate the risks that the personal data you collect may be inaccurate.

Should

• Record age assurance returns as an estimation rather than a matter of fact.
• Test age assurance solutions for accuracy if you are developing them.
• Seek evidence from your suppliers.
• Consider how likely it is that age checks may be bypassed or spoofed and the associated impact.
• Consider how decisions can be challenged or inaccuracies rectified. 
• Consider whether further checks are required when a child reaches 13 and 18.

Must

• Not keep people’s personal data longer than you need it.
• Retain only the minimum amount of personal data necessary for the purpose.
• Consider challenges to your retention of personal data collected for age assurance.

Should

• Be able to justify how long you keep personal data collected for age assurance purpose.
• Have a policy that sets out retention periods.
• Be proportionate in how frequently you carry out age checks compared to the risks on your service.
• Erase personal data that is no longer required.

Must

• Process people’s personal data securely.
• Consider how the system collects or shares information, as well as the personal data involved.
• Consider the state of the art and costs of implementation when deciding which security methods to use.
• Put in place methods that are appropriate to the circumstances and the risk the processing poses.
• Ensure appropriate data security methods are in place through due diligence checks.

Should

• Consider the balance between transparency and security if using AI.
• Ensure that a malicious actor cannot re-identify people given sufficient technical information.

Must

• Be able to demonstrate how your age assurance activities comply with data protection law.
• Adopt and implement data protection policies. 
• Take a data protection by design and default approach to age assurance. 
• Put written contracts in place with third-party age assurance services that process information on your behalf (these may be processors or joint controllers depending on the exact circumstances of the relationship).
• Maintain documentation of your age assurance processing activities.
• Implement appropriate security measures for age assurance processing.
• Record and, where necessary, report personal data breaches.
• Take a data protection by design approach to age assurance.
• Put in place technical and organisational measures to implement the data protection principles effectively and safeguard people’s rights.
• Be able to demonstrate that your approach to age assurance is proportionate to the risks to children associated with a platform or service.
• Implement a data protection impact assessment (DPIA) if your processing is likely to result in a high risk to people’s rights and freedoms.

Should

• Carry out a DPIA at an early stage in the design of any product or service that involves processing personal data; consider if a significant number of children are likely to access your service and use that information in your DPIA to determine which age assurance method to apply.