The European Data Protection Board (EDPB) has released comprehensive guidelines for implementing age assurance systems in digital services, establishing ten fundamental principles that balance child protection with data privacy requirements under GDPR. The development comes amid growing global momentum for stronger age verification requirements, as demonstrated by recent initiatives across U.S. states and similar regulatory frameworks in Australia and the UK.
The framework emphasizes that age assurance mechanisms must respect fundamental rights, with children’s best interests as a primary consideration. Service providers are required to adopt a risk-based approach, conducting Data Protection Impact Assessments (DPIAs) and Child Rights Impact Assessments (CRIAs) where necessary. The requirements complement recent developments in the EU, where T-Systems and Scytáles are developing an age verification solution for the EU Digital Identity Wallet program.
Under the guidelines, age verification systems must prevent unnecessary tracking and profiling while adhering to data minimization principles. The EDPB recommends implementing tokenized approaches where third-party providers verify age, with service providers receiving only binary age threshold confirmations. The approach is consistent with recent industry trends, such as Mastercard’s shift toward tokenization for enhanced security and privacy.
The guidelines stipulate that age assurance systems must be broadly accessible and offer alternative methods to prevent discrimination. Service providers must maintain clear communication about their age verification processes, particularly ensuring that information is presented in child-friendly formats.
For automated systems, the framework requires implementation of human intervention and appeal mechanisms. The guidelines emphasize data protection by design and default, recommending the use of Privacy Enhancing Techniques that favor user-held data and secure local processing. The approach matches the UK’s Government Digital Service principles for privacy-centric digital identity verification.
Security requirements include the implementation of appropriate technological and organizational measures to detect and respond to breaches. The EDPB emphasizes that providers should anticipate potential breaches and maintain capabilities to promptly restore system availability.
“The proposed principles seek to reconcile the protection of children and the protection of personal data in the context of age assurance. Priority has been given to address the requirements concerning the main principles stated in Article 5 GDPR,” states the EDPB document.
“Service providers must ensure that they have an applicable legal basis under Article 6 GDPR to process personal data in the context of age assurance. For example, they may need to deploy age assurance in order to comply with a legal obligation, taking into account that age assurance must be proportionate to the legitimate objective pursued,” the guidelines specify.
Sources: PPC Land