The Information Commissioner’s Office (ICO), the UK’s data protection regulator, has published an opinion on age assurance for internet society services (ISS). The opinion aims to explain how a company can use technology in compliance with data protection law in a “risk based and proportionate way.”
Age assurance:
- Ensures that children are unable to access adult, harmful or otherwise inappropriate content when using ISS.
- Estimates or establishes a user’s age so a company can tailor the ISS and implement age-appropriate protections.
Establishing the age of users is important for services subject to the UK’s Age Appropriate Design Code as well as the newly introduced Online Safety Act 2023. As with many legislative changes in the UK over the past year, the focus is on protecting children.
“Privacy risks children face in the online world can have a significant impact,” the opinion says. “The potential severity of these risks means that the Commissioner expects you to take the necessary steps to protect children. Age assurance is a crucial component in this, helping you to provide an age-appropriate experience, or restrict access to underage users where appropriate.”
Three Categories of Action
The ICO expects a compay to adopt an age assurance method based on the risks created for the child by processing personal information and the required level of certainty about the individual’s age. It identifies high risks to children such as large-scale profiling, invisible processing, location tracking and the use of innovative technologies (e.g., smart devices).
The opinion focuses on three categories of actions, explaining what services:
- Must do – their legislative obligations.
- Should do – what the ICO expects them to do to comply with the law.
- Could do as an option or example to comply.
The ICO does not expect implementation of methods that:
- Are not technically feasible.
- Pose a significant and disproportionate economic impact on businesses.
- Create risks to the rights and freedoms of people that are disproportionate to the other processing activities on the service.
A Closer Look at Age Assurance Methods
The opinion describes the variety of age assurance methods and the associated actions for services:
Services
Assessing risk is a key factor in the ICO’s opinion, setting out various considerations for services depending upon the nature of the service and their corresponding risks.
Data Protection
The opinion also addresses the interplay between age assurance and data protection principles, confirming that data protection must be embedded in the design.
Whilst many of the principles in this opinion may not be new to most internet society services, it is helpful to see the focus of the ICO on this issue. It is also a clear sign that the UK’s Age-Appropriate Design Code and the interplay with the Online Safety Act is at the forefront of the ICO’s agenda. Companies should ensure they have considered the issues and documented their approach to how the business uses age assurance measures.
[View source.]
Tyler Fields is your internet guru, delving into the latest trends, developments, and issues shaping the online world. With a focus on internet culture, cybersecurity, and emerging technologies, Tyler keeps readers informed about the dynamic landscape of the internet and its impact on our digital lives.
