[Access official publication on EDPB Website]
Adopted on 11 February 2025^[Minor corrections to the formatting of this document were made on 24 February 2025. Further minor changes were made to paragraphs 16 and 22 point b on 1 April 2025.]
The European Data Protection Board has adopted the following statement:
1. BACKGROUND AND PURPOSE OF THIS STATEMENT
-
The European regulatory framework calls for the increased protection of children in the digital environment. For example, the Audiovisual Media Services Directive^[Directive (EU) 2018/1808 of the European Parliament and of the Council of 14 November 2018 amending Directive 2010/13/EU on the coordination of certain provisions laid down by law, regulation or administrative action in Member States concerning the provision of audiovisual media services (Audiovisual Media Services Directive) in view of changing market realities, https://eurlex.europa.eu/eli/dir/2018/1808/oj], which Member States have transposed into their national laws, highlights the possibility to implement age verification measures (Articles 6a and 28b), the GDPR introduces minimum age requirements for consenting to the processing of personal data in the context of information society services (Article 8), the Digital Services Act^[Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) , https://eur-lex.europa.eu/eli/reg/2022/2065/oj] references age verification as a risk mitigation measure (Article 35(1)), and a number of Member States have implemented minimum age requirements for performing legal acts, exercising certain rights or accessing certain goods and services into their own national law.
-
In addition, different national and European initiatives, such as Better Internet for Kids (BIK+), identify age assurance as one solution to improve childrenâs well-being online through a safe, age-appropriate digital environment in line with the European Digital Rights and Principles^[Better Internet for Kids, Guide to age assurance, https://better-internet-for-kids.europa.eu/en/age-assurance-guide-oldest].
-
Based on the definition provided in the research report Mapping age assurance typologies and requirements,^[Raiz Shaffique, M., & van der Hof, S. (2024). Mapping age assurance typologies and requirements. Research report, Part of the Better Internet for Kids (BIK) project coordinated by European Schoolnet (EUN) and commissioned by the European Commission.] this document will use âage assuranceâ as âthe umbrella term for the methods that are used to determine the age or age range of an individual to varying levels of confidence or certaintyâ. The same report mentions three primary categories of age assurance: age estimation, age verification and self-declaration.
-
Age assurance poses specific risks to data protection with the potential to adversely impact not only natural personsâ right to the protection of their personal data, but also other rights and freedoms^[About the potential impact of age assurance on rights and freedoms, see, e.g.: âRoadmap for age verificationâ (Australian eSafety Commissionner, 2023) https://www.esafety.gov.au/sites/default/files/2023-08/Age-verification-backgroundreport.pdf?v=1731644498261, âA safe internet by default for children and the role of age verificationâ (AEPD, 2024) https://www.aepd.es/guides/technical-note-safe-internet-by-default-for-children.pdf or âTrustworthy Age Assurance?â a study commissioned by the Greens/EFA Cluster on Green and Social Economy at the European Parliament (2024) https://www.greensefa.eu/en/article/document/trustworthy-age-assurance] such as the right to non-discrimination, the right to the integrity of the person, the right to liberty and security, and the right to free expression and information.
-
In recognition of the importance of a consistent approach at EU level on the topic of age assurance, the EDPB wishes to provide specific guidance and high-level principles stemming from the GDPR that should be taken in consideration when personal data is processed in the context of age assurance.
-
The proposed principles seek to reconcile the protection of children and the protection of personal data in the context of age assurance.
-
Priority has been given to address the requirements concerning the main principles stated in Article 5 GDPR (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, confidentiality, integrity, and accountability), and to ensure these data protection principles are properly implemented and remain robust over time, as set out under Article 25 GDPR âData protection by design and by defaultâ and Article 32 GDPR âSecurity of processingâ.
-
This statement is focused on the principles applicable to different online use cases, including when a minimum age is prescribed by law or otherwise for buying products, for using services that may harm children or for performing legal acts; and when there is a duty of care to protect children (for example, to ensure that services are designed or offered in an age- appropriate way).
-
The EDPB may also consider issuing â whenever relevant and in other documents â additional guidance on specific use cases.
2. PRINCIPLES TO DESIGN GDPR-COMPLIANT AGE ASSURANCE
2.1 Full and effective enjoyment of rights and freedoms
Age assurance must respect the full complement of natural personsâ fundamental rights and freedoms, and the best interests of the child should be a primary consideration for all parties involved in the process.^[In particular, the Universal Declaration of Human Rights, the European Convention on Human Rights, the Charter of Fundamental Rights of the European Union, and the UN Convention on the Rights of the Child.]
-
When implementing age assurance, service providers should ensure that they consider not only the impact on the right to the protection of personal data, but on all fundamental rights of natural persons.
-
In the specific case of children, the best interests of the child^[The UN Committee on the Rights of the Child has clarified that the best interestâs principle âis aimed at ensuring both the full and effective enjoyment of all the rights recognized in the Convention and the holistic development of the childâ. General comment No. 14 (2013) on the right of the child to have his or her best interests taken as a primary consideration (art. 3, para. 1), https://www2.ohchr.org/English/bodies/crc/docs/GC/CRC C GC 14 ENG.pdf] should be a primary consideration for all parties involved in age It is important to note that there is no hierarchy in considering the best interests of the child, and regard should be had for all childrenâs rights including their right to the protection of personal data, to protection from violence and all other forms of exploitation to access information from a variety of sources and to have their views given due weight.
2.2 Risk-based assessment of the proportionality of age assurance
Age assurance should always be implemented in a risk-based and proportionate manner that is compatible with natural personsâ rights and freedoms.
-
Service providers should adopt a risk-based approach when designing and operating their services. The necessity and proportionality of using safety measures such as age assurance should be demonstrated, taking into account the associated risks. The necessity could be demonstrated by conducting an assessment to identify and evaluate the risks that a particular service poses for children, such as exposure to harmful contact or As part of this assessment, service providers may also consider the rights of children, the opportunities provided by the digital environment, the views of the children as well as their evolving capacities in order to ensure age-appropriate participation.
-
Service providers must also respect their usersâ rights and freedoms, including the right to the protection of their personal data, balancing these with the need for safety measures which should always be the least intrusive of those available and which should always be effective. In many cases, age assurance poses a high risk to the rights and freedoms of data subjects, which would therefore require that a Data Protection Impact Assessment (âDPIAâ, Article 35 GDPR) be conducted before processing, taking into account the nature, scope, context and purposes of the The DPIA should include a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller. It should also contain an assessment of the necessity and proportionality of the processing, identify risks arising from processing personal data for the purpose of age assurance and contain measures to mitigate those risks.
-
The DPIA should guide the design and implementation of appropriate technical and organisational measures for data protection compliance. This risk-based approach is crucial when balancing the potential interference with natural personsâ rights and freedoms against the intended objective in this particular context, namely childrenâs safety. The scope, extent, and intensity of this interference in terms of impact on rights and freedoms must always be carefully assessed. For example, a service provider processing personal data to check the age of all their users when accessing all their content or services, even when the content or services are suitable for all audiences and devoid of any risk, would not pass the necessity and proportionality tests.
2.3 Prevention of data protection risks
-
Age assurance should not lead to any unnecessary data protection risks for natural persons. In particular, age assurance should not provide additional means for service providers to identify, locate, profile or track natural
-
Service providers and any third party involved in age assurance should implement effective measures and safeguards to prevent this process from causing unnecessary data protection risks such as those resulting from identifying, locating, profiling, or tracking natural persons. The processing of personal data for age assurance should not provide additional means to fulfil purposes unrelated to the age assurance itself. This requires the selection of age assurance approaches that fully comply with the principle of data protection by design and by default (see section 2.8) and implementing measures that guarantee the principle of fairness, ensuring that personal data are not processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to data
-
For example, a natural person required to verify their age to access adult content would not expect the service provider to use age assurance to determine their identity or precise geographical location or to monitor, evaluate or infer personal aspects of their identity. This fact is particularly relevant for compliance with the data protection principles under Article 5(1), including fairness, transparency and purpose limitation, and the rules under Article 6(4) relating to subsequent uses of personal data. Similarly, following the principles of purpose limitation and data minimisation under Article 5(1), the age assurance process should not enable the further targeting or profiling of users, including for both commercial (e.g. personalised advertisements) and malicious targeting (e.g. grooming, bullying, stalking or harassment). The EDPB recalls that, under Recital 75, there may be particular risks to data protection rights when personal data relates to vulnerable natural persons, in particular of children. In general, it should not be possible to learn more than necessary about a natural person and their actions by profiling this person based on the information used in the age assurance process. This should be ensured, to the greatest extent possible, also in the event of a data
-
Power imbalance situations should be avoided to prevent service providers from forcing individuals to face unnecessary data protection risks due to their lack of agency. When this is not possible, these situations should be recognised and accounted for with suitable countermeasures.For example, viable alternatives to prove their age should be provided to users who cannot or do not wish to use a specific method of age assurance. Furthermore, service providers should regularly assess whether the selected methods and technologies, including those provided by third parties, are functioning in line with their purposes and adjust them to ensure fairness in the processing. Third parties involved in age assurance should also seek to support service providers in complying with their obligations, by not introducing unnecessary data protection risks and by notifying any relevant changes to their policies, designs, services, etc. in a timely manner.
2.4 Purpose limitation and data minimisation
-
Service providers and any third party involved in age assurance should only process the age-related attributes that are strictly necessary for their specified, explicit and legitimate purpose.
-
In most cases, the purpose of age assurance is to make age-related access control decisions, prevent online harm for children, offer an appropriate design or experience according to age, etc. Regardless of the use case, the purpose of the personal data processing should be specific and explicit (Article 5(1)(b) GDPR). Once personal data are collected, they shall not be further processed or combined with additional data in a way that is incompatible with those purposes. Technical measures such as Privacy Enhancing Technologies (âPETsâ) should be used to limit the possibility of repurposing personal data. Organisational measures, such as policies and contractual obligations, which limit the reuse of personal data, should also be deployed.
-
An age-related attribute is any attribute indicating that a natural person is a certain age, over or under a certain age or within an age range. The purpose specification will determine the relevant and necessary age-related attributes to be collected. Doing this will also allow the controller to assess the proportionality of the age assurance process. The advantages resulting from this process should not be outweighed by any disadvantages concerning the exercise of fundamental rights (see section 2.2 above).
-
The controller should therefore only collect personal data that are necessary, adequate, and relevant for the purposes that are intended to be In this way, data minimisation helps to substantiate and operationalise the principles of necessity and proportionality. For example, the service provider may only need to know whether the user is over or under an age threshold. This could be implemented by a tokenised approach based on the participation of a third-party provider, in which the service provider only sees the functional result of the age assurance process (e.g. âoverâ or âunderâ the age threshold). Different approaches may be relevant when the service provider needs to know if the user is within a particular age range or born in a specific year.
2.5 Effectiveness of age assurance
-
Age assurance should demonstrably achieve a level of effectiveness adequate to the purpose for which it is carried
-
The means by which age assurance is carried out should be adequate to achieve the purpose of the processing. In particular, the effectiveness of any legally mandated age assurance measure should be considered as a precondition to satisfy the principles of necessity and proportionality.
-
The effectiveness of age assurance should be evaluated on several aspects, including:
- Age assurance should be broadly accessible for natural persons to verify their age or prove they meet an age-related requirement. When certain categories of individuals are at risk of being discriminated against by a specific age assurance method, for example because they do not own a suitable identity document or mobile phone or because of a disability, alternative methods for age assurance should be made available, when reasonably possible, with adequate levels of privacy, safety and security. Age assurance solutions should also comply with any applicable legislation on accessibility.
- According to the accuracy principle (Article 5(d) GDPR), any method whose purpose is to determine whether a natural person meets an age-related requirement should provide an adequate and consistent level of accuracy when determining whether or not they meet said requirement. Appropriate redress mechanisms should be made available, particularly when users can be significantly affected by automated decision- making, such as when their age-related attributes have not been properly established (see section 2.7 below).
- Age assurance should be able to deal with unexpected situations and resist reasonably likely attempts to trick or bypass the system. It should be noted that robustness has little meaning in the context of the self-declaration of an age-related attribute, since the reliability of such method depends mostly on the goodwill of the user.
In addition, service providers implementing age assurance and any third parties involved in the process should be able to demonstrate its effectiveness and be transparent about the means by which they reach appropriate levels of accessibility, reliability and robustness (see section 2.10).
2.6 Lawfulness, fairness and transparency
-
Service providers and any third party involved in age assurance should ensure that the processing of any personal data for the purposes of age assurance is lawful, fair and transparent to
-
Service providers must ensure that they have an applicable legal basis under Article 6 GDPR (and, if relevant, applicable exception laid down in Article 9(2)) to process personal data in the context of age assurance. For example, they may need to deploy age assurance in order to comply with a legal obligation (Article 6(1)(c) GDPR), taking into account that age assurance must be proportionate to the legitimate objective pursued and the requirements set out in Article 6(3)
-
Furthermore, service providers must be transparent with users about how exactly their personal data is being used and by whom. This is particularly important when there are multiple parties involved in the age assurance Before any personal data is processed for the purposes of age assurance, users must be informed (pursuant to Articles 12, 13 and 14 GDPR), amongst other things, about:
- what personal data will be processed and how;
- whether third parties will be involved in the process, and if so, who they are and who the controllers and processors are in this scenario;
- if their data will be shared with others or transferred to a third country;
- how long their personal data is going to be retained or, if this is not possible, the criteria to determine the storage period;
- what their rights are in relation to their personal data (Articles 15 to 22 GDPR), including how they can challenge an incorrect decision made as a result of age assurance.
-
Transparency in the context of age assurance is particularly important when it comes to children. Service providers must ensure that they convey transparency information to children, when concerned, in a way that is clear and easy for them to
-
The concept of transparency is fundamentally linked to fairness. If service providers are not clear and transparent about how they are processing natural personsâ information for age assurance, then it is unlikely that this processing can be considered fair, which in turn makes it unlikely that this processing is In particular, if a provider offers different methods for users to verify their age, they should be transparent about the impact that each method has from a data protection perspective.
2.7 Automated decision-making
-
Any occurrence of automated decision-making in the context of age assurance should comply with the GDPR. If applicable, service providers and any third party involved should provide suitable measures to safeguard natural personsâ rights and freedoms and legitimate
-
The EU legislator has opted for a broad definition of automated decision-making that requires examination on a case-by-case basis. Automated decisions can be involved at different stages in the age assurance process, either for accessing the content or service, or through the methods deployed to prove
-
Fully automated age assurance can produce legal effects on the natural persons concerned â for example on the exercise of their freedom of expression â or, at the very least, can significantly affect them in a similar way. The effect of automated age assurance on natural personsâ rights can vary according to the type of content or services involved.
-
Therefore, service providers and any third party involved in age assurance should provide remedies and appropriate redress mechanisms for users whose age-related attributes are not properly Depending on the architecture of the age assurance process, they must identify who the data subject should contact to exercise their rights.
-
Service providers and any third party involved should pay particular attention when children are concerned. As stated in Recital 71 of the GDPR, âsolely automated decision-making [âŠ] with legal or similarly significant effects [âŠ] should not concern a childâ. Exceptions to this rule should remain under limited circumstances, such as where it is necessary âto protect their welfareâ. In any case, service providers and any third party involved should implement suitable measures â e.g. viable alternatives, redress mechanisms, and, where applicable, human intervention â with information adapted for children, when
2.8 Data protection by design and by default
-
Age assurance should be designed, implemented and evaluated taking into account the most privacy-preserving available methods and technologies in order to meet the requirements of the GDPR and effectively protect the rights of data
-
Under Article 25 GDPR, data controllers involved in age assurance should implement appropriate technical and organisational measures and necessary safeguards to provide effective implementation of all data protection principles and, consequentially, data subjectsâ rights and freedoms. The requirement for controllers to have data protection taken into account by default at design stage of any processing activity of personal data also applies to processors and throughout a processing lifecycle.
-
Considering the diversity and severity of the risks associated with age assurance systems, especially when identity documents or special categories of personal data such as biometric data are processed, the utmost attention should be paid to avoid any unnecessary access to, processing, sharing and storage of personal data. Age assurance systems and any legal or technical instrument setting out requirements for such systems should also be regularly revised and updated, if necessary, to take into account the quickly moving landscape of privacy enhancing technologies in the field of digital identity
-
As mentioned in the EDPB guidelines on data protection by design and by default, the reference to âstate of the artâ in the context of Article 25 GDPR imposes an obligation on data controllers to consider the current progress in technology that is available in the market when determining the aforementioned appropriate technical and organisational measures. Standards, best practices and codes of conduct that are recognised by relevant stakeholders can be helpful in determining such measures. However, the appropriateness of these measures should be verified for each particular processing
-
Consequentially, the EDPB recommends that, based on the state of the art in age assurance at the time this document was prepared, due consideration is given to technologies and architectures favouring user-held data and secure local processing (device-based), allowing properties such as unlinkability (from different partiesâ point of view and even in the case of collusions or data breaches) and selective disclosure of personal data under the control of the data subject. In addition, the use of approaches such as those relying on batch issuance of single-use credentials or cryptographic protocols such as zero-knowledge proofs should be made available for the data subjects in cases where age assurance may involve high risks to their
2.9 Security of age assurance
-
Service providers and any third party involved in age assurance should implement appropriate technical and organisational measures to ensure a level of security appropriate to the
-
The GDPR requires both controllers and processors to have appropriate technical and organisational measures in place to ensure a level of security appropriate to the risk posed to the personal data being processed (Recital 83 and Article 32). The nature, sensitivity, and volume of personal data that can be involved in age assurance highlight the potential adverse effect that a data breach could entail.
-
Trust models are crucial to prevent data breaches in age assurance contexts, as they define how the different parties can verify each otherâs identities and They facilitate secure communication and data exchange among participants who may not have prior relationships. In addition, pseudonymisation and encryption of personal data may be helpful measures to mitigate the possible adverse effects of data breaches. Fulfilling the storage limitation principle and using short retention periods may also be essential for security in age assurance, reducing the exposure surface. A no-log policy may be considered a valuable safeguard: once the userâs age is verified, no record of the personal data used for the age assurance process is kept.
-
In practice, given the increasing legal pressure to implement age assurance and the number of providers that may be subject to such rules, the occurrence of security breaches should be expected. It should be ascertained whether all appropriate technological protection and organisational measures to be in place to establish immediately whether a breach has taken place, which then determines whether the notification obligation is engaged. A key element of any data security policy is being able, where possible, to prevent a breach and, where it occurs, to react in a timely manner. Therefore, the ability to promptly restore the availability of age assurance after a security breach should also be considered as essential. Similarly, it is crucial to ensure the resilience of the age assurance ecosystem, favouring the existence of different alternatives and loosely coupled parties that do not depend so much on each other that the failure or breakdown of one would cause significant access
-
While security measures are of the utmost importance in age assurance, they do not guarantee that authorised or unauthorised access to personal data will not impact the rights of natural persons. They cannot replace the application of the principles of necessity, proportionality or data protection by design and by
2.10 Accountability
-
Service providers and any third party involved should implement governance methods that allow them to be accountable for their approach to age assurance and for demonstrating their compliance with data protection regulation and other legal
-
Given the involvement of different stakeholders, age assurance governance plays a crucial role in its accountability. Age assurance should operate under a governance framework, ensuring that all processes and systems are designed, implemented, revised, documented, assessed, used, maintained, tested or audited in a way that meets data protection regulations and other legal requirements. This framework should include, at least, the data protection policies (Article 24(2) GDPR) and the prioritisation and decision-making processes required to achieve compliance objectives and to manage the risks appropriately over the entire age assurance lifecycle.
-
For example, the governance framework should delineate who is responsible and how, from a controller/processor perspective, for which exact activities or operations within the processing. It should also ensure that age assurance is effectively auditable by authorities and relevant stakeholders. The governance framework is essential for accountability, but also for transparency and trust in age assurance. Data subjects are more likely to trust methods that are transparent about their operations, decision-making,
-
Furthermore, part of the governance framework involves ensuring effectiveness (section 5), data protection by design and by default (section 2.8), and security (section 2.9) of age assurance.
For the European Data Protection Board The Chair
(Anu Talus)