Apple recently announced that it was rolling out age checks on its devices. Against this background, Ofcom and the Information Commissioner's Office (ICO) have published a joint statement about how online services can comply with the Online Safety Act 2023 (OSA) and UK data protection legislation when implementing age assurance. This follows their letters to tech firms earlier this month, where they called for them to make sure that age gating works.
Ofcom and the ICO take a tech-neutral approach, so they don't require tech companies to use any specific age assurance technology. Services have the freedom to choose the method most appropriate to their circumstances, including their size, user base, and available resources, as long as the method is effective and proportionate to the risks involved.
Asking users to confirm their age, for example, by ticking a box, is not an effective means of age assurance and should not be relied upon in isolation. Similarly, age verification through online payment methods that do not require the user to be 18 or over (such as debit cards) and general contractual restrictions on user age are not considered capable of being highly effective.
Age assurance methods must be robust enough to address the risk of users circumventing them. Neither regulator expects services to deploy age assurance methods that are not technically feasible or that pose risks to rights and freedoms which outweigh the benefits.
What the Online Safety Act requires
Under the OSA, user-to-user services that are likely to be accessed by children and that allow potentially damaging content such as pornography, self-harm, suicide, and eating disorder content must use highly effective age assurance (HEAA) to prevent children from encountering that content. The same applies to services that publish or display their own pornographic content.
Age assurance processes should meet four criteria to be considered highly effective (technical accuracy, reliability, robustness and fairness), as well as being accessible and interoperable, so that the process is easy to use and works for all users.
Methods that Ofcom considers capable of being highly effective include, but are not limited to, those listed in the guidance, while certain methods, such as self-declaration in isolation, debit card verification, and general contractual restrictions, are expressly excluded.
Importantly, the OSA does not require services to set a minimum age for access. However, services that choose to do so must state this clearly in their terms of service and apply it consistently. Where a service does not use HEAA to enforce its minimum age, it should assume that underage children are present and must take this into account in its children's risk assessment. For services that are among those most used by children, Ofcom has specifically recommended the use of HEAA to enforce minimum age policies effectively.
What data protection law requires
The ICO is keen that services prevent underage access and comply with its Children's Code.
Where a service is not suitable for children under a certain age — including where a minimum age such as 13 is stated in the terms of service — the focus should be on preventing those children from accessing the service. This is because there will generally be no lawful basis for processing the personal data of children who are not meant to be on the service. The ICO expects services to use appropriate, current and viable technologies to enforce minimum age requirements, with examples including facial age estimation, digital ID, or one-time photo matching. In addition, the ICO considers that profiling is not currently an effective method for preventing underage access.
Where a service is suitable for children, or for children above a certain age, the focus must be on ensuring that their experience is age-appropriate in line with the ICO's Children's Code. If personal information processing activities are likely to present a high risk to children's rights and freedoms, services should introduce age assurance methods that give the highest possible level of certainty about a user's age. If a service does not have a level of certainty about the age of its users that is appropriate to the risks, it must apply the Children's Code standards to all users as a default baseline of protection.
Regardless of the method chosen, services must comply with the UK GDPR data protection principles. In practice, this means collecting only the information strictly necessary to confirm a user's age or age range, being transparent about how age assurance data is used, providing users with clear privacy notices, and ensuring users can challenge inaccurate decisions. Services should also conduct Data Protection Impact Assessments and keep them under review as risks evolve.
Certification and assurance
To support compliance, the ICO has worked with industry to develop approved data protection certification schemes. Services can use the Age Check Certification Scheme to help identify age assurance providers that meet UK data protection standards.
Looking ahead
Ofcom and the ICO have stated that they will continue to collaborate on age assurance and respond to future developments as appropriate. Services should treat this joint statement as a clear indication of the direction of travel: the regulatory bar for protecting children online is rising, and both regulators intend to hold services to account.
