Age assurance and privacy: Regulatory trends in youth online protection


Contributors:
Jonathan Tam
CIPP/C, CIPP/US
Tech and AI Partner
Baker McKenzie
Elizabeth Denham
Chair
Jersey Data Protection Authority
Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Lawmakers and regulators around the world are intensifying their focus on protecting children and teenagers online. Although the goal of protecting the privacy and safety of young people online is widely shared, approaches to achieving it vary significantly across jurisdictions.
A pivotal point of debate is whether online service providers should be explicitly required to implement age assurance mechanisms to estimate, verify or confirm users' ages, and then tailor users' online experiences accordingly.
United Kingdom
The primary regulatory requirements for age assurance in the U.K. are contained in the Age Appropriate Design Code 2021 and the Online Safety Act 2023.
Age assurance plays a significant role in keeping children and their personal information safe online. The term describes approaches or tools that help estimate or assess a child's age and therefore allow services to be tailored to the child's needs or access to be restricted where required.
The U.K. AADC, the first-ever statutory code of practice for protecting children's data, mandates a risk-based approach to age assurance, requiring services to effectively apply standards to children and youth and to establish or estimate age with a level of certainty commensurate with risk. It is regulated by the U.K. Information Commissioner's Office and mandates 15 design standards to protect children's data.