Recommendations on Age Verification for Publishers
Article 8 of the GDPR states applicable conditions to child consent:
Processing of personal data of a child is lawful where the child is at least 16.
Where the child is 13 but younger than 16, processing of personal data is lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. The age limit is set by each Member State.
Data controllers shall make reasonable efforts to verify that consent is given or authorized by the holder of parental responsibility over the child, taking into consideration available technology.
For example, France has set the minimum age at 15, Italy and Spain at 14, the UK at 13, and Germany at 16.
Consult your legal counsel to know what age limit is applicable to your country.
Based on the EU Data Protection Authorities guidance (e.g. DPC, ICO, CNIL) on this matter, organizations should comply with the standards and expectations when the services provided by the organization are directed at, intended for, or likely to be accessed by children. A service that is intended to be accessed by children will generally be self-evident from the manner in which the service markets, describes, or promotes itself (e.g. educational websites, online games, and associated forums, etc.).
However, services which have mixed-user audiences (i.e., including children) may be less obvious. In this regard, “likely to be accessed by a child” means that this is more likely than not.Hence, currently the scope of “intended for or likely to be accessed” is very broadly interpreted by Data Protection Authorities.
In addition to the “privacy by design” and “by default” principles, there are a few best practices emerging on age verification such as:
Birthdate check or entry: The least invasive but most passive form of age-gating, is to have the user self-verify they are of a certain age prior to information collection. If a user enters a birthdate less than 13 or 16 years, then (depending on jurisdiction) sites or apps would either bar them from site/app usage or data collection, or ask for the email verification of a parent or guardian.
Identity verification tools: Many businesses employ third-party identity verification software to ensure consumers are who they say they are. This kind of technology could help with age verification.
AI-based methodologies: Deploying an AI technology on-site or in-app could allow to reverse or expunge information collected from a user exhibiting signs of child-like behavior. If the technology ‘thinks’ the user is a minor, this action could trigger an age-verification event on-site.
Protecting children’s digital rights is a major goal of data protection authorities all over the world. Recent initiatives and decisions show there is a higher risk of fines and penalties for failing to implement measures to protect children’s digital rights.
As independent data controllers or joint data controllers (depending on the services we provide),Publishers and LiveRamp could also be in the scope of a data protection authority decision.
Please find examples below:
Irish data protection authority (DPC) regarding Instagram (December 7, 2021): The DPC has submitted a draft decision to the EU data protection authorities about an investigation into Instagram’s handling of children’s data.
Dutch ruling regarding Tiktok (April 9, 2021): TikTok was fined EUR 750,000 by the Dutch data protection authority for failing its duty to inform and protect minors on its social media platform (art. 12 GDPR).
US Federal Trade Commission regarding OpenX (December 15, 2021): The US FTC requires OpenX to pay $2,000,000 to settle allegations that the company illegally collected personal information from children under 13 without parental consent, constituting a direct violation of a federal children’s privacy protection law.