In October 2024, the Office of the Privacy Commissioner for Bermuda (PrivCom) joined the UK Information Commissioner’s Office (ICO) and other global protection and privacy authorities and regulators in signing the Joint Statement on a Common International Approach to Age Assurance. In autumn 2024, PrivCom also joined the International Age Assurance Working Group and has been learning from research, policy development, and enforcement action by regulators globally.

Definition of a child under PIPA

Under section 16 of the Personal Information Protection Act 2016 (PIPA), a child is defined as an individual under the age of 14. Children’s personal information is afforded increased protection under PIPA. Organisations providing digital or electronic services that use personal information about children must obtain verifiable consent from a parent or a guardian before they collect or otherwise use that information. They also must display easily understandable privacy notices, establish age verification procedures, and ensure that no sensitive personal information is elicited from a child.

So, what is age assurance?

Age assurance is the process of establishing, determining, and confirming either an individual’s age or an age range. It is an umbrella term encompassing all methods that help estimate or assess a user's age. Age assurance technologies and methods allow providers to tailor user experience to the user’s age, or to enforce age-appropriate access restrictions to age-inappropriate content, products, or services where required legally or otherwise. Age assurance includes three main areas:

·         age verification, that is, establishing age from an official document;

·         age estimation, that is, analysing features that vary across age groups;

·         age inference, that is, establishing the user’s approximate age without involving the use of personal information such as date of birth. Examples may include situations where a person is registered at primary school and is therefore of primary school age or where someone is a registered pilot, which means they are over the age of 21.

Age assurance can play an important role in keeping children and their personal information safe online. The most frequently used age assurance methods and technologies include the following:

1.      Date of birth self-declaration

Users enter their date of birth manually. This method requires minimal collection of personal information but may be unreliable since users can easily misrepresent their age.

2.      Document-based verification

Users upload a government-issued ID (for instance, passport, national identity card, driving licence) for age verification. Some systems may use AI to check authenticity. This method is more accurate and reliable than self-declaration, but organisations must handle and store sensitive personal information carefully and have the necessary security protocols in place to avoid breaches of personal information. A downside of this method is that according to the 2018 ID4D Global Dataset published by the World Bank, over 1 billion people do not own an identification document. Some services implement privacy enhancing technologies (PETs) that document verification without storing the information.

3.      Facial age estimation

In this method, AI analyses photo or video footage of a user’s face to estimate their age. These technologies often do not require storing personal information, thus reducing the risk of data breaches and identity theft. Some privacy-protecting systems process images locally or delete them immediately after verification. With facial age estimation, it is of vital importance to train the AI system on unbiased data from a wide variety of ethnic and racial groups in order not to perpetuate racial bias, inequality, and discrimination.

4.      Email address age estimation

This method entails an email address being submitted either by the platform via an Application Programming Interface (API) or inputted manually by the user. This triggers verification of ownership of the email address by issuing an Open Time Password (OTP) that must be clicked by the user. The email address is then analysed using proprietary algorithms and external data sources. This process entails reviewing sites and applications where the user has previously used the same email address. Examples of previous uses of the email address may include situations when the user was engaging with financial institutions, mortgage lenders, utility providers, etc. The search then returns an estimated age of the user.

5.      Credit card or payment-based verification

Users verify their age by making a small payment with a credit card, which is typically issued only to adult users. This method does not require sharing sensitive personal information or documents. However, credit card ownership varies greatly between different countries. According to 2021/2022 survey data from the World Bank, Canada, Israel, and Iceland were the only countries with credit card ownership higher than 74% at the time. However, countries such as Bangladesh and Morocco had a credit card penetration of only around 1%.

6.      Third party identity verification services

This method entails users logging in through a trusted third-party service (e.g., government digital ID, mobile carrier authentication etc.) that confirms their age without revealing additional personal information. The benefit of this methods is that it limits the amount of personal information shared with the service provider, reducing risks of unauthorised access, misuse, or breaches of personal information.

Conclusion

There is no one size fits all approach to age assurance. Different technologies and methods may be appropriate to different circumstances. Organisations should consider the circumstances of when they need to use age assurance technologies and what is necessary under those specific circumstances. This is the case particularly when it comes to protecting the personal information of children and/or sensitive personal information. To protect individuals’ personal information, privacy-enhancing technologies and methods in age assurance incorporate Privacy by Design by balancing key fair privacy principles like accuracy, transparency, fairness, accountability, data minimisation, and information security.