On February 16, 2023, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP held a virtual roundtable to discuss the role of age assurance and age verification tools as part of its Children’s Data Privacy Project. Representatives from CIPL member companies, data protection authorities, civil society and experts exchanged views on the effectiveness of different methodologies and emerging best practices to shield minors from harmful or inappropriate content.
Key Takeaways from the Discussions:
1. When it comes to age assurance, the methodology and timing of deployment depend on the nature of the service and the risk to children, including likelihood and severity.
The features and designs specific to a given service and the level of potential risks to children, including the likelihood and severity of such risks, are critical factors in determining whether age assurance is required, which methodology is most appropriate and how and when it should be deployed.
2. There is no silver bullet. No methodology is better than another, but one could be more appropriate and effective for the specific use case.
Each age assurance methodology has unique strengths and weaknesses. To select the most suitable one, an evaluation of its effectiveness in mitigating and addressing specific risks and harms is necessary. Regulatory expectations must take into account the practical and technical feasibility of different methods and their impact on user experience.
3. To perform proper risk assessments, organizations need guidance on adequate age assurance criteria and risk taxonomy.
Existing regulatory guidelines and continuous regulatory engagement are useful tools. However, appropriate risk assessments are still a challenge for companies looking to design and implement repeatable and systematic processes.
4. To be effective, the design and deployment of age assurance tools should continuously research and consider children’s behavior and motivation.
Children may falsify their age in order to access online services. Understanding the motivations behind this behavior can support better design, transparency and trust, ultimately leading to a more successful and appropriate approach to age assurance.
5. Age assurance is only one of the tools available to keep children safe online; it cannot be used in isolation.
Organizations cannot rely on age assurance alone. To ensure compliance with various legal requirements, organizations will need to employ a multifaceted approach that includes for instance privacy and safety by design and default, appropriate user-centric transparency, content moderation, personalization of content, parental consent or family-specific controls and age-appropriate services. The best interest of the child must be a key consideration.
6. Constructive engagement and information sharing are essential for developing standards and certifications for age verification and assurance.
Many organizations, especially larger ones, have made significant investments and commitments to develop best practices for age verification and assurance. However, as research and knowledge evolve, it is imperative that all stakeholders (industry, policymakers, regulators and civil society) continue to engage in ongoing dialogue regarding expectations and progress.
Read the full takeaways summary here.
Future CIPL roundtables on the Children’s Data Privacy Project will address the risk-based approach to the protection of children online, transparency, consent and other legal grounds for processing and personalization.