What business needs to know about age ID verification as regulators step up legislation
By Liudas Kanapienis, CEO and co-founder of Ondato
From the first of January this year, age checks for people visiting adult websites became mandatory under a new law passed by the U.S. state of Louisiana. There is much debate about the political motivation, social advisability, and technological practicality of this move, but it demonstrates the growing willingness of governments to step in and regulate online activity to protect minors from harm.
It is a trend that is gaining momentum and now puts more pressure on businesses and service providers to find trustworthy age verification solutions.
For sure, the internet is evolving. The era of total anonymity might be coming to an end.
The spread of regulatory action
Louisiana is not a one-off. As the internet has become an increasingly important part of people’s lives, the potential threats to young people have proliferated as well, and the attempt to regulate these threats through legislation has risen up the political agenda.
The new law joins a burgeoning list of interventions by legislators. The Children’s Online Privacy Protection Act (COPPA) in the United States is a federal law that already requires online service providers to ensure that children are not able to access inappropriate content or services. And in December, a bill that would require age verification, as in Louisiana but on a national level, was introduced to the U.S. Senate.
In Australia, the Children’s eSafety Act 2014 requires online service providers to take reasonable steps to prevent minors from accessing harmful content. In Canada, the Protecting Children from Internet Predators Act is a federal law that imposes reporting requirements on internet service providers and other organizations that provide access to the internet, to help identify and prevent online sexual exploitation of children.
In Europe, the situation is not quite so clear cut. The EU’s General Data Protection Regulation (GDPR) does not specifically require online service providers to prevent minors from accessing inappropriate or harmful material. However, GDPR does require service providers to obtain the consent of a child’s parent or guardian before collecting, using, or processing the personal data of a child under the age of 16. This requirement could be interpreted as requiring online service providers to implement age verification systems or other measures to ensure that minors are not able to access inappropriate content.
It seems likely that the EU will come under increasing pressure in 2023 to clarify its legal position on age verification.
What are governments likely to demand from business?
Under the new Louisiana legislation, people that visit adult websites must prove they are over 18 via an ID app. The app requires a driver’s license or an official state identity card to establish a person’s age.
Elsewhere, the practical challenges of implementing age verification have been exposed by the UK’s experience. The Digital Economy Act 2017 made the United Kingdom the first country in the world to require porn websites to implement age verification systems to prevent minors from accessing their sites. However, the scheme was eventually dropped in 2019 amid fears that the data collected might contravene the EU’s General Data Protection Regulation (GDPR) and potentially give certain players an unfair market advantage.
The same year, the UK government introduced the Online Harms White Paper, which outlined proposals for a new regulatory framework to hold online companies accountable for the safety of their users and to protect them from a range of harms, including cyberbullying, child sexual exploitation, and the dissemination of extremist content. While the draft legislation — now called the Online Safety Bill — is still under debate, it is likely to place increased emphasis on robust and secure ID verification processes. This could potentially lead to new requirements or guidelines for businesses and organizations that handle sensitive personal data, including those that perform digital ID verification.
How to deploy age verification
One possibility is that the legislation could require businesses to implement stronger measures for verifying the identity of their customers or clients. But how do you do that?
At one time, people used to talk as if there were a binary choice between manual and digital verification systems and processes. And maybe there was once. But not anymore. Manual age verification, where a potential customer or user fills out a form and then waits for someone to cross check all the details, is just too cumbersome and slow.
A manual system, that is one that is processed by humans, already uses multiple digital technologies. For example, initiation of the process is likely to be online, rather than face to face. And methods of validating age in a manual process are also likely to be digital – as opposed to automated. The customer is likely to be asked to take a selfie (on a digital smartphone) and transmit it, probably with a digital photo of a driving licence or government-issued ID, online or by email. The verifier extracts relevant details like the date of birth and name using optical character recognition (OCR) and performs document authenticity checks. Additional layers of checking might include the use of credit cards, mobile phone accounts or some other form of 3rd party database, such as credit bureau data, to confirm age.
All of these steps are digital and are capable of being wrapped into a fully-automated, end-to-end process where humans only intervene to handle exceptions. The technology to achieve this is now mature and is available either to blend into an organization’s internal structure or as an outsourced 3rd party ID verification service.
Business users of automated technology also have access to the latest use of biometric technologies, such as facial recognition, fingerprint scanning, or voice recognition, to confirm that an ID item being submitted as proof of age actually belongs to the person requesting access to online content or services, such as online gambling, alcohol sales, or adult websites. There are also digital apps, like the LA Wallet, which rely on biometric login plus prior registration to prove age, perhaps with a QR code component that can be presented as proof of age.
The latest advance in biometrics are AI age estimators, which also wrap in facial recognition — to detect liveliness and exclude spoofing with images or recorded video — and document verification as additional safety guards. Accuracy can be 95-plus percent from biometric data alone.
Automated ID verification is more acceptable to consumers
While blockchain is likely to be important in the future, biometric age verification is the most likely tool to be adopted in today’s efforts to protect minors. It is a mature technology that is widely available and well understood and an effective way to protect minors from accessing potentially harmful material online.
There is no longer any technological excuse for not having these tools. It’s not a difficult task any more. The software exists and can be embedded by any platform really easily and quickly using APIs. The best providers of that software also offer integrated, automated workflows, so that getting thousands or hundreds of thousands of users onboarded quickly is not a big deal.
And, being fully automated, it also is likely to be more acceptable to users of adult websites, who tend to be reluctant to expose their identity to another human. This, in turn, makes it more palatable to businesses, many of which have been afraid of losing customers as a result of enforced ID checks and have not been in a hurry to implement it.
Fully automated processes, without human intervention, are the solution here. Consumers can remain relaxed as nobody is reviewing photos. At the same time, the business provider can relax too, without the fear of a drop in customers. Businesses obviously do not want to lose customers and will do everything they can to keep them.
If widespread adoption is legislators’ goal, then automated systems that reassure consumers and business owners alike are the most effective way to achieve that.
ID checks at adult websites might be only the tip of the iceberg in a rapidly changing digital landscape. Business leaders would do well to prepare right now by getting familiar with the available technology options and by developing plans in the event that the regulatory landscape changes overnight.
About the author
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.