FTC passes on biometric age estimation approval request from Yoti and partners

The U.S. Federal Trade Commission has declined to approve biometric age estimation as a method of verifying parental consent under the Children’s Online Privacy Protection Rule (COPPA).

Commissioners voted 4-0 to deny the application, but left room for it to be refiled in the future. Specifically, the FTC notes a forthcoming report from the National Institute of Standards and Technology.

The request to consider adding “privacy-preserving facial age estimation” to the list of approved methods was submitted last year by Yoti, the Entertainment Software Rating Board and Kids Web Services Ltd., collectively referred to by the FTC as “the ESRB group.”

The FTC published the application on July 20, 2023, and over the period of a month received more than 350 public comments. The Commission notes that those opposed referred to “concerns about privacy protections, accuracy, and deepfakes.” Comments in support noted similarity to previously-approved methods and the sufficiency of the technology’s privacy protections.

The Commission took extra time to consider its decision, and was asked to wait for an additional 90 days so that it could consider an evaluation of Yoti’s age estimation model by NIST. That request was rejected, although the Commission notes that it expects “this report will materially assist the Commission, and the public, in better understanding age verification technologies,” including facial age estimation.

NIST’s publication of the evaluation is anticipated for April 10 at the Global Age Assurance Summit in Manchester, UK, Yoti Co-founder and CEO Robin Tombs said in a LinkedIn post.

“We do recognise it will be helpful to both the FTC and all other interested parties, including members of the public, to understand independent test results across years of age, gender & ethnic groups from a collection of vendors, before the FTC makes a very important decision whether to allow parents to choose to use facial age estimation to provide verified parental consent & businesses accept such evidence to comply with #COPPA,” Tombs writes.

He also points to Yoti’s efforts to be transparent about the effectiveness of its age estimation technology, such as through releasing internal assessments. Tombs also argues that when given a choice of age verification methods, a “high majority” choose facial age estimation.

Facial recognition, which involves identifying the individual, and therefore has at least some additional risk to privacy, was approved by the FTC as a way to verify parental consent way back in 2015.

The Commission says that it has insufficient assurance a 90-day extension would allow it time to properly analyze test results, and that without them it is not able to reach a decision. The next step then, is for the application to be refiled after the NIST evaluation is made public, so it can go through another round of public comments and decision-making.

“In declining the application at this time, the Commission is taking no position on the merits of the ESRB group’s application,” the FTC says.

Article Topics

biometric age estimation  |  biometric testing  |  COPPA  |  face biometrics  |  facial age estimation (FAE)  |  FTC  |  NIST  |  selfie biometrics  |  Yoti