Regulators pitch alternative methods at day 2 of Global Age Assurance Standards Summit

A variety of approaches to age verification were on display during Day 2 of the Global Age Assurance Standards Summit. Presenters representing regulatory bodies from different countries wrestled with questions about what age assurance is, what it is not, and how to balance the digital rights of kids with safeguards designed to keep them away from adult content.

In her keynote, “Towards Global Regulatory Standards for Age Assurance,” children’s digital rights activist Beeban Tania Kidron makes a salient point about why age assurance is not widely implemented, despite being an easy lift.

“It’s always felt to me rather pathetic, that an industry that knows how tall you are, where you live, the makeup of your family and likely how many steps you took in 2023 — this industry, for whom personalization is a core business — that they claimed age assurance was an insurmountable boundary,” says Baroness Kidron, a member of the UK’s House of Lords who founded the 5Rights Foundation, a non-profit dedicated to children’s digital rights.

She believes that the only reason Instagram can know someone likes (for example) red Nikes, but still claim that they don’t know their age, is “because it’s not in their interest to know.”

“If they know that they’re dealing with a twelve-year-old boy,” says Kidron, “then they also know that flooding his feed with porn or passing his image to an infinite number of people is not what they should be doing.” Kidron considers age assurance to be a basic part of the KYC process.

“Which brings us to the knotty problem of, can it be done,” she says. “The short answer is, yes.”

Germany’s ‘regulated self-regulation’ system aims for flexibility

So, how? Speakers from regulatory bodies in Spain and Germany spoke about the respective approaches their nations take to regulation.

Martin Drechsler, managing director of the German Association for Voluntary Self-Regulation of Digital Media Service Providers (FSM) outlined the self-regulatory approach to age assurance in German – what he calls “the system of ‘regulated self-regulation.’”

Companies can choose to become members of the non-profit private members association, which began as a kind of legal consultancy providing shortcuts for those facing allegations of infraction. Now, though, FSM focuses on “giving advice to our members finding common ground and setting standards together so that companies can provide family friendly online services and robust safety measures while being legally compliant.

Drechsler says “the law itself did not and still does not give too many details on how to provide for effective age verification or age insurance, which is good, because the law would not become outdated too quickly. But this is also bad, because the different actors are somewhat left alone when trying to find out what would be sufficient.” The FSM tries to fill that gap, and they also prize flexibility. “In essence, we try not to formulate too strict or narrow standards,” says Drechsler. “We would rather leave them open and flexible in order to allow for innovation.”

“Our legal position as a regulated self regulator enables the FSM to enter a creative and constructive dialogue with our members at a very early stage of the product development.”

Drechsler believes the digital identity and age verification sectors are “holding our breath to see how effective the European Digital Services Act and the British Online Safety Act will be. However, when it comes to age verification and age assurance, there can never be one size fits all. It is always very challenging to define a clear and final set of rules. And the example from Germany clearly shows this.”

Spain adapts GDPR for decalogue of age assurance principles

The Spanish Data Protection Authority’s (AEPD) proposals for age verification solutions emphasize the importance of preserving privacy while ensuring accuracy. Matra Beltran, chief of the scientific unit in the innovation and technology division of the AEPD, says the AEPD’s decalogue of principles is based on GDPR.

The decalogue provides guidelines to ensure the principles “while protecting the best interests of the child.” Centered on lawfulness, fairness and transparency, it begins from the core idea that “the system for protecting minors from inappropriate content must guarantee that the identification, tracking or location of minors over the Internet is impossible.”

Beltran highlights testing done on the AEPD’s decalogue to try and spur innovation. “We are a data protection authority. We don’t want to produce commercial solutions,” she says. “But we wanted to propose something as an element of analysis and as a source of inspiration, helping providers to understand what they can do and what they cannot do. And we also wanted to bring something new to the table, because when analyzing the market, we found that all the available solutions are very similar, always repeating the same technical models. In our case, we wanted to solve the age verification problem without leaving the users’ devices.”

More about the decalogue can be found on AEPD’s website.

Article Topics

AEPD  |  age verification  |  Global Age Assurance Standards Summit  |  legislation  |  regulation  |  standards