Age assurance shouldn’t lead to harvesting of kids’ data: Irish privacy watchdog

Age assurance requirements for pornography sites and platforms hosting extremely violent content will become mandatory in Ireland this July.

Media regulator Coimisiún na Meán published its 32-page Online Safety Code in October 2024. This summer, it comes into effect, activating the age assurance rule as well as restrictions on harmful content such as cyber bullying and promotion of eating disorders, self-harm and suicide. The code covers massive platforms including YouTube, TikTok, Pinterest, Reddit, Tumblr, Facebook, Instagram, LinkedIn, and X (formerly Twitter).

The Irish Examiner quotes Online Safety Commissioner Niamh Hodnett, who says, “through all of these actions, we want to ensure that children and young people can enjoy the benefits that media brings to them, and that regulated entities take proportionate steps to protect them from being harmed.”

Some companies have pushed back against the age assurance regulation in court. Judicial reviews requested by Reddit and Tumblr failed. Another one is set for July, to address allegations by X that Coimisiún na Meán is guilty of “regulatory overreach.”

Biometrics providers remove need for DIY age assurance

While Ireland’s privacy watchdog doesn’t go that far, it has expressed its belief that, in trying to keep kids off restricted sites, age verification tools should not collect huge amounts of children’s data.

In a report from MLex, Irish Data Protection Commissioner Dale Sunderland says “it’s not a sustainable position for companies to have to do their own age verification by gathering extreme amounts of data to verify ages” – a position any reputable age assurance provider would surely agree with. As they would with Sunderand’s follow-up statement: “I think there are solutions which provide for appropriate age assurance and age verification using the minimum amount or very little personal data.”

The private sector, however, might flinch at the suggestion that the EU’s effort to develop an age assurance app in the leadup to the full implementation of the EU Digital Identity (EUDI) Wallet could help companies comply with regulations. Recently announced initiatives in the EU and UK have some questioning the wisdom of governments becoming competitors to companies that have been paid to be certified under their trust frameworks. The Irish DPC is among those working with the European Commission to develop the EU’s app.

It also served as co-rapporteur for a recent statement adopted by the European Data Protection Board (EDPB), which lists ten principles for the compliant processing of personal data when performing age assurance.

Yoti: be precise about what data is necessary

Yoti has published a new blog on the question of age assurance, which includes the advice that organizations should establish exactly what data is needed.

“Accurate age verification is vital for ensuring that people have age-appropriate experiences. When deciding which age assurance methods to use, businesses should determine how definite they need to be about users’ ages. Does the platform need to know an exact date of birth? Or is it enough to just know whether they’re over or under a particular age threshold?”

“Establishing this should help businesses to work out what personal data they need to collect. A suitable balance will ensure age-appropriate experiences whilst protecting users’ privacy.”

Article Topics

age verification  |  biometrics  |  data privacy  |  Ireland  |  regulation  |  social media  |  Yoti