New York’s proposed age assurance rules ‘clearest and smartest’ to emerge

A new proposal in New York State that aims to lay out age assurance rules for social media is getting rave reviews from top voices in the biometrics and digital identity industry.

The Office of the New York State Attorney General (OAG) says it has issued a Notice of Proposed Rulemaking (NPRM) for the Stop Addictive Feeds Exploitation (SAFE) for Kids Act. Signed into law in June 2024, SAFE targets algorithms that personalize feeds for teen users and are designed to be addictive.

“These feeds can track tens or hundreds of thousands of data points about users to create a stream of media that can keep minors scrolling for dangerously long periods of time,” the OAG says. “Consistent with robust research from child mental health experts, the Legislature found that these hours spent on social media have caused harm to New York minors including depression, anxiety, suicidal ideation and self-harm.”

The Act prohibits addictive feeds for young users and bans platforms from sending notifications between the hours of 12 a.m. and 6 a.m. OAG has been charged with “promulgating regulations” that “identify ‘commercially reasonable and technically feasible methods’ to determine that a user is not a minor before providing them with an addictive feed or nighttime notification,” and “identify methods of obtaining verifiable parental consent for an addictive feed or nighttime notification.”

Show us the numbers: minimums set for accuracy, circumvention

What has won the particular praise of age assurance providers, however, are the Act’s “standards for effective, secure, and privacy-protective age assurance.” Unlike some other online safety legislation – like the UK’s much-discussed Online Safety Act (OSA) – SAFE gets specific on numbers for minimum accuracy levels and minimum percentage rate for detecting method circumvention.

Up front, it defines “Accuracy Minimum” as: “(1) a rate of false positives for an age assurance method that is equal to or less than the following: 0.1 percent of minors ages 0 to 7; 1 percent of minors ages 8 to 13; 2 percent of minors ages 14 to 15; 8 percent of minors age 16; 15 percent of minors age 17, excluding failures or refusals by a user to provide requested data and inconclusive age assurance outcomes; and (2) a rate of detecting method circumvention for an age assurance method that meets or exceeds 98 percent.”

These are the kind of very clear guidelines for performance that providers have been asking for since the age assurance conversation began. In a post on LinkedIn summarizing the proposal, Yoti CEO Robin Tombs calls it “by far the clearest and smartest set of age checking regulations that deliver privacy preserving, highly effective age assurance.”

It’s not just the statistical specificity that appeals, either; Tombs has a long list of things that OAG has clarified. These include crucial practices like “operators must implement data minimisation and deletion,” statements on certification like “every age assurance method must be certified annually by an accredited independent third party under international standards (ISP/IEC 27566, IEEE 2089.1 or other),” and recognition that zero knowledge proofs (ZKP) and double blind age verification methods show significant promise.

‘Rules are inclusive, robust, and privacy preserving’: Verifymy

Verifymy has also taken note of New York’s proposal.

“While the law is driven by evidence that algorithmically-curated feeds fuel depression, anxiety and other harms, the heart of the new guidelines is about practical, privacy-preserving age assurance to make those protections real,” says a blog from the company, which calls SAFE’s approach to age checks “encouraging.”

“The rules are inclusive, robust, and privacy-preserving, without being overly restrictive. Rather than relying only on traditional identity documents for age checks, they embrace innovative age estimation and inference (for example, checks based on a user’s email address), while recognising that accuracy is highest for younger children and naturally more nuanced for 17-year-olds close to adulthood”.

Privately, efficient, effective age assurance can be done in NY

Perhaps most significantly in a global context, the OAG provides, by way of its own extensive research and consultation, a statement that backs up the findings of Australia’s Age Assurance Technology Trial (AATT), which has faced questions about its methodology.

“OAG can confirm that today, the age assurance market includes a robust variety of products that perform at a high accuracy rate, easily integrate with online platforms, handle large user volumes, and prioritize the preservation of user privacy and protection of user data,” says the NPRM.

“Age assurance products can be selected and customized to meet different business models, user populations, and compliance obligations. Age assurance providers are already servicing clients in the U.S. and globally, including many of the largest social media platforms, and are supported by a trade association, standards bodies, and providers of certification and testing.”

It also reiterates the often-stated point that the age assurance industry is aware its technology isn’t perfect, but continues to refine and improve it.

To Robin Tombs, the OAG’s rules are “smart, clear details relating to commercially reasonable and technically feasible methods of age assurance.”

“I suspect they will get copied by many AV regulators around the world over the next 1-3 years.”

Article Topics

age verification  |  biometrics  |  digital identity  |  double-blind age assurance  |  New York  |  social media  |  Stop Addictive Feeds Exploitation (SAFE) for Kids Act  |  VerifyMy  |  Yoti