Progress on age assurance since enforcement deadline ‘substantial,’ says ICO

A recent webinar from Shufti Pro sees the UK firm digging into the age assurance question, exploring how platforms can comply with age verification mandates without compromising privacy or user experience.

Moderated by Sofia Perez Flores, the panel assembled for “Age Assurance in Practice: Global Frameworks and Client Experiences” includes Alan Goode of Goode Intelligence, who collaborated on Biometric Update’s 2025 Online Market Report and Buyer’s Guide for the UK age assurance market. Also present is Iain Corby, executive director of the Age Verification Provider’s Association (AVPA), and Michael Murray, head of regulatory strategy for the UK Information Commissioner’s Office (ICO), alongside Shufti’s VP of Product Tom Gadsden.

Collectively, they address what Corby calls a “tsunami” of age assurance legislation around the world. This includes the UK’s Online Safety Act (OSA), which commenced enforcement in July; the EU’s Digital Services Act (DSA); Australia’s pioneering “social media ban” for users under 16, which takes effect in December; and the 24 states in the U.S. that have imposed some version of age verification requirements on adult content and social media sites. Brazil has introduced biometric verification standards and nations like Canada, New Zealand, Singapore and India are looking at how to approach the issue.

Global standard on age assurance comes into force within weeks

The panel effectively sets out to sort out what all of it means for businesses, and everyone else. How can compliance be achieved without deterring legitimate adult users? And what’s next?

The short answer from Iain Corby is, international standards. He says the industry has been conscious that different jurisdictions are passing different laws. “And so, we figured out one of the best ways to try to get some alignment was using international standards. This is something that people understand and apply around the world. There’s a good international infrastructure to share those standards and to audit and certify people against them.”

A course of work that has included the creation of the Global Age Assurance Standards Summit is finally coming due. Corby says the ISO/IEC standard on a framework for age assurance,  27566-1, “will finally come into force next month.”

“So that will hopefully allow us to then negotiate with people who are passing legislation or the regulators who are then developing the detail around it to say, could you please just point to these standards, and at least as a sort of underlying baseline requirement for everybody they should be compliant to those standards. And then you can add on the specific requirements for each particular jurisdiction.”

The ISO standard won’t solve everything; Corby notes the messy situation in the U.S., where laws can vary from state to state; “you could end up with 200 different regimes in just one country and clearly that’s not going to be efficient for anybody involved.”

The question of where in the stack to put age assurance measures also continues to be contested territory, as stakeholders at various levels (device, operating system, app store, content provider) make their case for why someone else should be responsible.

VPNs remain a big problem, but Ofcom is clamping down

The ICO’s Michael Murray is presented with the question of virtual private networks (VPNs), and the spike in their use in the wake of age assurance laws, presumably as a way to skirt around them.

“Offcom and the ICO are aware of the public debate about how VPNs may be used by children to bypass online safety protections and age assurance measures that services are put in place to meet their obligations,” he says. “We’re working together to explore the issue to try to understand the evidence base behind it, to understand the impacts on people’s online safety and privacy since OSA checks came into force.”

Murray notes the “many legitimate reasons why people may want to use a VPN. But he also points out what Corby has often argued: simply because the workaround exists, that doesn’t negate legal responsibilities. “Organizations should remember that they continue to have responsibilities under the OSA and under the UK GDPR to have accurate and effective age assurance.”

“Contravention – whether that’s a VPN use or other methods of contravention – should be something that they consider and discuss with their age assurance providers.”

Alan Goode speaks about the 2025 Online Biometric Age Assurance Market Report & Buyers Guide, which shows that organizations were already trying to adapt to the new regimes before enforcement.

Since July, “deployment of age assurance solutions has greatly accelerated, in particular for the adult content industry,” which, according to AVPA, has posted an additional 5 million age checks daily since the OSA rules became mandatory. He also notes how “popular digital identity and age assurance apps are constantly appearing at the top of the leaderboard in both Google Play and Apple stores.”

And that’s just the UK, and just for adult content. Goode says further growth is inevitable, as online safety laws and age check legislation spread across the world map and across sectors like online gambling, video games and e-commerce.

Gadsden notes the importance of liveness detection as an additional layer, specially for age estimation, to ensure models aren’t providing highly accurate age estimates of fake people.

The consensus is, momentum is growing – but myths persist. Corby says the most persistent are the idea that age verification leads to honey pots of data. He notes that age verification is not identity verification – age assurance providers are only interested in your age – and notes the continuing evolution of double-blind methods.

He also notes the problem of customers engaging age assurance providers – then asking them to turn off certain authentication settings. “We’re now trying to insist that our members have to be very, very clear with their clients, that if they don’t use the full scope of services then they’re not going to be compliant with the regulation.”

As for the VPN question, Corby echoes Murray in saying that it’s possible to detect VPN use, and age assurance providers are working on solutions.

Speaking for the ICO, Murray says the overall progress since July 25th has been “substantial.”

“We can even see that in our statistics, which show how many 15 to 17 year olds are on adult sites, for example. Those numbers have dropped. Or how much time they’re spending on those sites, and those have dropped significantly, as well showing that potentially they’re only able to get to the landing page and not deep into the site.”

“I think overall the impact of the OSA coming online and the 25th of July – AV day so to speak – has been significant, and the whole sector and Ofcom should be very proud of what they’ve achieved.”

Compliance across the board will take time, and flexibility will be needed from all parties as government and industry work out the knots. The ICO and Ofcom are working on a new joint statement that addresses a minimum age requirement and how both the ICO’s data protection remit and Ofcom’s online safety remit relate to that minimum age.

Digital majority age pops up in Jutland Declaration

A report in MLex has more on the concept of a minimum age, as applies to the EU. It says the Jutland Declaration, a non-binding political declaration spearheaded by the Danish Presidency of the Council of the EU, has been amended in its final draft to align more closely with “the EU approach to age verification,” including the role of the European Digital Identity Wallet and a “digital majority age.”

What it boils down to for online services, says Murray, is that “you need to know if children are on your service.” Compliance means paying attention to risk assessments, hiring a trustworthy age assurance provider, improving age assurance protections as necessary, and defaulting to strict settings for data privacy.

“How do you put in place a system that promotes accuracy, transparency and security while protecting users personal information? These are the questions you should be asking yourself.”

Article Topics

age verification  |  AVPA  |  biometric age estimation  |  Digital Services Act  |  Goode Intelligence  |  Information Commissioner’s Office (ICO)  |  ISO 27566-1  |  Ofcom  |  Shufti