<aside> 💡

Adopted on 11 February 2025

The European Data Protection Board has adopted the following statement:

1. BACKGROUND AND PURPOSE OF THIS STATEMENT

  1. The European regulatory framework calls for the increased protection of children in the digital environment. For example, the Audiovisual Media Services Directive, which Member States have transposed into their national laws, highlights the possibility to implement age verification measures (Articles 6a and 28b), the GDPR introduces minimum age requirements for consenting to the processing of personal data in the context of information society services (Article 8), the Digital Services Act references age verification as a risk mitigation measure (Article 35(1)), and a number of Member States have implemented minimum age requirements for performing legal acts, exercising certain rights or accessing certain goods and services into their own national

  2. In addition, different national and European initiatives, such as Better Internet for Kids (BIK+), identify age assurance as one solution to improve children’s well-being online through a safe, age-appropriate digital environment in line with the European Digital Rights and Principles.

  3. Based on the definition provided in the research report Mapping age assurance typologies and requirements, this document will use “age assurance” as ‘the umbrella term for the methods that are used to determine the age or age range of an individual to varying levels of confidence or certainty’. The same report mentions three primary categories of age assurance: age estimation, age verification and self-declaration.

  4. Age assurance poses specific risks to data protection with the potential to adversely impact not only natural persons’ right to the protection of their personal data, but also other rights and freedoms such as the right to non-discrimination, the right to the integrity of the person, the right to liberty and security, and the right to free expression and

  5. In recognition of the importance of a consistent approach at EU level on the topic of age assurance, the EDPB wishes to provide specific guidance and high-level principles stemming from the GDPR that should be taken into consideration when personal data is processed in the context of age

  6. The proposed principles seek to reconcile the protection of children and the protection of personal data in the context of age

  7. Priority has been given to address the requirements concerning the main principles stated in Article 5 GDPR (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, confidentiality, integrity, and accountability), and to ensure these data protection principles are properly implemented and remain robust over time, as set out under Article 25 GDPR “Data protection by design and by default” and Article 32 GDPR “Security of processing”.

  8. This statement is focused on the principles applicable to different online use cases, including when a minimum age is prescribed by law or otherwise for buying products, for using services that may harm children or for performing legal acts; and when there is a duty of care to protect children (for example, to ensure that services are designed or offered in an age-appropriate way).

  9. The EDPB may also consider issuing – whenever relevant and in other documents – additional guidance on specific use

2. PRINCIPLES TO DESIGN GDPR-COMPLIANT AGE ASSURANCE

2.1 Full and effective enjoyment of rights and freedoms

  10. Age assurance must respect the full complement of natural persons’ fundamental rights and freedoms, and the best interests of the child should be a primary consideration for all parties involved in the

  11. When implementing age assurance, service providers should ensure that they consider not only the impact on the right to the protection of personal data, but on all fundamental rights of natural

  12. In the specific case of children, the best interests of the child should be a primary consideration for all parties involved in age It is important to note that there is no hierarchy in considering the best interests of the child, and regard should be had for all children’s rights including their right to the protection of personal data, to protection from violence and all other forms of exploitation, to access information from a variety of sources and to have their views given due weight.

2.2 Risk-based assessment of the proportionality of age assurance

  13. Age assurance should always be implemented in a risk-based and proportionate manner that is compatible with natural persons’ rights and freedoms.

  14. Service providers should adopt a risk-based approach when designing and operating their services. The necessity and proportionality of using safety measures such as age assurance should be demonstrated, taking into account the associated risks. The necessity could be demonstrated by conducting an assessment to identify and evaluate the risks that a particular service poses for children, such as exposure to harmful contact or As part of this assessment, service providers may also consider the rights of children, the opportunities provided by the digital environment, the views of the children as well as their evolving capacities in order to ensure age-appropriate participation.

  15. Service providers must also respect their users’ rights and freedoms, including the right to the protection of their personal data, balancing these with the need for safety measures which should always be the least intrusive of those available and which should always be effective. In many cases, age assurance poses a high risk to the rights and freedoms of data subjects, which would therefore require that a Data Protection Impact Assessment (“DPIA”, Article 35 GDPR) be conducted before processing, taking into account the nature, scope, context and purposes of the The DPIA should include a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller. It should also contain an assessment of the necessity and proportionality of the processing, identify risks arising from processing personal data for the purpose of age assurance and contain measures to mitigate those risks.

  16. The DPIA should guide the design and implementation of appropriate technical and organisational measures for data protection compliance. This risk-based approach is crucial when balancing the potential interference with natural persons’ rights and freedoms against the intended objective in this particular context, namely children’s safety. The scope, extent, and intensity of this interference in terms of impact on rights and freedoms must always be carefully assessed. For example, a service provider processing personal data to check the age of all their users when accessing all their content or services, even when the content or services are suitable for all audiences and devoid of any risk, would not pass the necessity and proportionality tests.

2.3 Prevention of data protection risks