Evaluates and implements age verification methods like facial estimation, digital ID checks, self-declaration, and AI analysis for online services. Balances accuracy, privacy, and compliance with GDPR, ICO, UK OSA.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin children-privacy-skills

This skill uses the workspace's default tool permissions.
Age verification and age estimation are distinct but complementary approaches to determining whether a user is a child for the purpose of applying appropriate data protection safeguards. Age verification provides a definitive confirmation of age through documentary or transactional evidence. Age estimation provides a probabilistic assessment of age using technological methods such as facial analysis, behavioural analysis, or device signals. The selection of an appropriate method requires balancing accuracy, privacy impact, accessibility, and proportionality. This skill covers the full spectrum of available methods, their regulatory context under the GDPR, UK AADC, COPPA, and emerging legislation such as the EU Digital Services Act (DSA) and the UK Online Safety Act 2023, and provides implementation guidance based on ICO and CNIL recommendations.
"The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology."
The "reasonable efforts" standard is context-dependent. The EDPB has not prescribed specific technologies but expects controllers to adopt verification proportionate to the risk of the processing.
"Take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users." The ICO guidance states that the level of certainty required depends on the risks to children from the processing. Higher risks demand more robust age assurance methods.
Section 11(3) requires providers of regulated user-to-user services and search services to use "proportionate systems or processes" designed to prevent children from encountering primary priority content that is harmful to children. Ofcom's codes of practice specify age verification as a recommended measure for pornographic content and age estimation for broader content categories.
Providers of online platforms accessible to minors must put in place appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors on their service. This includes age verification for services with content restrictions.
France's law to regulate and secure the digital space requires age verification for access to pornographic websites, mandating technical solutions certified by CNIL that verify age without identifying the user. The CNIL-approved reference system requires a "double-blind" architecture where the identity verification provider and the content provider cannot link the user's identity to the content access.
Description: User uploads or presents a government-issued identity document (passport, national ID card, driver's licence) which is verified against document security features and optionally against government databases.
Technical Implementation:
Accuracy: Very high (99%+ when combined with liveness detection)
Privacy Considerations:
Accessibility: Excludes individuals without government-issued ID (estimated 1.5 million UK adults lack photo ID per Electoral Commission 2021 data). Not appropriate as the sole method.
Use Cases: Age-restricted content (gambling, alcohol, adult content), high-risk services
Description: Machine learning models estimate a user's age from a facial image captured by the device camera. The estimation provides an age range (e.g., "over 18" or "13-17") rather than a precise age.
Technical Implementation:
Accuracy: Mean Absolute Error (MAE) of 1.5-3 years depending on the model and demographic. Accuracy varies by: age group (lower accuracy for children under 8 and adults over 65), ethnicity (documented bias in some commercial systems), lighting and image quality.
Privacy Considerations:
Key Providers: Yoti (Age Estimation), VerifyMyAge (EstimateMyAge), Privately SA
ICO Position: The ICO has stated that facial age estimation technology that processes images locally, does not store images, and does not identify the individual can be a proportionate method for age assurance. The ICO conducted a joint audit with the Australian Information Commissioner (OAIC) of Yoti's age estimation technology in 2022 and concluded it met data protection requirements when implemented with appropriate safeguards.
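The MAE figures above imply that a bare threshold comparison misclassifies users close to the age limit. The following is an added example, not code from this skill or from any provider named here. It shows a three-way decision with a buffer around the threshold and an escalation outcome, plus an estimate of how often an under-age user would pass. The buffer multiplier `k` and the zero-mean normal error model are assumptions.

```python
import math
from enum import Enum
from statistics import NormalDist


class Outcome(Enum):
    PASS = "pass"          # treat as at or over the threshold
    ESCALATE = "escalate"  # inside the buffer: hand off to a stronger method
    CHILD = "child"        # apply child safeguards


def decide(estimated_age, threshold, mae, k=2.0):
    """Three-way decision with a buffer of k * MAE around the threshold.

    k = 2 is an assumed policy value, not a figure from the page. Only the
    returned Outcome is meant to be stored, never the image or the estimate.
    """
    if mae <= 0 or k < 0:
        raise ValueError("mae must be positive and k non-negative")
    buffer = k * mae
    if estimated_age >= threshold + buffer:
        return Outcome.PASS
    if estimated_age < threshold - buffer:
        return Outcome.CHILD
    return Outcome.ESCALATE


def false_pass_probability(true_age, threshold, mae, k=2.0):
    """Chance that a person of true_age is classified PASS.

    Assumes zero-mean normal estimation error, for which
    sigma = MAE * sqrt(pi / 2). Real models show demographic and
    image-quality bias, so this is an approximation only.
    """
    sigma = mae * math.sqrt(math.pi / 2)
    pass_cutoff = threshold + k * mae
    return 1.0 - NormalDist(mu=true_age, sigma=sigma).cdf(pass_cutoff)


if __name__ == "__main__":
    # Constructed scenario: 18+ gate, MAE at the top of the 1.5-3 year range.
    for k in (0.0, 1.0, 2.0):
        p = false_pass_probability(true_age=16, threshold=18, mae=3.0, k=k)
        print(f"k={k}: a 16-year-old passes with probability {p:.3f}")
    print(decide(estimated_age=21.0, threshold=18, mae=3.0))
```

An `ESCALATE` outcome is where a document-based or digital identity check would take over.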
Description: User authenticates through a trusted digital identity provider (eID, digital wallet, Open Banking) that confirms age without disclosing full identity to the relying party (service provider).
Technical Implementation:
Accuracy: Very high (dependent on the identity provider's verification of the underlying identity)
Privacy Considerations:
Use Cases: EU/EEA services preparing for eIDAS 2.0 Digital Identity Wallet; UK services using DIATF-certified providers
Description: User declares their age through a date-of-birth field or age-range selector. The declaration is treated as the baseline, supplemented by risk-based measures to detect false declarations.
Technical Implementation:
Accuracy: Low as a standalone method. Children commonly misrepresent their age online. Ofcom's 2023 research found that 33% of UK 8-17 year olds have a social media profile despite being below the platform's minimum age.
Privacy Considerations: Minimal data collection (only declared date of birth). No biometric processing. No identity document collection.
Use Cases: Low-risk services as a first-line screening measure, always combined with additional safeguards for medium and high-risk services
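This page pairs self-declaration with cookie-based re-entry detection for low-risk services. The following is an added example of that pairing, not code from this skill. After an under-age declaration the server sets a signed marker that holds only a timestamp, and a later declaration with a different date of birth is refused while the marker is live. The function names, the key and the 24-hour window are assumptions.

```python
import hashlib
import hmac
from datetime import date
from typing import Optional, Tuple

SECRET = b"constructed-demo-key"  # assumption: load from a secret store in practice
LOCKOUT_SECONDS = 24 * 3600       # assumed lockout window, not a figure from the page


def age_on(dob: date, today: date) -> int:
    """Whole years elapsed, subtracting one if this year's birthday is still ahead."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def _sign(ts: str) -> str:
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def make_marker(now: int) -> str:
    """Cookie value recording only when an under-age declaration happened.

    No date of birth is stored, in line with the minimal-data point above.
    """
    ts = str(now)
    return f"{ts}.{_sign(ts)}"


def marker_active(cookie: Optional[str], now: int) -> bool:
    """True if the cookie is authentic and still inside the lockout window."""
    if not cookie or "." not in cookie:
        return False
    ts, sig = cookie.split(".", 1)
    # Constant-time comparison on bytes; rejects tampered or malformed values.
    if not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return False
    return 0 <= now - int(ts) < LOCKOUT_SECONDS


def handle_declaration(dob: date, min_age: int, cookie: Optional[str],
                       today: date, now: int) -> Tuple[bool, Optional[str]]:
    """Return (allowed, cookie_to_set). A live marker overrides any new date of birth."""
    if marker_active(cookie, now):
        return False, cookie
    if age_on(dob, today) < min_age:
        return False, make_marker(now)
    return True, None
```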
Description: User's age is inferred from possession of a credit card (typically issued only to adults 18+) through a monetary transaction.
Technical Implementation:
Accuracy: Moderate. Establishes that the person has access to a credit card, which correlates with being over 18. Does not verify the specific age of the cardholder. Children may use a parent's card.
Privacy Considerations: Payment card data is subject to PCI DSS requirements. The service should not store full card details. Only the transaction confirmation and a binary "has credit card" flag should be retained.
Description: The mobile network operator confirms the user's age bracket based on the subscriber information associated with the SIM/eSIM, without disclosing the user's identity to the requesting service.
Technical Implementation:
Accuracy: High for determining over/under 18, since MNO registration typically involves ID verification. Lower certainty for granular age (e.g., distinguishing 13 from 15) as MNOs may not record precise birth dates.
Privacy Considerations: The service learns only the age bracket. The MNO learns which service the user is accessing (unless intermediary architecture prevents this). DPIA recommended for the MNO's processing.
| Method | Accuracy | Privacy Impact | Proportionate For |
|---|---|---|---|
| Document-Based | Very High | Very High (ID collection) | Age-restricted products (gambling, alcohol) |
| Facial Age Estimation | High (MAE 1.5-3y) | Medium (on-device) to High (server-side) | General online services, social media |
| Digital Identity | Very High | Low (attribute-only disclosure) | Any service; best privacy-accuracy balance |
| Self-Declaration | Low | Very Low | Initial screening; low-risk services only |
| Credit Card | Moderate | Medium (payment data) | Supplementary verification for parental consent |
| MNO Verification | High | Low-Medium | Mobile-first services; supplementary check |

| Risk Level | Criteria | Examples |
|---|---|---|
| High | Direct messaging with strangers, user-generated content visible to strangers, age-restricted content, monetisation features targeting children | Social media, dating apps, gambling, online marketplaces |
| Medium | Content personalisation, in-app purchases, community features with moderation, educational services with profiling | EdTech platforms, gaming, streaming services |
| Low | Static content delivery, no social features, no data sharing, no profiling | Informational websites, single-player offline games |

| Risk Level | Minimum Verification | Recommended Approach |
|---|---|---|
| High | Document-Based OR Facial Estimation + Liveness | Document-based with digital identity as alternative |
| Medium | Facial Age Estimation (on-device) OR Self-Declaration + Risk Signals | Facial age estimation with escalation path |
| Low | Self-Declaration + Neutral Prompt | Self-declaration with cookie-based re-entry detection |
For each selected method, document:
BrightPath Learning Inc. operates an educational platform classified as Medium risk (educational content with progress tracking and personalisation, no social features with strangers).
Implemented Approach: Layered Verification
Data Retention for Age Verification:
Published standard providing a framework for implementing age-appropriate design in digital services, including guidance on age assurance methods and their application across different risk contexts.
Working draft standard for age assurance systems covering both age verification and age estimation. Addresses accuracy, privacy, accessibility, interoperability, and governance requirements.
The revised eIDAS Regulation mandates that EU Member States offer digital identity wallets to citizens by 2026. The wallet will support selective attribute disclosure, enabling users to prove they are over a specific age without revealing their full identity or date of birth. This will become the preferred age verification method for EU services.