Age Assurance and Age Verification

While there are “no universally recognized legal definitions” for these terms, age assurance is generally used as an umbrella term to describe online operators’ methods to vet the ages of users and implement age restriction laws online.¹ Any—or a combination of the following—age assurance techniques can be used to determine a user’s age range or a binary statement about their age (such as this person is or is not 21+ years old):

• Age-gating/age-screening, or asking a user to self attest their age through checking a box or inputting a date of birth to confirm they are or older than the necessary age to access content;
• Age estimation, or estimating a user’s age by analyzing their online profile, activity, history, or facial data;
• Third-party verification, or trusting a third-party to verify a user’s age, using methods such as referencing linked accounts, vouching of age from parents or other users, or inspecting hard identifiers such as government-issued identification; and
• Age verification, or directly inspecting identifiers such as government-issued identification or biometric data to confirm a user’s age.

The terms age assurance and age verification are often used interchangeably—though this can cause confusion, particularly when implementing legal mandates. Age assurance includes a variety of methods to “establish, determine, or confirm a user’s age with some level of confidence,” according to the Digital Trust & Safety Partnership.² These methods offer varying degrees of accuracy, authenticity, reliability, and verifiability. Age verification is a subset of age assurance, which implies authenticating and confirming a user’s age with a higher level of certainty, often through the use of government-issued identification. As such, age verification in practice often means identity verification, requiring a user to disclose their identity beyond their age.

It is important to note that identity verification has implications for user privacy that differ from the implications of age verification. Identity verification requires a user to provide personally identifiable information about themselves to establish and verify their identity. Or as the National Institute for Standards and Technology (NIST) defines it, “the process of confirming or denying that a claimed identity is correct by comparing the credentials…of a person requesting access with those credentials previously proven…and associated with the identity being claimed.”³

On the other hand, age verification can simply mean establishing or verifying a person’s age. The Age Verification Providers Association (AVPA) defines age verification as “the process of checking the age of an internet user, without necessarily needing to know their identity.”⁴ This distinction around identity is critical. Requiring a user to disclose their identity is in itself a privacy intrusion, and online handling and processing of data can put personal information at risk. Additionally, forced identity disclosure can create a chilling effect on speech and exclude people who lack appropriate identification from online spaces and services.⁵ Online operators implementing age restrictions currently must rely on either age assurance techniques or age verification through the use of a government-issued ID—which in practice poses the same challenges and risks as identity verification. To help maintain these distinctions, this report will use strict age verification to refer to age verification methods that do not require verifying a person’s identity. However, the reality is that limitations in today’s technology do not enable this type of strict age verification.

Young online users are subject to the Children’s Online Privacy and Protection Act (COPPA), which requires online operators to obtain parental consent for their collection, use, or disclosure of personal data for children under 13 years old.⁶ To, presumably, avoid being subjected to COPPA requirements, social media platforms—as well as many other websites—often require account holders to be older than 13 years of age.

As such, current age assurance practices mimic the approved methods of parental consent outlined by the Federal Trade Commission’s COPPA standard for acceptable methods of obtaining parental consent.⁷ These methods include signing and submitting a consent form; using a credit card, debit card, or online payment system; calling a toll free number; connecting via video conference; providing a copy of government-issued ID that can be checked against a database; answering multiple knowledge-based questions; and verifying a photo ID with a real-time photo using facial recognition technology.

Each age assurance method and implementation strategy comes with its own trade-offs for user rights, data privacy, and security. Below is a non-exhaustive survey of age assurance methods, categorized by the underlying age assurance techniques outlined above. These methods are listed generally in order of lowest to highest level of assurance, broadly reflecting AVPA’s levels of age assurance and levels of assurance outlined in NIST’s Digital Identity Guidelines.⁸ However, levels of assurance will vary based on accompanying implementation practices.