How does AV differ from identity verification?
AV operates in parallel but is not sub-component of identity verification; the primary distinction is that AV limits the release of personal data to only confirmation that a user meets a minimum age (e.g. 18+) or is within a defined age-range (e.g. 16-18).
You don’t need to share your identity simply to prove your age.
Age Verification (AV) is distinct from Identity Verification (IDV) because AV discloses to the relying party (e.g. a website selling age-restricted goods, services or content) only age-related personal data (attributes) to allow for the application of age-restrictions. It is not therefore necessary for the relying party to know the identity of their customer in order to know with a defined ‘level of assurance’ (confidence), the age of their customer.
Identity providers (IDPs) can selectively release only age attributes and therefore offer age verification. It is also possible for an age verification provider (AVP) to issue age attributes without retaining any knowledge of the identity of the customer; personal data is only required for the initial age verification process. Indeed, some methods of age verification do not require any personal identity data even at the outset e.g. facial analysis
Age verification offers unique benefits in certain situations where it is not necessary or not desirable for the relying party to access personal data. For example, when assessing if a customer is a child without the relying party needing to process the personal data of children, or for when adults wish to access age-restricted websites without disclosing personal data to those sites.
- Until websites and platforms know the age of their users, it’s impossible to provide any extra protection for children.
- When we use the term “know” we need to be specific; UK government policy, and UK Information Commissioner (ICO), now talk about “age assurance” which is a term that covers a wide range of methods for assessing someone’s likely age which range from very weak – inputting your claimed age or date of birth – to more scientific – facial analysis, social proofing – and ultimately to age verification. But for critical applications, where accuracy is essential, only age verification (based on the BSI Standard PAS 1296:2018) should be relied upon.
- There is also the question of who conducts the age verification. There is a strong vested interest for those providing access to age restricted goods, services and content, or advertising these, in maximising the potential number of customers qualified as old enough. There is a good argument that age verification should be conducted independently.
- Independence also offers the opportunity to protect personal data better, as the data supplied to verify age is only used for that purpose, and in the case of several leading AV suppliers, not retained after the check is complete.
- There is a Catch 22 situation for websites wishing to avoid the regulatory burden of processing children’s data – they need that data to determine which of their users are children. By using third party AV providers, they can avoid accessing any personal data belonging to children in the first place.
- (The ICO acknowledges this conundrum: “We recognise there is a tension between age assurance and compliance with GDPR, as the implementation of age assurance could increase the risk of intrusive data collection.”)
- Moreover, many adults are reluctant to share personal data when it is not necessary to do so. It may lead to spam, ID theft, fraud etc. If the requirement is prove your age, you may quite reasonably not wish to divulge your identity in order to do so.
- And critically the whole process of AV is subject to independent audit and certification against the standards for AV, data security and data protection, to avoid abuse and build public trust.
So in summary, we distinguish AV from ID by virtue of the limited personal data that is shared with relying parties in the process i.e. you do not need to know someone’s name to know they are old enough to be served beer. Some may see AV as a subset of ID, but we see it distinctly because of the general reluctance many have to share personal data, and the complexity associated with processing children’s data.