How does Age Verification differ from identity verification?
You can prove your age online using a wide range of methods; identity verification is only one of the options, and is not necessary if all you need to do is confirm your age or age-range (e.g. ‘over 18’, ‘under 13’).
Age verification allows you to prove your age online without the requirement to share any personally identifiable information (your identity) when buying goods, using services or accessing content.
You don’t need to share your identity simply to prove your age online.
Or to put it a little more technically…
To allow for the application of age-restrictions (e.g. the sale of age-restricted goods, services or content) Age Verification (‘AV’) discloses only age-related personal data (‘age attributes’) to the service they are trying to access (‘relying party’). It is not necessary for the relying party to know the full identity of their customer, they simply need to know the age, or age-range, of their customer.
Identity providers (‘IDPs’) can offer reusable ‘digital identity wallets’ and allow a consumer to share only age attributes and therefore offer age verification to prove their age. It is also possible for an age verification provider (AVP) to issue age attributes without retaining any identity knowledge of the customer; personal data is only required for the initial age verification process. Indeed, some methods of age verification do not require any personally identifiable information even at the outset e.g. age estimation via facial analysis, where the customer doesn’t login and their image* is instantly deleted.
Age verification offers unique benefits in situations where it is not necessary or not desirable for the relying party to access personal data. For example, when assessing whether a customer is a child without the relying party needing to process the personal data of children; also, when adults wish to access age-restricted websites without disclosing their personal data to those sites.
So, in summary, we distinguish AV as being the minimal data set that is shared with relying parties in the process i.e. you do not need to know someone’s name to know they are old enough to be served beer. And whilst age is undeniably an attribute of identity, the key feature for many sites is just to receive what they need.
* images are biometric data which are legally considered to be sensitive personal data; but images need not be retained by AV providers once age assurance has been undertaken.