How does AV differ from identity verification?
Age can be proved in a wide range of ways, only one of which is as a sub-component of identity verification. The primary distinction is that AV limits the release of personal data to only confirmation that a user meets a minimum age (e.g. 18+) or is within a defined age range (e.g. 16-18).
You don’t need to share your full identity simply to prove your age.
To allow for the application of age restrictions (e.g. on the sale of age-restricted goods, services or content), Age Verification (AV) only discloses age-related personal data (attributes) to the relying party. The relying party does not need to know the full identity of its customer in order to gain a defined ‘level of assurance’ (confidence); it simply needs to know the age of its customer.
Identity providers (IDPs) can offer reusable digital identity wallets that allow a consumer to share only age attributes, and in that way offer age verification. It is also possible for an age verification provider (AVP) to issue age attributes without retaining any identity knowledge of the customer; personal data is only required for the initial age verification process. Indeed, some methods of age verification do not require any personal identity data even at the outset, e.g. age estimation via facial analysis, where the customer doesn’t log in and their image is instantly deleted.
Age verification offers unique benefits in situations where it is not necessary or not desirable for the relying party to access personal data. One example is assessing whether a customer is a child without the relying party needing to process the personal data of children. Another is when adults wish to access age-restricted websites without disclosing personal data to those sites.
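The data flow described above, as an added sketch that is not code from any AV provider or from PAS 1296:2018: the provider derives a yes/no answer from a date of birth and signs only that answer, and the relying party checks it without ever seeing the date of birth. The claim names, the demo key and the use of HMAC (standing in for an asymmetric signature) are assumptions of the example.

```python
import base64, hashlib, hmac, json
from datetime import date

# Constructed demo key. HMAC stands in for the asymmetric signature a real
# AVP would use so that relying parties cannot mint tokens themselves.
DEMO_KEY = b"constructed-demo-key-not-for-production"
ALLOWED_CLAIMS = {"age_over", "result", "aud", "exp"}  # hypothetical claim names

def age_on(dob: date, today: date) -> int:
    """Whole years completed on `today` (a 29 Feb birthday counts from 1 Mar here)."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def _sign(payload: bytes) -> str:
    return hmac.new(DEMO_KEY, payload, hashlib.sha256).hexdigest()

def issue_age_token(dob: date, threshold: int, audience: str, today: date, ttl_days: int = 1) -> str:
    """AVP side: only the yes/no answer enters the token; the date of birth does not."""
    claims = {"age_over": threshold, "result": age_on(dob, today) >= threshold,
              "aud": audience, "exp": today.toordinal() + ttl_days}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def check_age_token(token: str, threshold: int, audience: str, today: date) -> bool:
    """Relying-party side: accept only a valid, unexpired, minimal token for this site."""
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body)
    except ValueError:
        return False
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return False
    claims = json.loads(payload)
    if set(claims) != ALLOWED_CLAIMS:  # refuse tokens carrying extra personal data
        return False
    return (claims["aud"] == audience and claims["exp"] >= today.toordinal()
            and claims["age_over"] == threshold and claims["result"] is True)
```

The audience and expiry checks stop a token issued for one site, or on an earlier day, from being replayed elsewhere or later.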
- Until websites and platforms know the age of their users, it’s impossible to provide any extra protection for children.
- When we use the term “know” we need to be specific. UK government policy and the UK Information Commissioner (ICO) now talk about “age assurance”, a term that covers a wide range of methods for assessing someone’s likely age. These range from very weak (inputting your claimed age or date of birth), through more scientific (biometric age estimation, social proofing), and ultimately to age verification. But for critical applications, where accuracy is essential, only age verification (based on the BSI Standard PAS 1296:2018) should be relied upon.
- There is also the question of who conducts the age verification. Those providing access to age-restricted goods, services and content, or advertising these, have a strong vested interest in maximising the potential number of customers qualified as old enough. There is a strong argument that age verification should be conducted independently.
- Independence also offers the opportunity to protect personal data better, as the data supplied to verify age is only used for that purpose, and in the case of several leading AV suppliers, not retained after the check is complete.
- There is a Catch-22 situation for websites wishing to avoid the regulatory burden of processing children’s data: they need that data to determine which of their users are children. By using third-party AV providers, they can avoid accessing any personal data belonging to children in the first place.
- (The ICO acknowledges this conundrum: “We recognise there is a tension between age assurance and compliance with GDPR, as the implementation of age assurance could increase the risk of intrusive data collection.”)
- Moreover, many adults are reluctant to share personal data, particularly when it is not a legal requirement. It may lead to spam, ID theft, fraud, etc. If the requirement is to prove your age, you may quite reasonably not wish to divulge your full identity details each time in order to do so.
- And critically, the whole process of AV is subject to independent audit and certification against the standards for AV, data security and data protection, to avoid abuse and build public trust.
So in summary, we distinguish AV as being the minimal data set that is shared with relying parties in the process, i.e. you do not need to know someone’s name to know they are old enough to be served beer. And whilst age is undeniably an attribute of identity, the key feature for many sites is just to receive what they need.