The Age Verification Providers Association (AVPA) has submitted detailed feedback to the European Commission on its draft guidelines under Article 28 of the Digital Services Act (DSA), which aims to improve the online safety of minors. While we support the overarching goal, we have serious concerns about the current approach and the implications for innovation, privacy, and inclusion.
What’s the problem?
The draft guidance risks narrowing the definition of effective age assurance by favouring specific methods, such as ID-based verification, while ignoring accessible, privacy-preserving alternatives such as facial age estimation. This approach confuses method with outcome and may shut down a growing, standards-based market for innovative age assurance technology.
Key messages from our submission:
- Don’t prescribe methods – The draft guidance wrongly implies that age verification (e.g. using ID documents) is generally better than estimation (e.g. facial or hand movement analysis). What matters is how accurate and reliable the outcome is, not how it’s achieved.
- Define what “effective” means – Terms like “highly effective”, “accuracy”, and “trusted ID” are not clearly defined. We urge the Commission to adopt international standards such as IEEE 2089.1 and ISO/IEC 27566-1 to set clear outcome based performance thresholds for different levels of risk.
- Clarify use of double-blind systems – While France sometimes requiries while Italy always requires double-blind privacy models, the EU guidance doesn’t say when or why these should be used. Without proper ecosystem support, double-blind AV is difficult to implement both commercially and with sufficient confidence in the accuracy of the age check.
- Be clear about what compliance requires – for both Very Large Online Platforms, and for services regulated by a Member State when their users may be from multiple jurisdictions. Is a German KJM approved age-check based on facial estimation sufficient to for an Italian AGCOM-regulated digital service?
- Avoid distorting the market – A publicly funded EU AV App must not crowd out private sector solutions. Interoperable tools like AgeAware from euCONSENT and AgeKey from Opale are already live and standards-compliant. They should be carefully considered, not sidelined.
- Involve the right stakeholders – We call for a dedicated working group of regulators, providers, civil society and privacy experts to revise the guidelines together.
We fully support the Commission’s goal of protecting minors online but believe it can only succeed through a flexible, standards-based approach that encourages innovation while safeguarding rights.
You can read our full submission below
Detailed Feedback on Article 28 DSA Guidelines for the Protection of Minors