The Age Verification Providers Association has submitted a response to the government’s national consultation, ‘Growing Up in the Online World‘, which will inform legislation expected to set new requirements for social media platforms, AI chatbots and other online services used by children.
As a trade body representing the suppliers of age assurance technology, AVPA takes a policy neutral position on the underlying political questions – whether a minimum age should be set, and at what level. Those are decisions for government and parliament. Our role is to ensure that whatever framework is chosen is technically grounded, practically enforceable and genuinely effective at protecting children.
Our central message is that the same technical infrastructure is required whether the policy outcome is a ban on under-16s accessing social media or a system of graduated, age-appropriate protections. In either case, independently certified age assurance – deployed at the point of access, not upstream at device or app-store level – is the essential foundation. The question is not whether the technology exists. It does, it works and it is affordable. The question is whether platforms will be required to deploy it and to have that deployment independently verified.
The Australian experience, documented in our own lessons learned report and in YouGov survey data commissioned for 7News, shows what happens when they are not. Despite a legal minimum age of 16 being in force, 55% of 13-15 year olds in Australia were still using TikTok, 49% Instagram and 73% YouTube. The technology to prevent this existed. The legal obligation existed. What was absent was a requirement for independently certified age assurance, without which self-assessed compliance is meaningless, compounded by the challenges many regulators face in delivering tough enforcement at speed.
Our response addresses a number of practical issues that we consider central to making any new framework work in practice.
- On implementation, we set out why age checks must happen at the point of access to restricted content – what we call the proximity principle – rather than upstream at app-store or device level. An age check at installation is the equivalent of checking identity at the point of deciding to enter the building industry rather than at the construction site gate. App-store approaches also fail entirely for browser-based access, progressive web apps and shared devices, and concentrate sensitive age data in a small number of powerful intermediaries.
- On accessibility, we argue that platforms must be required to offer multiple certified methods and to fund backstop options such as CitizenCard or PASS-accredited professional attestation at no cost to the user. The burden must sit with the platform, not the individual.
- On VPNs, we set out why restricting children’s access to VPNs is unnecessary and counterproductive. VPN-aware age assurance – using the technical and behavioural indicators already deployed by broadcasters and regulated gambling operators – is both more proportionate and more effective.
- On government digital identity, we raise a concern we consider significant. Proposals that would make government-issued digital ID the primary or default mechanism for age assurance risk crossing a line that age assurance policy has deliberately avoided. A requirement for age confirmation must not become, in practice or in public perception, a requirement to present identity to access online services. That conflation would be corrosive to public trust in the entire framework and would deter uptake, particularly among those most concerned about surveillance. It is also operationally unworkable: government digital identity schemes are not designed for use by minors. The EU’s own experience makes this plain — the European Digital Identity Wallet could not serve under-18s and required a separate age verification app to deliver anonymous checks for minors. France has deliberately launched a standalone age verification app to avoid any confusion with its national identity wallet. The UK should follow the same principle: age confirmation and identity verification are distinct functions and must remain so, with age assurance delivered through a competitive, independently certified private sector rather than concentrated in a single state-issued credential.
The full response is available below:
Loading...
Reload document 
Open in new tab