Levels of assurance

There are different levels of reliability and accuracy required by the various legislation – referred to as “levels of assurance.”

Broadly these fall into two categories:

  • Strict verification is where an actual date of birth is required to be legally compliant. This is either because the law specifies an exact age, or the level of risk of harm to a child is high enough to warrant the strongest forms of due diligence about their age. An example of a specific age is the Digital Age of Consent” where if you are 12 years and 11 months old in the UK, it will not be legal for a website to process your data on the basis of consent without your parents’ approval. Likewise, to sign a contract that can be enforced, you must be at least 18 years-old. A day short, and the other party will fail in court so the contract is worthless

 

  • Basic age verification allows for an estimate of a user’s age to be sufficient to keep regulators happy. The Age-Appropriate Design Code is the best example. The ICO goes as far as setting out five age-bands as guidance, but services can choose their own age bands, and indeed, they may specify overlapping bands.

This means that if they use an estimation technique proven to be accurate within +/- 1 ½ years, they could use that successfully to split content between two age groups – 0-14 or 10-17. If the estimate suggests a child is 12, then they could be as young as 10 ½ or as old as 13 ½ so would be permitted to see the content suitable for the the older age-range. But if it estimates them to be only 8, then they would be restricted to the younger age-range. In this example, the service has determined, based on a risk analysis, that it is not an unacceptable risk for a few 8 ½ year-olds to see the content in the older age range.

Other examples could be the processing of children’s data based on legitimate interest where the nature of the processing is not a significant risk to a child of 8½ but would normally be more reasonably considered acceptable once they reach 10.

The UK Online Safety Bill is also a proportionate requirement, with risk assessments guided by the regulator through published risk profiles for different types of service, and codes of conduct for each new duty. But there is a wide degree of discretion for the services to determine what level of protection, if any, is required for children of different ages. This introduces, again for lower levels of potential harm, the opportunity to use softer estimation techniques.