Presently, reputable online dating services are covered only by a voluntary code created by the Online Dating Association.
Dating services are not designed for children and are not offered to anyone under 18. Dating services have arrangements in place to prevent access by under 18s and will take action if they do find anyone underage on their services.” Source
“Most dating services do not have an issue with underage users. However, services should be vigilant to the possibility of underage users, and if a problem is identified, take steps to tackle the issue. It is up to the service to determine an effective and practical approach for their particular service. There are a number of bodies offering means by which people can verify their digital identity and be tagged accordingly on-site.
Operators should be alert too to the possibility of under 18s trying to join a site. Automated and human profile checking and monitoring thereafter and the limits to the use of a service by those without a paid subscription might generally provide an adequate package of prevention. Services which are more niche in nature and possibly more likely to prompt younger and too young users should give thought to the value of additional messages of deterrence.” Source
UK only: Age Appropriate Design Code (in force today, but grace period in operation in the UK until 2 September 2021)
This new statutory guidance requires dating sites to consider how they could risk the moral, physical or mental well-being of children under 18. And if so, to put in proportional measures to safeguard children and young people. Dating Services are in scope for the Age Appropriate Design Code if they do not have proportionate and effective meaures in place to ensure that children and young people under the age of 18 cannot access them at all.
Dating sites which do not wish to be in scope for the Code need to adopt rigorous age verification. Relying on age estimation measures will not be sufficient unless applied with a wide margin for error, given the inexact nature of artificial intelligence based age assurance techniques. So for example, analysing facial images of account holders could give an indication – if the image is actually of the user which is of course not guaranteed without further checks – that a user is over 25, so is therefore very unlikely to be under 18. But if the estimate generated is of 19 or 20, then there is still a strong risk that the user is in fact under 18. While estimation is becoming better all the time, it is never going to produce an exact age, allowing a user to join on their eighteenth birthday for example.
In some circumstances, estimation may be acceptable because the potential harm to someone a couple of years below a site’s minimum age is sufficienty low as to be acceptable. But where adults can interact with minors online, there is a risk of the inappropriate exchange of explicit images, videos or conversations etc. and in more extreme cases, of adults grooming underage users. Indeed, research shows that “sexting” is increasingly a problem between minors as well. As dating sites are designed to facilitate physical encounters, there may also be a physical risk if children under 18 agree to meet others (of any age) through a dating service.
Dating services need to conduct a child data protection impact assessment and determine honestly if users under 18 can access their site; and if so, what the specific risks are to those users; and what limits or protections need to be added for children to make the site age appropriate.
Sites may consider that where they have evidence of children using their service, but that those children are over the age of consent, there may not be any need to alter the nature of the functionality or content offered. But such sites will need to ensure that all users are at least 16 through age verification. This only addresses the specific risk arising from underage sex, and there are of course other risks that should be documented and addressed.
Our advice is that dating sites clearly require age verification to be in place to keep children from using the service. The rigor required is a matter for the judgement of the sites concerned – giving consideration to the nature of the content on the site, the number of users under 18 found by empirical research to be using it, etc. But given the reputational risk if a child is harmed by using your service, we recommend at least a standard level of assurance, and you may wish to go beyond that to an enhanced level check to ensure that fake images cannot be used. See our page on levels of assurance for an explanation of the methods of age verification that achieve these degree of confidence in an age check.
EU wide: GDPR (in force today)
You must be sure that your users are at least old enough to give consent for their personal data to be processed, if you rely on consent under Article 8 of GDPR, as a basis for processing some or all personal data you obtain from your users. (Remember, personal data even includes just an IP address.) In the UK, this “age of digital consent” is 13 but it varies between EU member states so if you have users in the EU, you will need to also determine their location and apply the relevant age as part of this check. But any service which uses consent as the basis of processing data, must consider the risk that where it does not know with certainty the age of the user, that user may be too young to give such permission without their parents giving consent.
Dating sites process special category data (e.g. racial or ethnic origin, political opinions, health information, sexual orientation). This requires extra care not to disclose such data unless it is allowed under Article 9 – for example with explicit consent or where the user has made the data public themsevles. If you are relying on the latter, do read the ICO’s detailed advice on this here but it is more likely you rely on explicit consent, so keep in mind this is only valid on its own in the UK if given by someone over 13.
USA: Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Rule seeks to put parents in control of what information commercial websites collect from their children online. It applies globally to sites providing a service to users located in the USA.
You’re covered by COPPA if:
- Your website or online service is directed to children under 13 and collects personal information from them – this is unlikely to affect adult dating services;
- Your website or online service is directed to a general audience, but you have “actual knowledge” you’re collecting personal information from a child under 13. The FTC has said that an operator has actual knowledge of a user’s age if the site or service asks for – and receives – information from the user that allows it to determine the person’s age. For example, an operator who asks for a date of birth on a site’s registration page has actual knowledge as defined by COPPA if a user responds with a year that suggests they’re under 13. An operator also may have actual knowledge based on answers to “age identifying” questions like “What grade are you in?”; – you are at risk if you ignore a US based user telling you directly or indirectly they are under 13
- You run a third-party service like an ad network or plug-in and you’re collecting information from users of a site or service directed to children under 13.Third-party sites or services may have actual knowledge under COPPA, too. For example, if the operator of a child-directed site directly communicates to an ad network or plug-in about the nature of its site, the ad network or plug-in will have actual knowledge under COPPA. The same holds true if a representative of the ad network or plug-in recognizes the child-directed nature of the site’s content. Another way an ad network or plug-in may have actual knowledge: If a concerned parent or someone else informs a representative of the ad network or plug-in that it’s collecting information from children or users of a child-directed site or service. – you should consider carefully your use of third parties
Websites and online services covered by COPPA must post privacy policies, provide parents with direct notice of their information practices, and get verifiable consent from a parent or guardian before collecting personal information from children.
Online Safety Bill (only draft legislation, not yet passed by Parliament)
As dating sites allow users to interact and share content such as photographs, they are in scope for the Online Safety legislation.
As dating sites are also “likely to be used by Children” they must comply with the further duties applicable. (Remember, children are defined as under 18-years-old.) It is not enough to simply exclude minors as a matter of policy through your terms and conditions – you will need to put in place measures to exclude them. (This phrasing mirrors the Age Appropriate Design Code above.)
The largest sites may be considered Category 1 sites, with additional duties placed on them to protect adults from harm. The test for scale has not yet been set, but larger dating service may find themselves subject to these extra rules.
Please read our briefing on the Online Safety Bill for further explanation of these new duties.