Current Region:

Alternatives to AV – device-based age verification apps

January 17, 2024

The Spanish data protection authority, the Agencia espanola protección datos (AEPD) recently developed three proofs of concept for applying age verification on devices.  One was for gaming consoles, the other two for Android and iOS based devices.

The concept is straightforward:  The user has an age verification app on their device which establishes a record of the user’s age, perhaps from the age attribute stored in the their European digital identity wallet, currently being developed as part of the eIDAS2 initiative.

Apps and browsers on that device can then ask the AV app whether the user meets an age qualification for access to each age-restricted piece of content or functionality.

While this is an interesting and novel approach, we are not convinced it will prove to be a more effective option than online age assurance where the website or platform is primarily responsible for ensuring an age-appropriate experience for children, for a number of reasons:


The first challenge would be adoption.  All browsers and apps with any age-restricted aspect to them would need to be reconfigured to adopt this new approach, and operating systems and device manufacturers would need to be on board too.  This would probably require a concerted effort by legislators across multiple jurisdictions, and if major markets such as the USA were not aligned, it may be difficult for another country or even several countries, to demand such a comprehensive re-design.  Even the EU may struggle to secure cooperation and could find services withdraw rather than comply unless the US is in lock step.


Even if cooperation was achieved, voluntarily or by law, a lengthy period for adjustment would be required by so many component parts of the Internet eco-system.  It is hard to see how this new regime could be achieved in anything less than five years, possibly longer by the time the approach is agreed, legislation is passed, technology developed and regulations enforced.


The next question is around digital exclusion.   As regulators act to protect children, it is doubtless becoming more complex and expensive to maintain compliance.  Many digital services may take the cheaper alternative of simply excluding children altogether.  An app-wide solution makes this total exclusion very straightforward – just set your minimum age to 18 in the app store and worry no more about making your platform safe for its users.  Meanwhile children are locked out of many educational and developmental opportunities which may still, in the most part, be entirely suitable for their age.  Only the platforms themselves can apply age-assurance to deliver age-appropriate content, blocking some altogether, or limiting some functionality for the youngest children while giving more options to older teens.


This is also not a comprehensive answer.  The proofs of concept have only tackled games consoles and two mobile operating systems.  But what about all the other connected devices increasingly available in our homes – from TVs to fridges.  Children access the Internet in many different ways, but particularly from PCs and laptops so there at least needs to be a further proof of concept for these.

Shared Devices:

In households where devices are shared among family members, an age verification app on one device may not prevent a child from accessing adult content on another device without such restrictions. Additionally, children may use friends’ devices that are set for use by older children or adults.

Bypassing Apps:

The devices themselves would need to host the age verification app securely, so it is tamper-proof.  Devices do have secure conclaves where the most sensitive data is held, but arrangements would need to be made for each hardware and software combination to offer a suitably secure instance to host the app.

Children may discover ways to bypass or uninstall age verification apps, especially if they are more tech-savvy or these become widely available online. This could involve using third-party tools, finding workarounds, or exploiting vulnerabilities in the system.

Dynamic Online Content:

The internet is dynamic, with new content being added constantly, including user generated content and advertisements inserted by third-party ad-serving platforms. Age verification apps may not keep up with this rapidly evolving online content accessed within a browser or another app, and their effectiveness can be diminished as new platforms and types of content emerge unless there is comprehensive adoption of this new approach.

In conclusion, it will take a long time to implement this approach comprehensively and require what is perhaps an insurmountable degree of cooperation and development by every aspect of the online eco-system.  So, while theoretically appealing, device-based age verification apps are not a pragmatic or easily-achievable policy response answer.

AVPA gives evidence to Utah Senate Business and Labor Committee

On Wednesday 14th February, we were invited to addres the Utah Senate Business and Labor Committee which is considering a revision to the State's existing laws designed to protect minors from the harms presented by the use of social media.  It was the longest hearing...

AVPA responses to Ireland’s Coimisiún na Meán

AVPA responses to Ireland’s Coimisiún na Meán

We responded to a consultation on the new Online Safety Code proposed by the Coimisiún na Meán, Ireland new online regulator. We shared our views that: The Coimisiún should be careful it does not imply that smaller sites are exempt from taking action to protect...