We have been reflecting further on the recent Joint Opinion by the European Data Protection Board and their Supervisor.
It is important to put these comments in their proper context. This is an opinion on a very specific issue (i.e. the European Commission’s proposals for combatting CSAM) in which the use of age verification / age inference is considered very briefly and in a vacuum. It will ultimately be for the European Parliament and the Council to decide the extent to which any comments from stakeholders, including the EDPB and EDPS, are reflected if at all in the revised proposal. This opinion will not prejudge any future guidance by the EDPB on age verification generally. It’s also worth noting that the EDPB guidelines on consent appear to take a broader view on the issue of age verification:
“Age verification should not lead to excessive data processing. The mechanism chosen to verify the age of a data subject should involve an assessment of the risk of the proposed processing. In some low-risk situations, it may be appropriate to require a new subscriber to a service to disclose their year of birth or to fill out a form stating they are (not) a minor. If doubts arise, the controller should review their age verification mechanisms in a given case and consider whether alternative checks are required”
We also understand that the EDPB is working on a set of guidelines on children’s data which will cover the topics of age verification and verification of parental consent. The draft version of these guidelines will be put out to public consultation next year. This will offer the opportunity to continue to make the case for age assurance and to raise the problems in relation to parental control mechanisms as a proposed alternative (not least of which is that most parents do not use them).