Publication of a statement on age assurance by the EDPB

Statement 1/2025 adopted on February 12, 2025

The protection of minors in the digital environment raises major regulatory challenges. In this context, the European Data Protection Board (“EDPB”) has issued a statement on age assurance methods with regard to personal data protection issues. This statement is part of a broader European regulatory framework including the GDPR, the Audiovisual Media Services Directive and the Digital Services Act (DSA). It is not binding and constitutes a general guidance document to help organizations better understand all the obligations imposed on them when implementing age assurance processes.

The EDPB starts from a simple observation: the protection of minors has become a European imperative, and age verification a preferred implementation tool. By way of example, the GDPR requires data controllers to respect a minimum age (between 13 and 16 depending on the Member State) for the validity of minors’ consent, and the DSA mentions age verification as a measure to combat children’s exposure to inappropriate or illegal content (for providers of very large online platforms and very large online search engines – Article 35(1)(j) of the DSA).

In France, this issue is particularly relevant, notably through the obligations imposed on digital service providers to verify the age of users accessing adult content (SREN law of May 21, 2024) and the introduction of mandatory parental control systems on certain terminals allowing internet access (law of March 2, 2022).

Age assurance involves collecting and processing potentially sensitive data (such as identity documents or biometric data) and implementing technologies that are sometimes intrusive (algorithmic analysis, facial recognition, etc.). For this reason, verification methods raise a number of personal data compliance issues, which the EDPB reviews in its statement.

1. Respect for fundamental rights and the best interests of the child

The EDPB recalls that the best interests of the child must be at the center of any age assurance process. This requirement derives in particular from the International Convention on the Rights of the Child and is reflected in various EU instruments. The Board refers in particular to the right to protection of personal data, but also to other fundamental rights such as protection against violence or other forms of exploitation, specifying that there should be no hierarchy between these different fundamental rights.

2. Risk-based approach and proportionality

Proportionality is at the heart of the EDPB’s approach. The decision to set up an age assurance mechanism must be based on the existence of an actual risk for children, such as exposure to harmful content (violent content, pornography, etc.).

The Board insists on the importance of carrying out a Data Protection Impact Assessment (DPIA) after noting that age assurance may present a high risk to the rights and freedoms of data subjects “in many cases.” The DPIA will guide the design and implementation of appropriate technical and organizational measures, in particular to ensure that the age assurance mechanism is strictly necessary and effective. The EDPB also suggests integrating the risk analysis mentioned in the previous paragraph into the DPIA.

3. Purpose limitation and data minimization

Directly related to the previous point, the EDPB emphasizes compliance with two fundamental principles of the GDPR: purpose limitation (Article 5(b) of the GDPR) and data minimization (Article 5(c) of the same text).

Purpose limitation: the need to verify a data subject’s age, whether imposed by law or decided by the data controller on the basis of the risks presented by its activity, must neither give rise to, nor be a pretext for new processing operations unrelated to this purpose. Data controllers must therefore put in place safeguards to prevent the risk of data being re-used in ways that are not compatible (and not anticipated by data subjects), for example, to determine the identity or precise geographical location of the data subject, or to monitor, evaluate or deduce personal aspects of his or her identity. These guarantees may take the form of organizational measures, such as internal policies or contractual obligations with third parties.

Data minimization: only data strictly necessary for age verification should be collected for this purpose. In many cases, the EDPB notes that the provider of an online service only needs to know whether or not the data subject has reached a certain age threshold (e.g. 18). The principle of data minimization should therefore lead these providers not to collect the exact age of the data subject, but only the information as to whether or not the age threshold has been reached. This could be achieved through the use of third-party verifiers, intermediaries between the data subject and the service provider (the third-party verifier has access to the data subject’s age but only transmits to the service provider the information relating to whether or not the age threshold has been reached).

The EDPB points out that these principles, along with the other fundamental principles of data protection, must be taken into account right from the design stage of age assurance methods (privacy by design), which must ensure the highest possible level of data protection by default (privacy by default). In its statement, the EDPB gives examples of existing technologies and architectures that ensure a high level of privacy (e.g. technologies enabling local processing of information or selective disclosure of identity-related information under the control of the data subject, the use of certain cryptographic protocols, etc.). The Board also stresses the need to regularly review the choices made, and to update them if necessary, in line with developments in the state of the art.

4. Effectiveness of age verification measures

The EDPB rightly points out that ensuring the effectiveness of the age verification measure is essential, since it is a prerequisite for satisfying the principles of necessity and proportionality of processing.

In this case, the effectiveness of the age verification measure will have to be assessed according to at least three criteria:

  • Accessibility: The procedure must be widely accessible to all, in compliance with accessibility regulation, and prevent the exclusion of certain categories of data subjects (e.g. people without an identity document, people affected by a disability) by offering relevant alternatives where necessary.

  • Reliability: The mechanism must offer a level of accuracy that complies with Article 5(d) of the GDPR and provide a means of redress for data subjects in the event of error – or in any case if the verification mechanism is part of a fully automated decision-making process within the meaning of Article 22 of the GDPR.

  • Robustness: The verification method must, as far as possible, be resistant to attempts to deceive or bypass the system.

5. Transparency, fairness and user information

Informing data subjects is one of the pillars of GDPR compliance. When it comes to age verification, the EDPB stresses the need to ensure that information is sufficiently accessible and clear, since in many cases the data subjects will include children.

The Board also points out that, where several age verification mechanisms are offered, the service provider must explain the impact of each method from a data protection point of view in a transparent manner.

6. Automated decision-making

According to the EDPB, which points out that the CJEU has recently adopted a broad conception of the notion of fully automated decision-making (notably via its SCHUFA ruling of December 7, 2023), age verification can result in such a decision being taken at various stages of the process, for example at the time of allowing access to content or through the methods deployed to prove age. Furthermore, this decision may sometimes produce legal effects or significantly affect the people concerned, depending on the type of service they wish to access (for example, it may prejudice their freedom of expression).

The controller must therefore comply with Article 22 of the GDPR in these cases, in particular by allowing the data subject to obtain human intervention, express his or her point of view or challenge the decision when the processing is necessary for the conclusion of a contract or is based on the data subject’s explicit consent.

7. Security

The EDPB stresses the importance of ensuring the security of age verification processing, in view of the specific risks that such processing may entail (particularly if verification is carried out by transmission of official identity documents, biometrics, etc.).

In this respect, the Board warns that, given the multiplication of legal age verification obligations, and therefore the multiplication of age assurance systems, data breaches are to be expected. The ability to detect and react to such breaches is therefore just as important as the ability to prevent them.

8. Responsibility and governance

The statement emphasizes the notion of accountability enshrined in the GDPR. To be able to prove their compliance, data controllers (as well as their processors) must adopt appropriate governance measures:

  • Precise mapping of age assurance processes (who collects what data, for what purpose?);

  • Clear internal policies describing the data life cycle (retention period, data transfers outside the EU, security mechanisms, etc.);

  • Regular audits to ensure technical and organizational compliance;

  • Traceability: document technological choices, justify data proportionality and minimization, etc.

* * *

Age verification is undeniably an essential lever for ensuring the safety of minors online, whether to restrict access to adult content or to tailor services to children’s abilities. However, as the EDPB statement of February 11, 2025 emphasizes, this objective must not be pursued at the expense of data protection and respect for privacy.

The EDPB statement provides a useful general framework for any organization setting up an age assurance system. In France, it will also be necessary to take into account the positions of the CNIL, which has been publishing on this subject for several years and, with regard to online age verification for pornographic sites, the technical reference document issued by the audiovisual and digital communication regulatory authority (ARCOM) in October 2024.