European data regulator details new age verification rules for digital services
EDPB outlines GDPR-compliant principles for verifying age online, focusing on data protection and children's privacy.
![Simple infographic showing interconnection between GDPR compliance, data protection, and age verification requirements.](/content/images/size/w2000/2025/02/Age-Verification.webp)
According to the European Data Protection Board's (EDPB) Statement 1/2025, adopted on February 11, 2025, organizations must follow strict data protection principles when implementing age verification systems for digital services. The statement, announced just one day ago, establishes a comprehensive framework for protecting personal data while determining users' ages online.
The statement emerges from an increasing focus on protecting children in the digital environment across multiple European regulations. According to the document, these include the Audiovisual Media Services Directive, the General Data Protection Regulation (GDPR), and the Digital Services Act, which have established various requirements for age verification and children's data protection.
The EDPB defines age assurance as "the umbrella term for the methods that are used to determine the age or age range of an individual to varying levels of confidence or certainty." The statement identifies three primary categories: age estimation, age verification, and self-declaration.
EDPB Chair Anu Talus emphasized the critical balance required in this approach, stating: "Age assurance is essential to ensure that children do not access content that is not appropriate for their age. At the same time, the method to verify age must be the least intrusive possible and the personal data of children must be protected."
The statement outlines ten fundamental principles for implementing age assurance systems. Service providers must conduct risk-based assessments to demonstrate the necessity and proportionality of their chosen age verification methods. The framework requires organizations to implement the least intrusive measures available while maintaining effectiveness.
A key technical requirement in the document is that age assurance systems should not enable additional tracking or profiling of users. According to the EDPB, organizations must implement effective measures to prevent the process from causing unnecessary data protection risks, such as identifying, locating, or tracking natural persons.
The statement emphasizes the importance of data minimization, stating that service providers should only process age-related attributes strictly necessary for their specified, explicit, and legitimate purpose. For instance, in many cases, knowing whether a user is above or below a certain age threshold suffices, without requiring additional personal information.
Security measures receive particular attention in the framework. The EDPB acknowledges that the nature, sensitivity, and volume of personal data involved in age assurance highlight potential risks of data breaches. The statement recommends implementing trust models, pseudonymization, encryption, and short retention periods to mitigate these risks.
The framework addresses automated decision-making in age verification systems, requiring appropriate safeguards for users' rights and freedoms. According to the document, service providers must provide remedies and redress mechanisms for cases where age-related attributes are not properly established.
The EDPB emphasizes accountability requirements, mandating that service providers implement governance methods demonstrating compliance with data protection regulations. This includes maintaining documentation of processes, conducting regular assessments, and ensuring transparency about operations and decision-making.
The statement specifically addresses technological considerations, recommending that organizations consider current progress in privacy-enhancing technologies when implementing age assurance systems. The EDPB suggests using approaches favoring user-held data and secure local processing, allowing properties such as unlinkability and selective disclosure of personal data.
The framework coincides with broader European initiatives on digital safety. The EDPB indicates it is cooperating with the European Commission on age verification in the context of the Digital Services Act working group, suggesting a coordinated approach to implementing these requirements across different regulatory frameworks.
This comprehensive framework represents a significant development in the regulation of digital services, establishing clear guidelines for protecting personal data while implementing necessary age verification measures. The principles aim to ensure that children's safety online does not come at the expense of privacy rights and data protection standards.