Age assurance
Age assurance is the broader family of methods used to obtain some confidence about a person’s age online. It includes self-declaration, age estimation from a face or behavior, inference from existing account data, and verification against an authoritative identity source.
The distinction matters because an age gate does not inherently require a person’s identity. A service may need only a threshold statement, such as whether the user is over 18. Collecting a name, exact birth date, identity-document image, or persistent identifier answers a much broader question than the access decision requires.
Methods trade different harms
| Method | Principal advantage | Principal privacy or access risk |
|---|---|---|
| Self-declaration | Minimal collection and friction | Easily bypassed and often ineffective |
| Identity-document or electronic-identity check | Strong evidence of legal age | Can bind identity to sensitive browsing and create breach targets |
| Facial age estimation | Does not require a named civil identity | Processes biometric-like imagery, produces errors, and can discriminate |
| Account or behavioral inference | Reuses existing signals | Expands profiling and may silently repurpose unrelated data |
| Attribute credential | Can reveal only a threshold result | Privacy depends on unlinkability, issuer separation, and implementation |
| On-device or parental control | Keeps decisions local | Depends on device control, household capacity, and platform gatekeepers |
No method removes the policy judgment about which content or function warrants an age boundary. Nor does it guarantee that a minor cannot use a VPN, borrow an adult’s device, or receive content through another channel.
Architecture matters more than the label
The privacy-preserving pattern is a three-party separation:
flowchart LR I[Identity or age source] -->|issues threshold credential| W[User-held wallet or device] W -->|presents unlinkable threshold proof| S[Online service] S -->|returns access decision| W
The source should not learn which service the person visits. The service should not receive identity or exact age. Proofs should not be reusable identifiers across visits or sites, and neither party should reconstruct the complete relationship through logs, collusion, or a breach.
EDPB Statement 1 2025 on age assurance therefore favors selective disclosure, user-held data, local processing, single-use credentials, and unlinkability. Assessing age assurance technologies adds that these properties need testable protocol requirements and independent audit, not only privacy-policy promises.
The residual privacy problem
An anonymous age proof is not anonymous browsing. The service can still see its own account, cookies, Internet Protocol address, browser fingerprint, and request history. The device platform or network may retain other metadata. Age assurance can avoid adding a civil identity to that picture, but it does not erase the picture already available.
The EU case is analyzed in EU age verification and Internet privacy.
Unlinkability trades off against account uniqueness
If repeated proofs contain no stable value, one adult can verify two accounts at the same service without the credential itself revealing the common identity. A service that requires one-person-one-account enforcement instead needs controlled within-service linkability, such as a domain-specific pseudonym or nullifier.
Age-proof unlinkability and account uniqueness separates cross-service unlinkability, cross-session unlinkability, and account uniqueness.