Age assurance

Age assurance

Age assurance is the broader family of methods used to obtain some confidence about a person’s age online. It includes self-declaration, age estimation from a face or behavior, inference from existing account data, and verification against an authoritative identity source.

The distinction matters because an age gate does not inherently require a person’s identity. A service may need only a threshold statement, such as whether the user is over 18. Collecting a name, exact birth date, identity-document image, or persistent identifier answers a much broader question than the access decision requires.

Methods trade different harms

Method Principal advantage Principal privacy or access risk
Self-declaration Minimal collection and friction Easily bypassed and often ineffective
Identity-document or electronic-identity check Strong evidence of legal age Can bind identity to sensitive browsing and create breach targets
Facial age estimation Does not require a named civil identity Processes biometric-like imagery, produces errors, and can discriminate
Account or behavioral inference Reuses existing signals Expands profiling and may silently repurpose unrelated data
Attribute credential Can reveal only a threshold result Privacy depends on unlinkability, issuer separation, and implementation
On-device or parental control Keeps decisions local Depends on device control, household capacity, and platform gatekeepers

No method removes the policy judgment about which content or function warrants an age boundary. Nor does it guarantee that a minor cannot use a VPN, borrow an adult’s device, or receive content through another channel.

Architecture matters more than the label

The privacy-preserving pattern is a three-party separation:

flowchart LR
  I[Identity or age source] -->|issues threshold credential| W[User-held wallet or device]
  W -->|presents unlinkable threshold proof| S[Online service]
  S -->|returns access decision| W

The source should not learn which service the person visits. The service should not receive identity or exact age. Proofs should not be reusable identifiers across visits or sites, and neither party should reconstruct the complete relationship through logs, collusion, or a breach.

EDPB Statement 1 2025 on age assurance therefore favors selective disclosure, user-held data, local processing, single-use credentials, and unlinkability. Assessing age assurance technologies adds that these properties need testable protocol requirements and independent audit, not only privacy-policy promises.

The residual privacy problem

An anonymous age proof is not anonymous browsing. The service can still see its own account, cookies, Internet Protocol address, browser fingerprint, and request history. The device platform or network may retain other metadata. Age assurance can avoid adding a civil identity to that picture, but it does not erase the picture already available.

The EU case is analyzed in EU age verification and Internet privacy.

Unlinkability trades off against account uniqueness

If repeated proofs contain no stable value, one adult can verify two accounts at the same service without the credential itself revealing the common identity. A service that requires one-person-one-account enforcement instead needs controlled within-service linkability, such as a domain-specific pseudonym or nullifier.

Age-proof unlinkability and account uniqueness separates cross-service unlinkability, cross-session unlinkability, and account uniqueness.

Sources

  1. edpb.europa.eu
  2. arxiv.org