EDPB Statement 1 2025 on age assurance
The EDPB adopted this statement on 12 February 2025 to specify how GDPR principles apply when services estimate, infer, or verify a person’s age.
The preserved statement does not reject age assurance in all cases. It requires a demonstrably necessary, proportionate, and effective method for the particular risk. Checking every user across harmless content would fail that test, and high-risk deployments will often require a DPIA.
Its central privacy rule is functional separation. An age check should not give a service or intermediary new means to identify, locate, profile, or track a person. In most cases the service needs only a threshold result, not a name, exact birth date, identity document, or persistent identifier.
The statement favors user-held data, secure local processing, selective disclosure, unlinkability even under collusion or breach, single-use credentials issued in batches, and zero-knowledge proofs where privacy risk is high. It also requires viable alternatives, accessibility, transparency, redress for incorrect decisions, and regular evaluation of accuracy and discrimination.
This makes the statement a useful test for Age assurance and national implementations of EU age verification and Internet privacy. It states the desired properties, but compliance still depends on implementation and enforcement.