EDPB Statement 1 2025 on age assurance

EDPB Statement 1 2025 on age assurance

The EDPB adopted this statement on 12 February 2025 to specify how GDPR principles apply when services estimate, infer, or verify a person’s age.

The preserved statement does not reject age assurance in all cases. It requires a demonstrably necessary, proportionate, and effective method for the particular risk. Checking every user across harmless content would fail that test, and high-risk deployments will often require a DPIA.

Its central privacy rule is functional separation. An age check should not give a service or intermediary new means to identify, locate, profile, or track a person. In most cases the service needs only a threshold result, not a name, exact birth date, identity document, or persistent identifier.

The statement favors user-held data, secure local processing, selective disclosure, unlinkability even under collusion or breach, single-use credentials issued in batches, and zero-knowledge proofs where privacy risk is high. It also requires viable alternatives, accessibility, transparency, redress for incorrect decisions, and regular evaluation of accuracy and discrimination.

This makes the statement a useful test for Age assurance and national implementations of EU age verification and Internet privacy. It states the desired properties, but compliance still depends on implementation and enforcement.

Sources

  1. edpb.europa.eu