Regulations, it turns out, are highly irregular, particularly when it comes to age assurance. In a recent webinar hosted by market intelligence firm Liminal, a panel of experts explores how the regulatory landscape is shifting and what businesses need to do in order to stay on top of developments on both the regulation and the solution side.
First off, traditional KYC methods are kaput. “Age assurance is quickly becoming the new frontier in protecting sensitive content, and companies that don’t adapt risk falling behind,” says a summary of the event. “Staying ahead of these changes is crucial to maintaining compliance and trust while avoiding costly fines and reputational damage.”
The discussion features panelists Michael Murray, head of regulatory policy for the Information Commissioner’s Office (ICO); Vaisnavi J, founder of Vyanams Strategies, an online youth safety consultancy; and Ajay Patel, Head of World for Tools for Humanity (TFH), joining Liminal’s Chief Innovation Officer Filip Verley.
Cycle of innovation and regulation
“The age assurance market is growing a lot,” Verley says by way of introduction. While it is still early days for the industry, age assurance regulations have been sprouting up across the globe at an increasing pace. What key factors are accelerating growth in the age assurance market, and how can companies position themselves to take advantage?
According to Vaisnavi J, a lot of people still have assumptions about age assurance technology that’s “rooted in its state maybe five or ten years ago.” Newer tech, she says, has nudged governments to become more active on regulation, including on age assurance measures. All of this means the market for age verification tools is heating up, but also that it is more complicated than ever to navigate the regulatory web.
‘Everything changes so quickly. One size doesn’t fit all’
According to Michael Murray, keeping up with what’s state-of-the-art and what’s effective, unbiased and private, can be a challenge in itself. While facial age estimation has come a long way in replacing traditional ID checks, innovation keeps moving the goalposts. Data analysis from the National Institute of Standards and Technology (NIST) shows the effectiveness of age assurance tech on an upward rise. “And we have now, for example, hand movements being looked at as a highly effective way of doing age assurance,” Murray says. “We’re challenged as a regulator regularly about what’s good enough.
TFH’s Patel speaks to the burden of the end consumer. “How do we make sure we are compliant, but it’s still an experience the user can understand? Finding that balance – how do we enable private, simple, secure experience so that the cost meets the benefit, while meeting compliance to keep kids safe.” ID-only approaches, he says, are exclusive to many, and data minimization practices are essential but difficult to execute well.
Murray argues that systems shouldn’t be putting a lot of the pressure on parents or on the children they are trying to protect. “A lot of this comes down to making sure the companies themselves are putting in place systems that will protect the children’s best interest. It’s their responsibility to make sure their services are meeting the minimum standards.”
How to compete in an increasingly crowded age assurance market
Vaishnavi J. says the ability to move quickly is essential to market entry, and that connecting with other companies in age assurance also brings value in understanding the age verification sector. But, when parents can hardly keep up with the threats and defenses for their kids online, the greatest advantage might be clear communication.
“If you are a platform that can proactively communicate to their users to keep their children safe online, that’s incredibly valuable for building trust with the platform.” Letting parents deal with the issue on their own doesn’t fly. “It actually builds more mistrust with them if you tell them, ‘here are tools for you to manage your child’s experience.’ We cannot keep outsourcing this responsibility to parents.”
Sector lacks education on specific laws and regulations to follow
Verley says there’s a big education gap that needs to be filled. “Practitioners are very confused about what regulation they should follow.” In other words, firms literally don’t know which laws apply to them.
Not every company has Google’s team of lawyers to sort it out. Patel points to online resources as a low cost option. “There has to be more self-service, consumable content out there.” But in the end, a legal assessment is necessary. “Putting a framework together where services can get an assessment done in a way that scales or is cost effective is probably something that’s missing,” he says.
Regulators rolling out recommendations, resources on age assurance
Murray notes that Ofcom is preparing to publish its guidance on highly effective age assurance that can be used for porn sites, which will go into effect in January 2025 – sooner than expected. It will follow with more use cases later in the year. He says “most of the regulators are in this process of updating their guidance” on age assurance and adding requirements. The GDPR, for instance, puts responsibility for ensuring adequate age assurance on the service. More legislation is making proven methods a necessity.
Meanwhile, NIST evaluations show just how accurate age assurance has gotten. And Murray points to euConsent, the IEEE, and upcoming ISO standards as additional support for organizations looking to stay current and compliant.
In comments on the Ofcom decision to speed up age checks for porn, Iain Corby, director the Age Verification Provider’s Association (AVPA), urges Ofcom to “enforce these laws rigorously from the day they come into force.”
“We have seen the adult industry fight age verification in French, German and US courts, so there is no reason to believe they will voluntarily comply with a new UK law. What will improve compliance is if Ofcom establishes a level playing field by taking action against sites of all sizes right from the start.”
As fraud risk grows, firms need to prioritize fraud detection
Deepfakes and other sophisticated types of identity fraud have already learned to take advantage of this developing ecosystem. Providers, says Vaishnavi J, need to stand up account fraud monitoring and mitigation teams; those that don’t have a strategy around fraud detection, “tend to be very low on the list” for customers. It’s key to maintain diversity and interconnectedness in verification, machine learning and other identity technology, and helpful to engage with NIST’s evaluations, which have become a common industry reference.
Third parties also bear some of the load in the trust architecture. Who can be trusted to handle sensitive personal identity information and conduct effective age checks? Solid data sets are important, and vendors should follow compliance rules that apply to their clients, says Patel. “The trust aspect is super important. Doing things with zero knowledge and high assurance is really where the world needs to go.”
That, says Murray, is what certification programs are for. He notes the ICO’s Age Check Certification Scheme as a program that can help businesses find trusted age verification vendors whose products have been tested against standards.
Age assurance providers tell the world, we’re here to help
In the end, the focus needs to be on the most important people: parents and their children. “As we think about what’s the right form of age assurance, we shouldn’t lose the urgency around the need to understand how old people are. Just because there isn’t consensus on the right form of age assurance, doesn’t mean you shouldn’t do it in some way.”
And indeed, organizations are doing it. Age assurance is being increasingly deployed in both regulated and unregulated industries, use cases are growing, and legal frameworks are on the way. Perhaps the biggest hurdle, says Vaishnav J, is getting users to trust that age assurance is designed to keep their kids safe and their data private.
“We have to steer folks gently to realizing that this isn’t a data collection exercise. This is a data minimization exercise.”
Article Topics
age verification | biometrics | digital identity | Information Commissioner’s Office (ICO) | Liminal | regulation | Tools for Humanity
