Inside the FTC’s Age Verification Workshop

The Federal Trade Commission recently convened stakeholders, including researchers, academics, industry representatives, consumer advocates, and government regulators, for a public workshop to discuss age verification, a concept implemented in regulations worldwide as a tool to advance online safety. 

The panelists discussed the importance of age verification, age verification and estimation tools, navigating the regulatory contours of age verification, how to deploy responsible age verification more widely, and the interplay between age verification technologies and the Children’s Online Privacy Protection Act (COPPA). Several themes emerged from the discussions, including the following:

• The importance of age verification that does not rely on user self-declaration. Discussion frequently touched on the difference between assurance—where users can self-declare their age—and verification, which requires some level of proof of user age, such as through scans of government IDs. Many panelists agreed that self-declaration by itself is not an effective mechanism for determining when children are using their services and advocated for adoption of standards or technologies that verify whether users are children. For example, Michael Murray, head of regulatory policy at the UK Information Commissioner’s Office (ICO), said that the ICO is looking for companies to transition away from reliance on self-declaration alone.
• The FTC’s role in promoting and facilitating age verification solutions. Panelists discussed how the FTC can promote age verification solutions, including whether it should issue rules, comment on particular age verification products and technologies, or require robust age verification from companies as appropriate in its settlements. Some panelists suggested the FTC should look to the model of Australia’s eSafety Commissioner’s role in facilitating an age assurance trial. In introductory remarks, FTC Chairman Andrew Ferguson expressed a desire for the FTC to facilitate the development and adoption of emerging technologies that expand protection of children by reducing the costs of protecting them.
• Who should be responsible for verifying age? Against the backdrop of a growing number of state laws that require app stores and developers to verify the age of users before they download apps (and legal challenges to these laws), panelists debated different approaches for when and by whom verification should occur—e.g., at the app store/operating system level, at the moment of access, or by the actual service or app operators—as well as whether there are benefits to having multiple levels of age verification. Some panelists advocated for a centralized approach, arguing that app store operators are best positioned to verify age and pass a signal to apps. Others argued for a risk-based approach without passing age signals to every app, leaving room for operators to pass signals to high-risk apps without, for example, passing age information to weather apps.
• Tailoring the level of assurance required to the risk involved. On a similar note, some panelists argued that the level of age assurance required should vary based on the nature of a service and the risk involved if children were to access it. This could reserve high-assurance methods, such as biometric scanning or submission of government identification, for services that could harm children, while allowing flexibility for innocuous or general-audience services to rely on lower levels of assurance that do not create unnecessary friction or require processing of sensitive information.
• Balancing the need for age verification with other legal concerns: security risks and mitigations. Panelists discussed other legal concerns that may be in tension with age verification, including the risk that collecting personal information for age verification can create a “honey pot” of data that is ripe for targeting by bad actors (one panelist stated this occurred in connection with age data collected in compliance with the UK Online Safety Act), a downstream risk of identity theft for kids, and conflict with privacy principles such as data minimization (which COPPA requires). Panelists discussed options to avoid or mitigate these risks, such as finding ways to determine a user’s age without revealing their identity, as well as measures such as double-blind verification (in which data cannot be linked back to a user) and immediate deletion of any personal data after the user’s age is established. 

What’s Next From the FTC

Chairman Ferguson stated that he “expect[s] the fruits of this workshop will inform a future FTC policy statement on age verification technology, as well as a possible amendment of our own COPPA rule that would promote the use of age verification technologies in compliance with COPPA.” Such a policy statement (which can be adopted by the Commission without notice and public comment) and potential amendments to the COPPA Rule (which would require notice and public comment) would likely establish the conditions under which companies subject to COPPA can use age verification technologies that collect personal information without risk of COPPA liability.