European Data Protection Board adopts statement on age assurance technologies

Published on 10 May 2025

The question

How is the European Data Protection Board (EDPB) proposing to address the benefits and risks of age assurance technologies?

The key takeaway

The EDPB’s statement provides organisations with important guidance on how to navigate protecting children online alongside the data privacy requirements imposed by the EU General Data Protection Regulation (EU GDPR). It does so by listing ten key principles that organisations that use this type of technology can use to inform their compliance programmes.

The background

Age assurance technologies are increasingly used by organisations that provide age-restricted content or services, to confirm that a user is above a certain age before access is provided. They often involve the processing of particularly sensitive personal data, such as biometric data, with the added risk factor that this data may be that of a child.

By publishing the statement, the EDPB aims to lay the foundation for a consistent approach to the regulation of age assurance technologies at the EU-wide level. While age assurance systems can protect children, they can themselves also pose privacy risks such as tracking, profiling and discrimination. Naturally, the collection of personal data by these technologies also needs to comply with key EU GDPR principles, including the principles of transparency (as the individuals will need to know exactly why and how their data is being processed) and data minimisation (as the organisation will need to collect no more data than is required to verify age).

The development

The statement addresses the use of age assurance technologies in a compliant way by setting out ten principles for organisations to consider, rather than requiring prescriptive actions (which may not be relevant to all organisations). The ten principles are as follows:

  1. The use of age assurance technologies must respect an individual’s rights and freedoms, including data protection, freedom of expression and non-discrimination.
  2. A service provider’s approach to age verification methods must be risk-based and proportionate, and a data protection impact assessment (DPIA) should be conducted before the technology is used.
  3. Age assurance should not lead to unnecessary further collection of personal data beyond that needed to verify age, and users should be provided with a viable alternative to prove their age.
  4. Service providers should only process age verification data that is strictly necessary for legal compliance. This data should not be repurposed, such as for targeted advertising.
  5. The system should be accessible, reliable and robust, and should not rely on self-declaration as this is dependent on the goodwill of the user.
  6. The organisation must have a lawful basis for processing the age verification data under the EU GDPR. The users must be given transparency information that is clear and easy to understand.
  7. Users must be able to challenge any errors in automated decision-making, and children should not be subjected to automated decisions unless it is necessary for their safety.
  8. Age verification systems must employ data protection by design and by default, such as by using privacy-friendly technologies and storing information locally on a user’s device where possible.
  9. Strong security measures should be used to protect personal data, such as encryption and pseudonymisation, and ideally data should be deleted as soon as the age assurance process is complete.
  10. Organisations must have clear compliance frameworks to demonstrate accountability in their processing of personal data through the use of age assurance technologies.

Importantly, the EDPB is working alongside the European Commission’s Digital Services Act Working Group on matters relating to age assurance, and so further guidance on this topic should be expected.

Why is this important?

For organisations that provide age-restricted content or services, the EDPB’s age assurance guidelines are crucial for legal compliance, child safety, data privacy and reputation management. While not legally binding in and of itself, the statement provides clear guidelines as to the EU’s regulatory thinking on this topic and the likely focus of enforcement action.

By adopting privacy-preserving, effective age verification in accordance with the statement, organisations can protect their business model, maintain advertiser trust, and enhance brand reputation, potentially turning compliance into a competitive advantage while safeguarding users and platform integrity.

Any practical tips?

If an organisation is using, or plans to use, age verification technologies, it should consider implementing non-intrusive, privacy-preserving methods to verify age without collecting unnecessary personal data. Avoiding unnecessary biometric tracking and excessive data storage will also help promote compliance with the EU GDPR.

In tandem with this, clear communication on how age verification works, what data is processed and users’ rights can help build users’ trust. Conducting a DPIA where personal data is processed in this higher risk context will also help to ensure platform integrity and compliance in this evolving area of regulation.

Spring 2025
