The European Data Protection Board (EDPB) has adopted at its plenary meeting an Opinion on age determination (Statement 1/2025 on Age Assurance)for the use of online services that require a minimum age to access them.These guidelines have been promoted by the Spanish Data Protection Agency (AEPD)within the framework of its actions for the effective protection of children and adolescents on the Internet, maintaining the rights and freedoms of all citizens, both adults and minors.
In March 2024, the EDPB approved the mandate requested by the Agency to define guidelines on age verification. This marked the beginning of an intensive work led by the AEPD in a team made up of different data protection authorities (Ireland, France, Germany and Spain) that culminated in its unanimous approval.
This Opinion provides guidance arising from the General Data Protection Regulation (GDPR) that takes into account the implications and consequences of using age proof tools and systems in the processing of personal data, including practical examples. The guidelines focus on access to online services, including those cases where the law establishes a minimum age for purchasing products, using services or performing acts, as well as where there is a duty of care to protect children and adolescents.
This opinion facilitates the development of a more consistent approach in the EU to the protection of minors in relation to access to online services in treatments where the age of access must be guaranteed, based on the application of the principles of data protection by design and by default. It is an essential instrument for those involved in the Internet ecosystem, and for national and European authorities with competence in the digital field , to have the necessary information regarding the most appropriate strategies for proving age. In addition, it will have a positive influence in promoting truly effective solutions for the comprehensive protection of minors, such as that of aSecure Internet by Default andsafe from exposure toaddictive patterns.
The work carried out in the preparation of this Opinion is based on the framework of the AEPD initiatives for the protection of minors in the digital environment. In particular, it is derived directly from theDecalogue of Principles of Age Verification and Systems of Protection of Minors from Inappropriate Contentpresented by the AEPD in December 2023, together with practical proofs of concept.
Principles included in the Opinion
The ruling develops ten principles that establish that age determination tools cannot be understood in isolation, but rather within the framework of the protection of the rights and freedoms of individuals. Thus, the determination that the restrictions are complied with must imply an increase in these rights, in this case the protection of the rights of children and adolescents on the Internet, without this implying a reduction in other rights of the same minors and of the general public.
The principles develop requirements on risk prevention, limitation and minimisation, insisting in particular that age verification should not provide resources for internet services to identify, locate, profile or follow the digital activity of individuals. They emphasise the need to use effective tools with a broad vision, for example, that do not involve limiting the right to access the internet, the obligation of legality, loyalty and transparency, that do not involve subjecting individuals to automated decisions without the guarantees of the GDPR and the application of the principle of data protection by design and by default.
Finally, the principles highlight the impact that data breaches could have on the use of such tools, with an obligation to apply data minimization principles in addition to security measures, and establishing that any tool, in such a complex environment, must implement governance methods in the Internet ecosystem that demonstrate regulatory compliance.