Assessing whether and how to use age assurance – Guidance for websites and online services

Notice

The Office of the Privacy Commissioner of Canada is accepting comments on this document until August 4, 2026, at which time we will evaluate whether any amendments are required. Should changes be made at that time, the document will be updated and a link to a summary of any edits will be included. Comments can be sent by email to cpvp-opcconsultation1@priv.gc.ca.

Summary: Assessing whether and how to use age assurance

1. Determine whether there is a need for age assurance

Where an organization intends to prevent access to content or a service, it should be able to:

  • Demonstrate that there is a legal requirement to do so; or,
  • Demonstrate that there is a potential harm specific to children that warrants differentiating users by age.

Where an organization intends to accommodate users who are children by adjusting their personal information practices for those users, it should:

  • Determine whether its personal information practices pose a potential harm;
  • Determine whether a non-trivial number of children are likely to access the site or service; and,
  • Consider alternative approaches to addressing potential harms.

2. Determine the nature of age assurance to be used.

Organizations must consider:

  • The extent and sensitivity of personal information collected by the age assurance method, ensuring that it is proportional to the risk being addressed; and,
  • Whether the application of age assurance can be limited, for instance by segregating age-restricted content or setting certain data practices to be off-by-default.

3. Use age assurance in a privacy-protective way.

Organizations must:

  • Meet all legislative obligations;
  • Select an age assurance system that is designed in a privacy-protective manner;
  • Provide individuals with options and appeal mechanisms; and,
  • Where possible, limit the number of times an individual must undergo the age assurance process.

Organizations must not:

  • Use age assurance results for any other purpose;
  • Attempt to use age assurance to connect visits by the same individual.

1. Introduction

There is a growing body of evidence that being subject to certain personal information practices, or exposed to certain online content, can be harmful to children. To ensure that their website or online service is safe for children, operators should be able to establish that one of the following conditions is met:

  • The website or online service is likely to be accessed only by a trivial number of children;
  • Access to the website or online service is not likely to pose a potential harm to children [Footnote 1]; or,
  • Appropriate measures are taken to mitigate the potential harms to children.

Age assurance [Footnote 2] can be a legitimate approach to this harm mitigation. However, the use of age assurance can also have negative impacts, particularly if privacy is not protected from the outset. Without appropriate caution and design choices, potential impacts include personal information that is used for age assurance being breached, individuals’ online activities being profiled or tracked, or equity-deserving populations facing disproportionate data collection to access content or services. The use of age assurance also risks having secondary impacts, such as reducing individuals’ willingness to use a service or access content even if they would not be subject to an age-based restriction.

Age assurance should not be the default condition for accessing the Internet. It should be one of multiple approaches to the protection of children online and used in a risk-based manner, proportionate to the potential harm being addressed.

This document is for the operators of websites and online services (“relying parties”) seeking to determine whether their organization is required to use age assurance to support the creation of more age-appropriate experiences for youth online and, if so, how to apply age assurance in a privacy-protective manner. It is complemented by Designing age assurance to be privacy-protective [Footnote 3], which considers the operation of these systems. Relying parties should also be familiar with that document, as ensuring that selected age assurance providers adhere to it is part of the expectations for a relying party.

This document is not an exhaustive description of all related obligations under Canada’s privacy laws; for more information about compliance requirements, please visit priv.gc.ca.

2. Determining whether age assurance may be required

Determining whether age assurance may be required is equivalent to determining whether there is a legitimate need to differentiate between users based on age. There are two situations in which this may be the case: (i) where individuals must be prevented from accessing some or all of a website or online service, and (ii) where a website or online service needs to be adjusted to accommodate users based on age. These are not mutually exclusive; many sites that host content to which some users’ access must be prevented will also host non-restricted content. As such, organizations should consider whether they fall into either or both categories.

2.1. Preventing access based on age

The fundamental nature of a website or online service, or the content that it hosts, may mean that access to some or all of the site by individuals under a given age must be prevented. This might include sites that host pornographic content, facilitate gambling, or sell products that are subject to age restrictions. Such restrictions may be due to a legal requirement to prevent access, or a determination by the organization that a potential harm is likely to occur if the website or service is accessed by children. The latter category would include, for instance, online dating services where matching or allowing contact between children and adults would be harmful.

In either scenario, organizations must take steps to assess whether a reasonable person would consider the collection and use of personal information for age assurance to be appropriate under the circumstances. [Footnote 4] These include:

  • Where there is a legal requirement to prevent children from accessing some or all content, the organization should be able to demonstrate:
    • The specific requirement that age assurance will help the organization meet, and why it is subject to it; and,
    • That age assurance is required by the legislation, or that reasonable alternatives to age assurance (if available) were considered and assessed as not being suitable.
  • Where the organization has determined that a potential harm is likely to occur if children access some or all content, it should be able to demonstrate:
    • The potential harm that is being addressed, and why the particular impact of this potential harm on children warrants differentiation of users by age; and,
    • Whether there is a reasonable likelihood that a non-trivial number of children would be impacted by that potential harm (as explained in section 2.2.2).

Where an organization seeks to block children’s access due to potential harm caused by its personal information practices, the organization should also clearly document why those practices are inherent to the nature of the site or the service being provided (that is, they cannot be adjusted to accommodate children’s access). This will be of particular importance where a child would be harmed by lack of access to the site – such as losing access to important community or informational resources, for example.

2.2. Adjusting practices to accommodate users based on age

In some situations, it is the design decisions made by the organization itself – such as the application of a particular algorithm, or the extent or nature of collection and use of personal information – that are the cause of potential harm.

In such instances, organizations should determine: (i) whether the personal information practices associated with a website or online service pose a potential harm to children; (ii) if so, whether a non-trivial number of children are likely to access the website or service; and (iii) if so, whether the potential harm could reasonably be addressed without the use of age assurance.

The order of steps 1 and 2 is interchangeable; for instance, it would be acceptable for an organization to forgo an analysis of the potential harm to children if it first establishes that only a trivial number of children are likely to access the website or service.

2.2.1. Determining whether personal information practices pose a potential harm

As a first step towards determining whether the use of age assurance is required to accommodate children, organizations operating websites and online services must determine whether their personal information practices pose potential harm.

Not all collections and uses of personal information related to children pose potential harm. Many standard online practices are unlikely to meet this threshold, such as:

  • Using first-party cookies or other methods to collect analytics data about site use;
  • Allowing a user to submit an email address to receive a newsletter;
  • Allowing a user to save preferences by creating an account on a service.

These practices would generally not require differentiation between users based on age, and thus age assurance would not be necessary.

However, other personal information practices create a potential harm specific to children and would thus require a site’s practices to be adjusted – either for all users, or where the operator of a website or service reasonably believes that a user is a child. These include:

  • Services that allow unrestricted private contacts between users, creating the potential for a child to be exploited by an adult user;
  • Services that create detailed profiles of users, which are sold or used to create exploitative or age-inappropriate advertising;
  • Services that encourage users to divulge sensitive personal information about themselves.

There is an emerging body of work on how potential harms to children can be identified. Useful tools and resources to assist organizations include the Child Rights Impact Assessment [Footnote 5], the United Nations’s Convention on the Rights of the Child [Footnote 6] (and associated General comment 25 on children’s rights in the digital environment [Footnote 7]) and documents such as the Canadian Federal, Provincial and Territorial (FPT) Privacy Commissioners and Ombuds with Responsibility for Privacy Oversights’ resolution Putting best interests of young people at the forefront of privacy and access to personal information (FPT Resolution on best interests of the child). [Footnote 8]

The evaluation of potential harms should be proportionate to the nature and extent of collection and use of personal information. For example, where an organization generally does not seek to collect or use information about its users (or, for example, collects only pseudonymized usage information), a cursory consideration will likely suffice. Where collection is extensive, or includes sensitive information, a more thorough examination of potential harms should be conducted.

2.2.2. Determining whether a non-trivial number of children are likely to access the site or service

The second consideration for whether age assurance might be required to address a potential harm to children is whether a non-trivial proportion of an organization’s users are children.

This evaluation requires that an organization understand high-level audience metrics, determined by analysis of the design, nature and content of the site or service. It does not require organizations to collect age-related information from all users to determine precise age demographics.

Relevant factors [Footnote 9] that should be considered in an analysis of audience metrics include:

  • Any available research evidence that an organization has undertaken about its user base, or about user behaviours that indicates the presence of children.
  • Indication that third-party advertisers place ads directed at children on an organization’s website.
  • The presence of content, design features or activities that are appealing to children.
  • Whether children are known to access similar websites and services.

An unenforced statement in a privacy policy (or similar document) that individuals under a given age are not intended or permitted to use the site or service would not be a meaningful factor in establishing the actual age demographics of users.

Where an organization has determined that only a trivial number of its users are likely to be children, the use of age assurance for the purpose of keeping children from potentially harmful personal information practices would not be reasonable in light of the privacy interest in limiting collection. Therefore, in such a situation it should not be used.

2.2.3. Alternative approaches to addressing potential harms

Once an organization has determined that its website or service is likely to be accessed by children and poses potential harm to them, it should consider whether there are reasonable risk mitigation approaches other than age assurance that could address the potential harm.

For example, behavioural advertising that relies on a detailed profile of individuals poses a potential harm to children. [Footnote 10] Rather than addressing this by applying age assurance to all users from the outset, an organization should instead consider:

  • Prohibiting (or only using ad services that prohibit) the use of any inference that a user is, or may be, a child for the purpose of behavioural advertising;
  • Discontinuing behavioural advertising if it becomes aware that the user is a child (for instance, automatically opting out any user who indicates that they are a child during an account creation phase or whose device sends a signal indicating that the user is a child); and,
  • Making appropriate opt-out controls readily available.

Where reasonable, less privacy-invasive measures would prove sufficient to prevent potential harm to children, organizations should consider their adoption.

Similarly, organizations should consider whether a potential harm is specific to children or if it would impact all users – and if the latter, whether the protection(s) that would be applied for children should be applied broadly, removing the need to differentiate between users.

3. Determining the nature of age assurance

If an organization has determined that children would face potential harm should they visit a website or service without restriction, that a non-trivial number of children are likely to do so, and that alternative approaches to mitigating this potential harm are not reasonable, age assurance may be a required or appropriate option. The organization must then consider (i) what form of age assurance is appropriate to use, and (ii) when age assurance should be applied.

3.1. Form of age assurance

Age assurance must always be implemented in a risk-based and proportionate way to reduce the potential harm to users, and particularly children. [Footnote 11] This means that, to avoid disproportionate impacts, individuals should not be required to provide more, or more sensitive, personal information than is necessary to adequately address the identified risk(s).

Necessity will be determined by the required level of effectiveness for the age assurance process. For instance, where an organization is using age assurance to address a legal requirement to prevent children from accessing content or a service, or where the potential harm it has identified would have a significant impact on a child, ensuring a high level of effectiveness is warranted. This means that it may be appropriate to use age estimation based on biometric information, or age verification that requires provision of a government ID, so long as in either case, the method is implemented in a privacy-protective manner.

Where the organization has identified a potential risk to children that it has determined would not be significant (but is more than trivial), age assurance may still be appropriate. However, to ensure proportionality, the organization should select an age assurance method that minimizes the additional collection of personal information about users, even if it means less certainty that children will not be exposed to the potential harm.

Organizations should regularly revisit their choice of age assurance method to determine whether developments in the field would allow for the necessary effectiveness to be achieved in a more privacy-protective manner. For instance, rather than requesting users to undergo an age assurance process specific to a given site or service, it would be preferable for the organization to accept a credential from a digital wallet or a signal from a browser or device, should those become both trusted and commonplace for Canadian Internet users.

Organizations are accountable for demonstrating that their approach to age assurance is privacy preserving, effective, and proportionate. [Footnote 12]

3.2. The extent of age assurance

Collecting and using personal information for the purpose of age assurance should only be done when necessary. This means that users should generally only be required [Footnote 13] to establish that they are of age at the moment when they must be differentiated by age to prevent a potential harm to a child.

Organizations should, for example:

  • Segregate or detect and flag age-restricted content such that an individual will only be subject to an age determination when they attempt to access age-restricted content;
  • Use an “off-by-default” approach, in which features or data practices which may be harmful to children are only activated should an individual establish that they are above a given age.
    • Notably, this latter approach supports the principle that individuals should be required to prove that they are above a given age (and thus can access content or features that may be harmful) and not that they are below it (and thus require additional protections). [Footnote 14]

Where a website or online service contains a mix of both age-restricted and non-restricted content or features, the organization’s goal should be to provide the greatest possible access to the latter without an age assurance verification.

4. Using Age Assurance in a Privacy-Protective Manner

Once an organization has determined that it should, or is required to, use age assurance and has considered how and when it will be applied, it must ensure that its use of age assurance is privacy-protective.

As discussed in Designing age assurance to be privacy-protective [Footnote 15], there are many privacy-protective measures that should be designed directly into age assurance systems. Other measures should also be applied by organizations operating websites or online services which use age assurance. These include:

  • Using the age assurance result only for that purpose: Age assurance providers are not permitted to retain, disclose, or use information collected for age assurance for other purposes. The organization receiving the age assurance result [Footnote 16] (the “relying party”) is also not permitted to do so. For example, while a relying party can use the information received from an age assurance provider to grant access or direct a user to a more age-appropriate version, it must not use that information as part of an advertising profile for the individual. This information should also be destroyed as soon as possible, particularly in cases where any information beyond the simple “yes/no” indication of age is generated.
  • Make no attempt to use age assurance to correlate visits: Age assurance systems should be designed in a way that relying parties are not able to use age assurance results to correlate multiple visits by the same user. Where an age assurance system does not prevent this, however, the relying party must itself not attempt to make such correlations.
  • Provide individuals with appeal mechanisms: Where an individual has been denied access to content or a service based on the results of an age assurance system, an appeal mechanism must be available to them. This mechanism must also be privacy-protective.
  • Provide users with options: Individuals are likely to have preferences with respect to the type of personal information they would rather use as part of an age assurance process – for instance, preferring to provide an age credential rather than undergoing age estimation, or vice versa. Where possible, organizations should seek to provide individuals the option to select between multiple effective, privacy-protective age assurance mechanisms.
  • Limit authentications: Where possible, relying parties should use age assurance systems that allow the individual to undergo the authentication phase as infrequently as possible. This could mean, for instance, associating an age signal with a user’s account, or accepting a reusable digital credential. In higher risk scenarios, however, a relying party could periodically re-confirm that a previously received age signal remains valid.
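
The following is an added sketch, not code from this guidance or from any age assurance provider, of how a relying party could combine the off-by-default approach in section 3.2 with the purpose-limitation, no-correlation and limited-authentication measures listed above. The provider response fields, the path prefix, the re-confirmation interval and all function names are assumptions constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed provider response; the field names are assumptions, not a real API.
SAMPLE_PROVIDER_RESULT = {
    "over_threshold": True,
    "estimated_age": 34,
    "method": "facial_estimation",
    "provider_subject_id": "subj-constructed-0001",
}

RESTRICTED_PREFIXES = ("/restricted/",)  # segregated age-restricted content
SIGNAL_TTL_SECONDS = 30 * 24 * 3600      # hypothetical re-confirmation interval


@dataclass
class Session:
    """Relying-party session state. Age-gated features start switched off."""
    # Random per session, never derived from anything the provider returned.
    session_id: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    age_confirmed: bool = False
    age_confirmed_until: float = 0.0
    private_messaging: bool = False      # off by default


def record_age_result(session, provider_result, now=None):
    """Keep only the yes/no signal and its expiry, then destroy the rest."""
    now = time.time() if now is None else now
    passed = provider_result.get("over_threshold") is True
    session.age_confirmed = passed
    session.age_confirmed_until = now + SIGNAL_TTL_SECONDS if passed else 0.0
    # Estimated age, method and provider identifier are dropped here so they
    # cannot reach logs, advertising profiles or cross-visit correlation.
    provider_result.clear()
    return passed


def _signal_valid(session, now):
    return session.age_confirmed and now < session.age_confirmed_until


def needs_age_check(session, path, now=None):
    """Challenge only when restricted content is requested without a valid signal."""
    now = time.time() if now is None else now
    if not path.startswith(RESTRICTED_PREFIXES):
        return False                     # non-restricted content is never gated
    return not _signal_valid(session, now)


def enable_private_messaging(session, now=None):
    """Activate an off-by-default feature only for users established as of age."""
    now = time.time() if now is None else now
    session.private_messaging = _signal_valid(session, now)
    return session.private_messaging
```

Because the session holds only a boolean and an expiry, a user is re-challenged only after the stored signal lapses, and nothing retained can link this session to another visit.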

An organization must have an appropriate process to ensure that any age assurance system being used is privacy-protective. Where the organization is implementing age assurance on its own, the measures set out in Designing age assurance to be privacy-protective [Footnote 17] will be applicable to the organization. Where the organization is contracting a third party, as part of the procurement process, the organization should have the ability to assess the age assurance process being contracted to ensure that it meets all privacy requirements.
