IAPP Panel: More Privacy Input Needed in Fragmented Age-Assurance Push
The age-assurance landscape is shifting so quickly that it feels like "building the plane while flying it," IAPP Vice President Caitlin Fennessy said Wednesday during an IAPP webinar. With new laws, technologies and approaches cropping up globally, the privacy community must become more engaged in age-assurance activities and decisions, speakers said.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
There are different ways to achieve age assurance, said Kate Charlet, Google's global director for privacy. Age declarations require users to provide their age. Age estimations use a range of technologies and behavioral indicators, such as account longevity, to gauge age. Age verification requires actions such as uploading one's digital ID.
Age-assurance initiatives are happening around the world, including in the EU, U.K., Australia and the U.S., noted Brian Hengesbaugh, a Baker McKenzie data and cybersecurity lawyer. Fortunately, there are many methods for creating age-assurance systems that also protect privacy, he added.
The EU Digital Services Act, for example, stipulates that companies not collect more data from users for age assurance than they have been collecting. A European Commission blueprint sets out a "double-blind approach," which some EU countries are testing, Hengesbaugh said (see 2507140013).
Google is working in the EU on a zero-knowledge-proof approach that allows a user to share a minimal age signal in a way that's double-blind and untrackable, Charlet said.
The U.S. Children's Online Privacy Protection Act is the oldest law in the world focused on kids' privacy, noted Cobun Zweifel-Keegan, managing director of IAPP Washington, D.C. It's intent-based, meaning that everyone is deemed a child if particular content is directed at children. Companies that know there are children on their platform must comply with COPPA, he added.
U.S. law on protecting children online is evolving, said Zweifel-Keegan. Some laws focus on safety requirements that come into play once a company knows a user is a child, while others are focused on keeping kids off certain sites. States are tackling age assurance through porn laws, strict bans on social media, app store accountability laws and age-appropriate design codes, he added.
Globally, Hengesbaugh said, "there's no convergence on anything!"
Some see the issue as a fight over who's responsible for protecting children online, Charlet said. Legislators will find responsibility at all levels of the stack, said Zweifel-Keegan.
There should be more privacy voices at the table to ensure that age-assurance initiatives are properly balanced, as well as additional legal oversight, Zweifel-Keegan and Charlet added.
Age assurance is "a pivotal point of debate" globally, Baker McKenzie data protection attorney Magalie Dansac Le Clerc said in a blog post Wednesday.
Developments in the U.K., France, the EU, the U.S., Australia and Canada show a common theme, Dansac Le Clerc wrote: "Organisations are expected to assess risks contextually and calibrate their practices accordingly."
Online companies must balance the competing imperatives of safeguarding young users, complying with different legal frameworks and upholding privacy-by-design principles, she said.
Organizations grappling with these issues should revisit their age-assurance policies, "particularly considering mounting enforcement activity and the prospect of new technical standards emerging in the months ahead."