The EDPB adopts an opinion on age verification on the Internet
The best interests of the child is a fundamental principle enshrined in the United Nations Convention on the Rights of the Child, which seeks to prioritise the needs and rights of children and adolescents in relation to the decisions they have to make.
Protection of minors in the digital age
In the current social context, the digital environment to which minors have access must also be protected by measures that prevent the violation of their rights.
This protection of minors in the digital environment is required at the regulatory level in Europe. A clear example is the GDPR, with the introduction of minimum age requirements for consenting to the processing of personal data in the context of information society services (Article 8).
Likewise, the Digital Services Act refers to age verification as a risk mitigation measure (Article 35) and several states have joined this protective ecosystem, implementing minimum age requirements for carrying out legal acts.
The key role of the Spanish Data Protection Agency
To further emphasize the importance of this safeguard for minors, the European Data Protection Board (EDPB) has adopted an opinion on age assurance (Statement 1/2025 on Age Assurance) regarding the use of online services that require a minimum age for access.
The Spanish Data Protection Agency has been the driving force behind this opinion, having led the initiation of this work in a team with other supervisory authorities from countries such as Ireland, France, and Germany.
Finally, this project has culminated in its unanimous approval and develops ten principles that establish that the tools that determine age cannot be understood in isolation, but within the framework of the protection of the rights and freedoms of individuals.
Principles for age determination in online services
These are the 10 principles:
1. Full enjoyment of rights and freedoms
The age verification process should respect the fundamental rights and freedoms of natural persons and prioritise, above all, the best interests of the child. This principle should encompass the right to data protection, protection against violence, access to information from various sources and consideration of their views.
To ensure this principle, service providers should assess the impact of all fundamental rights, not just data protection.
2. Risk-based assessment
Age verification must be proportionate and risk-based, respecting the rights of individuals. It is necessary to assess the risks that a service may pose to minors, as age determination may pose a high risk to their rights and freedoms, and a Data Protection Impact Assessment must be carried out prior to processing.
3. Prevention of data protection risks
The age verification measure may not pose an unnecessary data protection risk to data subjects, including additional activities such as identification, tracing, profiling or tracking of individuals.
4. Purpose limitation and data minimization
The principles of purpose limitation and data minimization apply in this context, meaning that service providers and any third parties involved in age verification must collect only the data that is necessary, adequate, and relevant for the intended purposes.
5. Effectiveness of age verification
Age verification shall be achieved by demonstrating the level of effectiveness appropriate for the purpose, taking into account aspects such as accessibility and robustness.
6. Lawfulness, fairness, and transparency
Service providers must comply with the principles of transparency, lawfulness and fairness set out in Articles 12, 13 and 14 of the GDPR, to inform of the data that will be processed, the third parties involved, the possibility of transfer, retention, among others.
7. Automated decision-making
Following the European regulatory framework and with it, the GDPR, service providers must provide adequate remedies and redress mechanisms when automated decisions are made in the age verification of minors.
8. Data protection by design and by default
According to Article 25 of the GDPR, controllers involved in age verification shall implement appropriate technical and organisational measures to ensure compliance with data protection principles. In doing so, controllers will be obliged to take into account the current process of technology available on the market to determine the appropriate measures.
9. Ensuring the security of age verification
To ensure the security of the age verification process, service providers shall implement appropriate technical and organisational measures such as pseudonymisation, encryption, no-logging policies or storage limitation.
10. Accountability
Governance methods must be implemented to demonstrate compliance with data protection regulations to ensure the effectiveness, data protection by design and by default, and security of age verification.
