Age Protection, Privacy, and Identity Verification

by Clive Bourke, President, EMEA & APAC
November 17, 2023

For parents and caregivers, ensuring their children are safe is arguably a number one priority. As the way kids play has changed dramatically, digital playgrounds are offering up new opportunities for learning and growth that’s accessible for a wide audience. However, these digital spaces also offer equally ample opportunities for bad actors to take advantage of the underaged.

As more and more instances of playground equipment turning from PG into rated R have emerged, VPC, or Verifiable Parental Consent, has come about as a way for parents and caregivers to allow their kids and teens to safely engage in digital play – like signing a paper permission slip for a field trip.

Digital permission can be just as dubious to verify as a signature on paper, though. Traditional verification factors, like knowledge-based questions, phone calls, credit/debit card checks, and database analysis via SSN or other PII (personally identifiable information) are no longer (nor were they ever, really) secure enough to stand the test of today’s fraudsters or to keep up in an evolving digital landscape.

Parental controls need to be strengthened, especially with the kind of access (whether knowingly or accidentally) kids today can have to dangerous content and subversive, manipulative bad actors. Parental and adult permissions must move away from both self-asserted and token mechanisms, where the user is not compared to the evidence, and toward a more secure future for VPC.

Digital identity verification (IDV) that uses a combination of facial biometrics and document comparison technology is the most secure and viable way forward for age protection and security. IDV can help verify the ages of digital users and verify guardian identities, enhancing security measures and only allowing true owners to access their own data.

Changing regulations, changing times

Governments around the world are altering their digital protection regulations to ensure that vulnerable populations – including, and especially, children – can securely interact in the digital world, safe from societal risks like adult chatrooms with age-inappropriate content or grooming by older individuals encountered online.

More robust security measures and user experience fixes are undoubtedly needed – not to mention overdue. To that end, jurisdictions around the world, including the U.S., UK, and EU, are revising identification and protection mechanisms that encompass online communications and media platforms to protect the vulnerable. Prioritizing the security of children is at the heart of these changes.

COPPA 2.0, KOSA, and VPC principles in the U.S.
In the United States, COPPA (Children’s Online Privacy Protection Act) is being upgraded to resolve issues with the current regulation – specifically, how it protects the underage online. One of the key changes proposed by “COPPA 2.0” is to raise the age of protection from 13 to 16 years of age. Another is to completely ban marketing targeted at users under age 16.

COPPA was first passed into law by Congress in 1998; it was last updated in 2012 by the FTC. Complying with COPPA, as with any other federal regulation, is of the utmost importance for digital service providers that engage with audiences that include underage individuals. According to the FTC, “…if your company is covered by COPPA, you need to have certain information in your privacy policy and get parental consent before collecting some types of information from kids under 13.”

KOSA (Kids Online Safety Act) was introduced to the U.S. Senate by Sen. Marsha Blackburn (R-TN) and Sen. Richard Blumenthal (D-CT) in May 2023 as a bipartisan bill with more stringent requirements surrounding digital content and its accessibility by minors. KOSA requires online platforms to mitigate or prevent “Promotion of self-harm, suicide, eating disorders, substance abuse, and other matters that pose a risk to a minor’s physical and mental health,” according to Common Sense Media, amongst other things. It also requires companies to acquire parental consent before allowing children under 17 to use their platforms.

The bill has been met with controversy by various digital rights groups as well as social media companies, as much of the language in the bill leaves room for interpretation by both platforms and individual state attorneys general (who would be charged with enforcing the bill) when it comes to what, precisely, constitutes “a risk to a minor’s physical and mental health.”

The proposed changes in the U.S. are naturally increasing conversation surrounding Verifiable Parental Consent and its enforcement across many industries. VPC mandates that service providers estimate or verify the age of a user before granting that user digital access to its product or service. This territory inevitably brings about privacy concerns, especially for the underaged: how can organizations safely collect data about children to verify their age while not invading the user’s privacy unnecessarily or in a manner that places their identity at risk? Tech developers, stakeholders, politicians, and businesses at large are embroiled in these critical conversations.

Laws in states like Utah and California, the latter of which is known for its CCPA (California Consumer Privacy Act) law, are bringing VPC to the forefront of the digital world as companies are now being required to estimate or verify users’ ages. CCPA already addresses – most thoroughly out of any other legislation in the U.S. – some of the weak points in COPPA policy, including increasing the age of data collection consent to 16 years old.

The state of California has also passed a more stringent age protection law, CAADCA, which will be enforced beginning July of 2024. CAADCA (California Age-Appropriate Design Code Act) will literally raise the standard of these laws by increasing the definition of a child to be a user under the age of 18, to name just one of the important changes it will bring

The U.S. isn’t the only country responding to the need for enhanced online safeguards. It’s widely recognized across many international jurisdictions that better digital protection for the vulnerable and the young is now critical.

UK: Online Safety Bill passed into law as the Online Safety Act
In the UK, the Online Safety Bill (OSB) has finally been written into law as the Online Safety Act. OSA “puts the onus on firms to protect children from some legal but harmful material, with the regulator, Ofcom, being given extra enforcement powers,” according to BBC. UK tech firms are being compelled by law to take more responsibility when it comes to the content on their platforms and who views it.

OSA, alongside GDPR, provides the need for age confirmation online. Undoubtedly, there will be conversations being had in the UK about the new U.S. legislation and the role of VPC. The EU is also considering redefining its approach to age protection and privacy regulations.

A safe way forward
Whether overseas or at home, protecting underage digital users, as it stands today, comes at a cost. Doing nothing will result in dangerous consequences, as will continuing on with the inadequate technology currently being used to keep children safe online.

By implementing identity verification that relies on biometric factors and document checks to prove age and provide parental consent, those costs are eliminated. Current VPC processes are often friction-filled, lack necessary efficacy, cause concerns over privacy, and lack accessibility for all users.

Innovative digital IDV that places security and user experience first is the best path ahead for guardians, government, and the kids who just want a safe way to play.

What is IDV?

Identity verification is the first step to establishing and authenticating a user’s identity. A user who wants to open an account online is asked for identifying information, such as their name, address, email, or identification number (SSN in the U.S., for example). The process then involves capturing both an identity document and a facial biometric, ensuring both are live, real, and unaltered, and then making sure that they match. Often, identifying data the user provides during the registration process is cross-checked against the data extracted from the ID.

Identity verification can even check the captured image and data against a fraud watchlist, preventing known offenders or illegitimate users (those who are underage or those who are not the true guardian of the underage user) from completing the process. As a biometric factor (like your face or fingerprint) cannot be stolen, lost, or forgotten, its use for VPC thoroughly confronts and eliminates both privacy and convenience concerns that current reliance on knowledge-based factors cannot address.

Facial biometric systems, for example, function by converting a facial image into a mathematical representation, or template. This template is a complex set of data points that represent unique facial features. The template creation process is one-way, meaning the original image cannot be reconstructed from the template. Even if a bad actor gains access to the stored template, they cannot reverse engineer it to recreate the original facial image or use it to directly attack an online system.

IDV is the only way to ensure that the user attempting to access a service online is truly who they claim to be – and the only tried and true method to do this is through a secure, convenient combination of biometrics and document verification.

How it works

Step 1: The user confirms their consent to have their biometric information captured for authentication.

Step 2: The app guides the user to capture a front-side identity document image that is instantly subjected to anti-fraud checks.

Step 2b: The identity document’s back image may also be captured and checked for fraud and against the data from the front.

Step 3: The app guides the user to capture a selfie, which is checked for liveness and matched to the image from the identity document.

IDV processes that mirror Daon xProof, above, will ensure the safety of underage users, their data, and the identities of their guardians. As more laws like OSA and CAADCA pass around the world, Verifiable Parental Consent will become more and more dependent upon frictionless, biometrics-based identity verification processes.

The future of age verification services
As age verification expands beyond online child protection, controlled substances sales, eSports/gaming, and software-defined vehicles, the future will hold as many positive opportunities as it does ones that fraudsters, hackers, and cybercriminals will be all too ready to exploit for their own gain.

The move toward zero-knowledge trust tokens is already ushering in a new era for age verification services. As users’ privacy concerns become more and more paramount, zero-knowledge proofs and their application in consumer technology will continue to expand the frontier of digital identity verification services – and underscore its irreplaceable nature in how we conduct our digital lives.

Discover more about Daon xProof, the solution every organization needs to futureproof its identity verification strategy.