We all know that age verification isn’t a new concept — bars and restaurants have been verifying customers’ ages for a long time. So why isn’t it widespread online?
There’s certainly a desire for online age verification. Pew Research recently reported that 71% of US adults and 56% of teens support requiring people to verify their age before using social media sites. Regulators are also working to protect their constituents. Governments are shifting away from self-attestation and beginning to require higher-assurance age verification methods to access alcohol, tobacco, and adult entertainment sites. And in the social media and gaming industries, governments have recently started setting minimum ages and requiring age verification for account access. If you’d like to learn more about navigating global age verification regulations, check out our blog or feel free to download our ebook.
For people (like you!) who are responsible for managing your company’s online age verification processes, balancing regulations and privacy requirements with the needs of the business can seem like an overwhelming task. That’s why we’re launching a configurable age verification solution built with Persona’s dynamic identity platform to help serve the needs of your business, no matter what size you are or what verticals or geographies you operate in. Read on to learn more.
Age verification challenges
As you look to add age verification to your business, you’ll run into three challenges. First, you’ll have to comply with complex age verification regulations around the world. You’ll also have to comply with equally complex privacy regulations. And while you ensure compliance, you’ll still need to provide users with a streamlined experience.
Age verification regulations are complex
Regulators often focus on two criteria for age verification: the age threshold for a given product or service and the method of verifying someone’s age against that threshold.
It may sound straightforward to enforce an age threshold. Yet businesses that operate in multiple regions will need to map different sets of thresholds across jurisdictions, use cases, and industries. For example, Utah’s Minor Protection in Social Media Act sets the age threshold for social media access to 18, while a similar law in Georgia sets the threshold to 16. In the UK, the Online Safety Act requires a wide variety of online platforms to keep children under 13 off of their services.
Adding to this complexity, regulations in different jurisdictions specify different acceptable means to verify age. In the UK, for example, performing a credit card swipe can offer enough assurance in certain cases to determine that an individual is at least 18, but other countries may not follow the same practices. In the US, the Protecting Georgia's Children on Social Media Act of 2024 doesn’t list specific methods, but states that businesses must “verify the age of account holders with a level of certainty appropriate to the risks."
In short, regulations require you to enforce the right age thresholds in each jurisdiction, but they often leave it to you to decide how to actually enforce them.
Privacy regulations add to the complexity
Because verifying someone’s age requires collecting user information, you also need to comply with privacy regulations. The specific privacy requirements depend on the jurisdiction, the user’s age, and the verification methods you use, but some examples of important considerations are:
- Data deletion: Louisiana Act 440, which requires age verification to protect minors from harmful content, prohibits businesses from retaining users’ information after verifying their age.
- Parental consent: According to the Children’s Online Privacy Protection Act (COPPA) in the US, websites need to collect verifiable parental consent prior to collecting data from children under 13 (this may soon increase to 16).
To reduce the risk of hefty fines, bad press, and lost user trust, your business should make sure it adheres to privacy best practices while complying with age verification regulations.
Users demand a streamlined experience
Finally, you need to balance conversion and risk on a per-user basis. If you require too many checks or verifications, your users will get frustrated. Conversely, if you make the experience too seamless, you risk providing access to underage users or running afoul of regulations.
It’s tricky to find the right balance between regulatory compliance, user experience, and your business objectives. An ideal age verification experience will present the right amount of friction to verify a user’s age at the right time. Even the same user might need a different flow depending on what they’re trying to do, their physical location at the time they attempt to verify their age, and other factors.
Example: Imagine a business that offers bike rentals in urban areas. Regulations may require them to collect a government ID for age verification. Depending on the business’s risk tolerance, they may be willing to automatically approve certain ID submissions if the user looks well above the minimum age to ride.
Furthermore, if their population uses predominantly low-end devices, the business should configure the image quality checks associated with the government ID verification such that they’re approving as many applicants as possible while keeping risky applicants out.
Introducing Persona’s configurable age verification solution
Given the considerations above, any business that needs to verify their users' ages will need a solution tailored to their unique mix of population, regulatory requirements, and risk tolerances. Whether you leverage Persona’s government ID, database, or selfie verifications, you can build a customized age verification system that’s molded around your unique business needs, while simultaneously protecting your users’ privacy and giving them a great user experience.
Meet regulatory requirements in a way that’s best suited for you
To suit your specific needs, Persona’s platform gives you the power to configure things at two levels: the overall flow level and individual verification level.
At the flow level, you can leverage Dynamic Flow to sequence different verifications that meet your requirements while providing an optimal user experience. For instance, businesses that want to take a stricter approach to age verification can set up a government ID and selfie verification flow, whereas other businesses may opt to leverage selfie age estimation first, and then perform a government ID step-up verification if the user falls above or below a risk threshold.
At the verification level, you can configure each of Persona’s government ID, database, and selfie verifications with granular settings for collection requirements, fraud checks, and fallbacks. For example, a US-based gaming company launching their first game may start with only accepting US and Canadian IDs, while leveraging looser match requirements against the submitted account information as they learn about their initial users. A seasoned international gaming company, in contrast, might accept IDs around the world and leverage stricter match requirements against account information to deter high-risk or prohibited users. Each of Persona’s verifications comes with a diverse set of checks, allowing you to sift out risky users right from the start.
Finally, these configurations don’t need to be static: easily adapt your configurations as your requirements shift over time without engineering resources by leveraging our Dashboard and Flow Editor products.
Protect your users’ privacy as you comply with age verification regulations
Persona allows you to fine-tune your privacy controls for each jurisdiction you operate in at every level of the product, from global redaction policies down to specific product configurations. Our platform enables you to handle users’ consent and manage the data you collect with fine-grained retention and redaction controls–all without making code changes.
For example, with Dynamic Flow, you can request and record users’ consent prior to collecting their data, prevent the collection of PII from prohibited age groups, and set real-time auto-redaction policies for users under certain age thresholds. You can also enforce policies to retain and redact specific PII fields based on your desired cadence. At the government ID level, you can configure censoring policies so you don’t collect certain PII in the first place. And if you’re using a lightweight selfie age estimation flow, you can opt to auto-redact the user’s selfie once you verify their age.
These are just a few ways Persona enables you to implement fine-grained auto-redaction policies to protect your users’ data — and yourself.
Minimize drop-off while maintaining compliance in real time
Each of your users is unique. Not only will they have different appetites for friction and levels of tech savviness, but they will also be using different devices in a range of contexts with varying lighting conditions and other environmental factors that can influence input hygiene (typos) and image quality (blurry photos).
Persona’s age verification solution enables you to create user flows that ask users only for the information that’s necessary and customized to their specific context, leveraging built-in step up verification that can be triggered by the information a user submits. For instance, you can configure a selfie age estimation flow so a user only has to submit their government ID if their estimated age is below a risk threshold.
Finally, apply your own branding, theming, and UI instructions so the experience feels native and engenders more trust by making it as easy for users to submit the right information and get real time feedback.
Balance compliance, privacy, and conversion with a tailored age verification approach
While regulators have been paying more attention to online restricted goods, social media, and gaming, this is likely the starting point of a much larger trend, one in which verifying people’s identities — or at least parts of people’s identities (age, geography, etc) — becomes an increasingly important focus of online regulations around privacy and security. As the internet grows, it will require more and more businesses to tackle these issues in a structured, forward-thinking way.
As Persona, we’ve long believed that while you can’t predict the future, you can plan for it by building an approach to age verification — if not identity verification as a whole — that is adaptable and robust enough to help you handle changing regulations, and the changing needs of your business.
Ready to get started? Take a closer look at our age verification capabilities, and talk to a Persona expert today.
Disclaimer: The information provided is not intended to constitute legal advice; all information provided is for general informational purposes only and may not constitute the most up-to-date information. Any links to other third- party websites are only for the convenience of the reader.