Thanks to the internet, our world is more connected online than ever. As a result, minors and adults are increasingly demanding safeguards to ensure their digital experiences remain age-appropriate. Regulators have also taken note, and have passed numerous regulations related to age verification across industries and geographies.
This means organizations face more compliance considerations than ever when it comes to designing, implementing, and managing age verification experiences. From staying ahead of privacy regulations to optimizing user experiences and meeting business objectives, trying to balance the needs of so many stakeholders can make anyone’s head spin!
Having partnered with hundreds of businesses to navigate these processes, we’ve developed a simple and repeatable framework for managing an age verification process that ensures that products and processes are tailored for you and your business. At a high level, Persona recommends that organizations:
- Deconstruct relevant age and privacy regulations that apply to your various business use cases
- Map the regulatory requirements to the specific needs of your business
- Deliver on the requirements with experiences tailored to your users
Deconstruct the regulations
Regulations vary widely based on jurisdiction. Requirements can also depend on your industry, products, and users. Deciphering what they mean for your business can feel overwhelming.
The key is to partner with your compliance team to research what potential regulations apply. Some of the primary considerations for use cases covered by age verification regulations include:
- Scope: At the most basic level, you need to be aware of the age verification regulations that apply to your industry and the geographies you operate in. For example, if you’re a social media company in France, you may need to comply with the Digital Services Act (DSA) at the EU level, and the Loi Visant à Sécuriser et à Réguler l'Espace Numérique (SREN) at the national level.
- Data privacy: When you implement age verification, you inevitably need to gather some user data. This means you’ll likely need to consider privacy regulations (in addition to age verification requirements, that is). Regulations like the Children’s Online Privacy Protection Act (COPPA) in the U.S. and the General Data Protection Regulation (GDPR) in the EU call for specific protections for users under certain ages – such as data retention and deletion practices that keep children’s personal data secure. State regulations in the U.S. – such as the California Privacy Rights Act and Colorado Privacy Act – mandate similar protections.
- Age thresholds: The age thresholds your business needs to enforce depend on your geography, industry, and use cases. Alcohol retailers need to enforce an age threshold of 21 in the U.S., but different thresholds apply in other regions. Social media companies may need to wrangle more convoluted sets of thresholds across geographies. For instance, Utah’s Minor Protection in Social Media Act sets the age threshold at 18, but the Protecting Georgia's Children on Social Media Act of 2024 sets it at 16.
- Assurance: Each method of verifying someone’s age provides a different level of confidence—or assurance—that the user’s age is what they say it is. Certain regulations are very clear about the amount of assurance they require. For example, Louisiana Act 440 specifically mentions government ID and transactional data (e.g. from a credit card). On the other hand, the EU’s Audiovisual Media Services Directive calls for different levels of age assurance proportionate to the risk (more on that in the next section). This means that a business would need high assurance in a user’s age before granting access to the most harmful audiovisual content. It could use lower-assurance age verification methods to grant access to lower-risk content.
- Consent tracking: To protect consumers, age verification and privacy regulations often require businesses to gather and record users’ consent prior to collecting their information. In the same vein, certain regulations require businesses to gather the consent of a minor’s parent prior to collecting the minor’s data. One example is Tennessee’s Protecting Children from Social Media Act, which requires express parental consent for minors under 18 to hold a social media account.
Going through this checklist with your compliance team can help you figure out the age thresholds and privacy controls you need to enforce. But since regulations may not specify exactly how you’re supposed to comply, you’ll need the next step: mapping these requirements to your business.
Map the requirements to your business
While similar businesses might have similar compliance requirements, they may implement different strategies. To ensure your age verification compliance strategy is suitable for your business, you need to identify the risks your business may face – and your tolerance for those risks.
Determine your risk tolerance
So much of building age verification is about choices. There are choices to be made about your product, your resourcing, your user experience, your long-term strategy, and so much more.
A great way to align around the choices you want your business to make is to get key stakeholders together, hash out the risks that can influence these choices, and decide how much of each risk you’re willing to accept. Possible risks include:
- Non-compliance: At the most basic level, if your business doesn’t comply with applicable regulations (e.g. by failing to enforce the right age thresholds or to handle users’ data properly), you risk having to deal with enforcement actions such as fines and lawsuits.
- Loss of user trust: Without proper age and privacy protections, your users could feel unsafe on your platform. They could feel that you aren’t protecting their data appropriately. If situations like these happen to your business, you risk losing users’ trust, and once lost, users’ trust can be difficult – if not impossible – to regain.
- Bad press: Similarly, a lack of proper safeguards could lead to media coverage that paints your business in a negative light. As a result, new users might think twice before signing up for your platform, and existing users might stop engaging with your services.
- Malicious entities: Unfortunately, your business could be a victim of its own success if it achieves widespread adoption. In pursuit of their own goals, individuals or organizations with malicious intent may attempt to abuse your products or users.
- Loss of revenue: Any of the risks above can lead to the follow-on risk of causing your business to lose revenue.
As you identify risks with your team, think about the impact of each risk, and the likelihood of each risk occurring. You’ll get a sense of your risk tolerance, which can inform the constraints your age verification system should enforce. If your system is too lenient, you may allow access to individuals who are too young, and expose your business to non-compliance risk. If it’s too strict, you may block legitimate users and leave revenue on the table.
Evaluate your building blocks
Once you’ve aligned on your risk tolerance, it’s time to think about which age verification methods will best suit your business’s circumstances.
There are multiple options, including:
- Checking a database: validate user-provided information against an authoritative source
- Assessing a government ID: determine a user’s age from the date of birth printed on a government-issued ID
- Estimating age from a user’s face: infer a user’s age based on physical characteristics seen in a selfie
Each method has its own pros and cons, so a particular method might provide enough assurance for one region or use case, but not enough for another. In addition to age verification methods, you’ll also need to implement privacy controls such as consent collection screens, records to help maintain audit trails, and system logic to help you enforce your privacy policies. Your understanding of the applicable regulations and your business’s risk tolerance should inform which verification methods and privacy controls you use in different scenarios.
As you can see, there’s a variety of building blocks you can use to assemble your ideal age verification system: verification methods, configuration settings, consent screens, data and decision storage, and routing logic, to name a few. In the final section, we’ll cover how you can bring these together to orchestrate the ideal user experience and business processes.
Deliver the ideal flow
As you translate your regulatory and business requirements into user experiences, keep in mind that you probably won’t want to ask every user to use the same verification approach across all cases.
Most platforms serve multiple types of users. Demographics, location, and experience preferences are likely to differ across users. You’ll need to take these factors and your risk tolerance into account as you design the business processes and user flows you’ll use to comply with regulations.
At the level of your business processes, you should configure each age verification method to enforce the appropriate age thresholds and gather the necessary assurance based on regulatory requirements. Your privacy controls should be set up to collect required consent and safeguard users’ data according to region-specific regulations.
When it comes to your user flows, contextual factors such as behavior and lighting conditions can influence the riskiness of a user, so you might also fine-tune the verification checks to account for variations across users’ environments in real time. It might even make sense to request different verifications from the same user depending on their real-time location, the time of day, and other factors. You can streamline how you enforce privacy requirements by setting up consent screens and privacy controls that automatically adapt to the region, user, and use case. These practices can help you ensure compliance with user experiences that feel tailored to each user, and specific to your business goals.
Example: Imagine two companies that look similar on the surface: they both offer bike rentals in urban areas. However, the exact jurisdictions they operate in – and local ordinances they’ll need to follow – are likely to differ. They’ll also want to offer user experiences tailored for their brand, competitive differentiators, and their users’ specific contexts. Their age verification strategy should account for all of these variables to deliver the ideal flow at the right time.
Bringing it all together, the ideal age verification system should help you automatically customize data collection flows, consent screens, and redaction policies in real time so you can comply with age verification and privacy regulations, manage risk, and deliver the best possible experience for each user.