Written by: Haim Ravia, Dotan Hammer
Israel’s Privacy Protection Authority (PPA) has published, for public comment, a draft document on the protection of privacy when using age-assurance measures in the online environment. The PPA describes “age assurance” as a range of measures that provide an estimate, at varying levels of certainty and accuracy, of a user’s age, often on the basis of processing personal data, and that are typically used to prevent access to a service based on age, to tailor a service to the user’s age, or to comply with legal and regulatory requirements.
The document surveys three main methods. Self-declaration, in which the user states a date of birth or that they are above a given age, is the most basic and the easiest to circumvent. Age estimation seeks to approximate a user’s age, or place them within an age range, through technological processes such as real-time processing of biometric data (facial features, voice, or movement), processing of profile or behavioral data, or knowledge tests. Age verification provides a high level of certainty using techniques such as “hard identifiers” (an identity card, passport, or driving license), photo-to-ID matching, checks against public databases, credit-card or banking data, or trusted third-party verification services built on zero-knowledge proofs that issue an anonymous token confirming a user’s age without revealing further personal data. These methods may be combined in a “waterfall” approach for greater certainty.
While the PPA recognizes that age assurance can protect minors and even reduce data collection about them, it warns that these measures also carry significant privacy risks for children and adults alike. Measures with a high privacy impact will almost always exceed what is necessary to verify age and should be used only where there is a legal obligation or a concrete risk to minors.
Organizations are expected to use collected data only for age verification, to define the minimum personal data needed, to avoid using multiple verification methods, and to retain only the minimum data required. The PPA further notes that using age-assurance measures may trigger an obligation to appoint a Data Protection Officer and heightened data-security requirements, particularly where external providers are involved, and that non-compliance may draw administrative financial penalties under the Protection of Privacy Law as well as exposure to civil claims.