July 17, 2026

DNS Africa Resource Center

..sharing knowledge.

Age Assurance for Internet Society Services (ISS): What to Know About a New UK ICO Opinion – JD Supra

Orrick, Herrington & Sutcliffe LLP
The Information Commissioner’s Office (ICO), the UK’s data protection regulator, has published an opinion on age assurance for internet society services (ISS). The opinion aims to explain how a company can use technology in compliance with data protection law in a “risk based and proportionate way.” 
Age assurance: 
Establishing the age of users is important for services subject to the UK’s Age Appropriate Design Code as well as the newly introduced Online Safety Act 2023. As with many legislative changes in the UK over the past year, the focus is on protecting children.  
“Privacy risks children face in the online world can have a significant impact,” the opinion says. “The potential severity of these risks means that the Commissioner expects you to take the necessary steps to protect children. Age assurance is a crucial component in this, helping you to provide an age-appropriate experience, or restrict access to underage users where appropriate.”
The ICO expects a compay to adopt an age assurance method based on the risks created for the child by processing personal information and the required level of certainty about the individual’s age. It identifies high risks to children such as large-scale profiling, invisible processing, location tracking and the use of innovative technologies (e.g., smart devices).
The opinion focuses on three categories of actions, explaining what services:
The ICO does not expect implementation of methods that:
The opinion describes the variety of age assurance methods and the associated actions for services: 
Must
Should
Could
Should
Could
Must
Services
Assessing risk is a key factor in the ICO’s opinion, setting out various considerations for services depending upon the nature of the service and their corresponding risks. 
Should
Could
Could
Should
Must
Data Protection
The opinion also addresses the interplay between age assurance and data protection principles, confirming that data protection must be embedded in the design. 
Must
Must
Should
Must
Should
Must
Should
Must
Must
Should
Must
Should
Must
Should
Must
Should
Whilst many of the principles in this opinion may not be new to most internet society services, it is helpful to see the focus of the ICO on this issue. It is also a clear sign that the UK’s Age-Appropriate Design Code and the interplay with the Online Safety Act is at the forefront of the ICO’s agenda. Companies should ensure they have considered the issues and documented their approach to how the business uses age assurance measures. 
[View source.]
See more »
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Orrick, Herrington & Sutcliffe LLP | Attorney Advertising
Refine your interests »
Back to Top
Explore 2024 Readers’ Choice Awards
Copyright © JD Supra, LLC

source

About The Author