Age Assurance for Internet Society Services (ISS): What to Know About a New UK ICO Opinion – Orrick

10 minute read | April.23.2024
The Information Commissioner’s Office (ICO), the UK’s data protection regulator, has published an opinion on age assurance for internet society services (ISS). The opinion aims to explain how a company can use technology in compliance with data protection law in a “risk based and proportionate way.” 
Age assurance: 
Establishing the age of users is important for services subject to the UK’s Age Appropriate Design Code as well as the newly introduced Online Safety Act 2023. As with many legislative changes in the UK over the past year, the focus is on protecting children.  
“Privacy risks children face in the online world can have a significant impact,” the opinion says. “The potential severity of these risks means that the Commissioner expects you to take the necessary steps to protect children. Age assurance is a crucial component in this, helping you to provide an age-appropriate experience, or restrict access to underage users where appropriate.”
The ICO expects a compay to adopt an age assurance method based on the risks created for the child by processing personal information and the required level of certainty about the individual’s age. It identifies high risks to children such as large-scale profiling, invisible processing, location tracking and the use of innovative technologies (e.g., smart devices).
The opinion focuses on three categories of actions, explaining what services:
The ICO does not expect implementation of methods that:
The opinion describes the variety of age assurance methods and the associated actions for services: 
Must
Should
Could
Should
Could
Must
 
Services
Assessing risk is a key factor in the ICO’s opinion, setting out various considerations for services depending upon the nature of the service and their corresponding risks. 
Should
Could
Could
Should
Must
 
Data Protection
The opinion also addresses the interplay between age assurance and data protection principles, confirming that data protection must be embedded in the design. 
Must
Must
Should
Must
Should
Must
Should
Must
Must
Should
Must
Should
Must
Should
Must
Should
 
Whilst many of the principles in this opinion may not be new to most internet society services, it is helpful to see the focus of the ICO on this issue. It is also a clear sign that the UK’s Age-Appropriate Design Code and the interplay with the Online Safety Act is at the forefront of the ICO’s agenda. Companies should ensure they have considered the issues and documented their approach to how the business uses age assurance measures. 
If you have questions about this development, reach out to our authors (Kelly Hagedorn and Adele Harrison) or another member of the Orrick team.
London
London

Kelly provides comprehensive regulatory advisory services to clients, including counseling on the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. She has designed and implemented data protection compliance programmes for clients in a range of sectors, including technology, gaming, manufacturing, and private equity.
Kelly has worked with companies to respond to data incidents that range from small-scale issues that do not attract regulatory attention to large, multi-jurisdictional breaches requiring coordination across numerous different regulatory regimes. She has also advised extensively on litigation matters involving allegations of fraud and financial crime, and in connection with securities laws.
During her career, Kelly has undertaken secondments to the Serious Fraud Office and a major telecommunications company. At the Serious Fraud Office, she worked on a number of cases dealing with restraint and confiscation matters. During her time with the telecommunications company, she helped develop and implement the company’s group-wide anti-bribery compliance programme security associated with data retention, processing, and transfer.
London
London

Adele has advised clients on a wide range of cybersecurity and data privacy matters.  Adele has a particular interest in online safety requirements for companies and has advised clients in relation to the Age Appropriate Design Code, Video Sharing Platforms requirements and the Online Safety Bill. 
Before joining Orrick, Adele worked for two years on a global investigation into allegations of fraud, bribery and corruption, resulting in settlements with the UK Serious Fraud Office, French Parquet National Financier, U.S. Department of Justice and U.S. Department of State.
Prior to her work in private practice, Adele practiced at the independent Bar for five years. She has experience in prosecuting and defending in a wide range of criminal law cases and has developed a practice focusing on fraud, white collar crime and regulatory law.  Adele has conducted secondments with the Serious Fraud Office and Crown Prosecution Service on high profile banking fraud cases, as well as internships with the International Criminal Court and the New York State Division of Human Rights.
Adele has obtained the Certified Information Privacy Professional – Europe (CIPP/E) designation from the International Association of Privacy Professionals.
© 2024 Orrick, Herrington & Sutcliffe LLP. All rights reserved.
Please do not include any confidential, secret or otherwise sensitive information concerning any potential or actual legal matter in this e-mail message. Unsolicited e-mails do not create an attorney-client relationship and confidential or secret information included in such e-mails cannot be protected from disclosure. Orrick does not have a duty or a legal obligation to keep confidential any information that you provide to us. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.
By clicking “OK” below, you understand and agree that Orrick will have no duty to keep confidential any information you provide.

source

About The Author

admin

See author's posts