Background and regulatory expectations
The ICO's open letter follows ongoing concerns that many platforms set a minimum user age of 13 but rely primarily on self-declaration to enforce this threshold. The ICO highlights that self-declaration is easily circumvented, exposing under-13s to risks associated with the unlawful collection and use of their personal data, without the protections to which they are entitled under UK data protection law.
Recent advances in age assurance technologies-such as facial age estimation, digital ID and one-time photo matching-mean that more robust and privacy-friendly solutions are now available. The ICO expects platforms to make full use of these technologies to enforce their own minimum age requirements effectively.
This latest communication from the ICO underscores the regulator's commitment to protecting children online and signals a clear expectation that platforms must move beyond self-declaration to more robust age assurance measures.
Legal and practical implications
The ICO reiterates that, where a minimum age is set (e.g., 13), platforms generally lack a lawful basis for processing the personal data of children below that age. As such, platforms must implement effective age gates to prevent access by underage users. The ICO is clear that reliance on self-declaration or basic profiling is no longer considered sufficient or effective.
Platforms must ensure that any personal data processing by the age assurance solution that they adopt complies with data protection law, including requirements for lawfulness, fairness, proportionality, security, data minimisation and transparency-particularly in communicating with children in an age-appropriate manner.
Next steps
The ICO is calling on industry to act without delay, identifying and implementing viable age assurance technologies to prevent underage access. The ICO has said that it has commenced direct engagement with higher-risk services and expects full cooperation over the coming months. The ICO will monitor industry practices and has signalled that further regulatory action may follow if platforms fail to meet these expectations.
Social media and video sharing platforms should review their current practices as a matter of urgency and ensure that any new measures are compliant with UK data protection law.
For further information or advice on implementing age assurance technologies in compliance with the Children's Code and UK data protection requirements, please contact Simmons & Simmons for support.
_11zon_(1).jpg?crop=300,495&format=webply&auto=webp)
