What is age assurance?
Age assurance is the umbrella term for methods a service uses to establish that a user is (or is not) above a given age — spanning a spectrum from self-declaration (a birthday field), through age estimation (inference from account context, behaviour or appearance), to age verification (checking against an authoritative source). The regulatory trend across the EU, UK and Türkiye is the same: the higher the risk of the feature, the stronger the assurance expected.
The legal drivers
Four regimes push in the same direction. Data protection: GDPR requires parental consent for information-society services offered to children under the digital-consent age (16 by default, member states set 13–16); KVKK has no fixed age and works from general capacity rules, with parental involvement expected for young children. Platform regulation: the DSA obliges platforms accessible to minors to take proportionate protective measures. The AI Act names age among the vulnerabilities that prohibited practices may not exploit. And consumer law restricts marketing that leverages children’s credulity — reaching AI companions that nudge purchases.
The proportionality principle in practice
The design mistake runs in both directions: a bare terms-of-service age gate on a high-risk feature is decoration, while demanding ID documents for a low-risk app creates a worse data problem than it solves — a warehouse of children’s identity data. Match method to risk: declaration for neutral features; declaration plus inference signals (account context, payment method) for chat and personalisation; verified parental consent plus child-calibrated safety testing for AI companions, edtech scoring and health-adjacent features. Whatever the method, document the choice — the reasoning memo is what regulators ask for first.
Is age estimation from faces lawful?
It processes minors’ data and can amount to biometric processing; where softer signals suffice, they are the proportionate choice. If facial estimation is used, it needs its own DPIA-level analysis and immediate deletion practices.
Does “13+” in our terms protect us?
Not by itself — regulators read the product, not the terms: marketing, art style and app-store category can all establish that a service targets children regardless of the disclaimer.
Related: data subject, DPIA.