
Age Verification: From the EDPB Principles to the EU Age Verification app

Published on 22nd May 2026

The EU's age verification app sets the compliance path for platforms while the EUDI Wallet reaches full deployment


The protection of minors online necessarily entails the verification of their age, a requirement now imposed by several complementary regulatory instruments: principally, the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR) as authoritatively interpreted by the European Data Protection Board (EDPB). 

Compliance with these obligations requires service providers to implement age verification systems; however, no effective model has yet been consolidated that does not result in the disproportionate processing of personal data. The EU Digital Identity Wallet (EUDI) is intended to provide the definitive privacy-preserving architecture, but it has not yet reached full deployment. In the interim, the European Commission has put forward a bridge solution.

The DSA obligation: When verification is required

The DSA and its implementing guidelines oblige providers of online platforms accessible to minors to put in place appropriate and proportionate measures to ensure a high level of privacy, safety and security of minors on their service. In particular, the DSA makes three things clear.

First, a provider cannot rely solely on a statement in its terms and conditions prohibiting access to minors to argue that the platform falls outside the scope of the obligation. Second, self-declaration does not meet the requirements of robustness and accuracy and is not an appropriate age assurance method.

Third, for high-risk services, including access to adult content of a sexual nature and gambling, age verification is an appropriate and proportionate measure; methods based on verified government-issued IDs that release no additional data to the platform, such as anonymised age tokens, are specifically indicated as compliant.

However, the DSA does not specify how verification must be done. That is where the GDPR, and the EDPB, come in.

The GDPR constraint: how verification must be designed

On 11 February 2025, the EDPB adopted Statement 1/2025 on age assurance. The statement is a guidance document not a binding instrument, but it carries significant practical weight. It provides specific guidance and high-level principles stemming from the GDPR that should be taken into consideration when personal data is processed in the context of age assurance. While not mandatory in themselves, these principles are likely to steer the approach of national supervisory authorities in enforcement proceedings, and any platform or third-party verification provider that departs from them should be prepared to justify its alternative approach.

The three principles with the greatest operational significance are:

  • Prevention of data protection risks and purpose limitation. The processing of personal data for age assurance should not provide additional means to fulfil purposes unrelated to the age assurance itself. In that regard, based on the state of the art in age assurance, the EDPB advocates technologies and architectures favouring user-held data and secure local processing (device-based), allowing properties such as unlinkability and selective disclosure of personal data under the control of the data subject.
  • Data minimisation. Service providers and any third party involved in age assurance should only process the age-related attributes that are strictly necessary for their specified, explicit and legitimate purpose. The controller should only collect personal data that are necessary, adequate, and relevant for the purposes intended. In many cases, for example, the service provider may only need to know whether the user is over or under an age threshold.
  • Storage limitation. Fulfilling the storage limitation principle and using short retention periods may also be essential for security in age assurance, reducing the exposure surface. A no-log policy may be considered a valuable safeguard: once the user's age is verified, no record of the personal data used for the age assurance process is kept.

The AEPD interpretation

The AEPD has articulated, through its decalogue of principles and accompanying technical proofs of concept, a detailed benchmark of what a compliant age verification system must look like. AEPD's decalogue demands a system that guarantees that it is not possible to identify, track, or locate minors through the Internet; that produces a single binary output, whether authorised to access or not, without ever disclosing the user's exact age or date of birth; and that ensures that access credentials remain anonymous to Internet service providers and third parties alike.

To demonstrate that this is achievable in practice, the AEPD, in collaboration with the General Council of Professional Colleges of Computer Engineering, developed a series of proofs of concept based on a clean architectural separation between identity management, age verification, and content filtering. The architecture relies on two applications: one for content access, one for verification. It is designed so that the entire process takes place on the user's device without accessing external resources, with the verification app acting as an intermediary between existing identity providers and the content service, generating nothing more than the condition "authorised to access". 

In contrast, in March 2026 the AEPD issued a resolution against an age verification provider offering a solution that was non-compliant under the GDPR. It is worth flagging that no controller making use of the age verification services was involved or fined in the resolution, but this may not be the case if a claim or an investigation is opened against both the third-party provider and the controller.

The AEPD found that the provider's digital identity app required users to submit a facial scan to create an account, with no alternative way to verify age. This generated a persistent biometric facial template, which constitutes processing of special category data, used for authentication and identification. The authority also found additional infringements relating to consent obtained through pre-ticked boxes and excessive retention periods for biometric templates, geolocation data and verification-related data. The total fine was EUR 950,000, of which EUR 500,000 corresponded to the absence of a valid legal basis for the processing of special category data.

The bridge solution and the road to the EUDI Wallet

Against the background of a binding obligation to verify, a demanding set of conditions on how to do so, and an enforcement record that shows how regulators will act, the Commission issued a recommendation urging Member States to accelerate the rollout of the EU age verification app.

The app is presented explicitly as a bridge solution: a harmonised, cross-border toolbox designed to function while the EUDI Wallet reaches general deployment. Compliant solutions should be available across all Member States by 31 December.

The proposed architecture is a direct response to the EDPB's framework: a double-blind model in which the verification provider does not know which services a user is accessing, and the platform receives only a threshold confirmation ("18 or over"), never an identity. The technical mechanisms used to achieve this include anonymised age tokens, key rotation and zero-knowledge proofs, the same cryptographic tools the EDPB identifies as consistent with the unlinkability and data minimisation requirements of the GDPR.
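As an added illustration of the threshold-token half of that double-blind model (example code written for this article, not the EU age verification app's or the EUDI Wallet's own code), the Go sketch below has a verification provider sign nothing but an over/under-18 bit under a rotating key, and a platform verify it without learning who the user is. The key ID naming, the five-minute lifetime and the use of Ed25519 are assumptions; the app's real token format and its zero-knowledge proof layer are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"strconv"
	"time"
)

// Token is all the platform receives: no name, date of birth or account
// identifier, so two tokens from the same person cannot be linked.
type Token struct {
	KeyID  string // identifies the issuer key in use; changes on rotation
	Over18 bool
	Nonce  [16]byte // one-time value so a captured token is not reusable
	Expiry int64    // Unix seconds
	Sig    []byte
}

// payload is the exact byte string that is signed and later verified.
func (t *Token) payload() []byte {
	b := append([]byte(t.KeyID), 0)
	if t.Over18 {
		b[len(b)-1] = 1
	}
	return strconv.AppendInt(append(b, t.Nonce[:]...), t.Expiry, 10)
}

// Issue (verification provider side) signs only the threshold bit and adds no
// audience, so the provider never learns which platform will consume the token.
func Issue(keyID string, priv ed25519.PrivateKey, over18 bool, now time.Time) (Token, error) {
	t := Token{KeyID: keyID, Over18: over18, Expiry: now.Add(5 * time.Minute).Unix()}
	if _, err := rand.Read(t.Nonce[:]); err != nil {
		return Token{}, err
	}
	t.Sig = ed25519.Sign(priv, t.payload())
	return t, nil
}

// Verify (platform side) holds the issuer's public keys by ID and learns
// nothing beyond the boolean it needs; a retired key ID is simply absent.
func Verify(trusted map[string]ed25519.PublicKey, t Token, now time.Time) (bool, error) {
	if pub, ok := trusted[t.KeyID]; !ok || !ed25519.Verify(pub, t.payload(), t.Sig) {
		return false, errors.New("unknown or retired key, or bad signature")
	}
	if now.Unix() > t.Expiry {
		return false, errors.New("token expired")
	}
	return t.Over18, nil
}
```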

The EUDI Wallet, once in full deployment, will represent the definitive architecture: citizen-controlled verifiable credentials that allow selective disclosure of a single attribute, age of majority, without revealing any other identifying information. The proposed app is designed to be compatible with the EUDI Wallet framework from the outset, so that the transition, when it comes, is technically seamless.

Osborne Clarke comment

For businesses operating age-restricted services, the first compliance question is whether the current verification method processes anything beyond a simple age-threshold signal: whether it collects, retains or transmits data that goes beyond what the verification purpose strictly requires. The answer may determine whether a system considered reasonable at deployment remains defensible today, in terms of being both effective at age assurance and compliant with GDPR requirements.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
