Age Verification Systems on Video Platforms

The Spanish National Commission of Markets and Competition (CNMC) kept a public consultation open for contributions until the 31st of January, aiming to delve into the specific obligations Video Sharing Platforms (VSPs) must fulfill to protect minors from harmful content, in accordance with the General Audiovisual Communication Law (LGCA) as the transposition of the AVMSD2 in Spain. Among other requirements, the LGCA mandates VSPs to implement effective age verification systems, ensuring only adults can access such content.

The rationale behind CNMC’s public consultation lies in its commitment to align technical and legal measures with the current challenges posed by digital content consumption, especially in highly accessible environments such as VSPs. In this context, the CNMC uses the public consultation to remind VSPs that implementing mechanisms that merely require a declaration of being of age, without subsequent verification, does not provide a sufficient security level for these platforms to prevent minors’ access to such content.

The CNMC has identified several technical options for age verification, each with its own advantages and disadvantages, focusing on the accuracy of the technology used and the protection of personal data.

Identity verification through identity documents and associated certificates

This proposal would involve using electronic identity documents or digital certificates derived from them, offering a high level of reliability in age verification. This solution could include verification through electronic ID cards, digital passports, or residence cards with integrated chips, checked through readers or specific mobile applications. This method would ensure the authenticity of the user's age through official data verification, thus minimizing the risk of improper access by minors.

Identity verification through bank cards

Another contemplated technological solution would focus on using bank cards as a means of verification. Upon entering a card's details, the system implemented by the VSP would perform a check to ensure it is valid and belongs to an adult, through a pre-authorization of payment or a symbolic micropayment.

Though this latter method could be less intrusive and quicker for the user, it faces the challenge that minors could theoretically access bank cards and bypass the verification. Therefore, while this option would offer a layer of protection, its effectiveness could be limited without the combination of additional security measures, such as cross-verification with databases or the use of biometric authentication systems to confirm the cardholder's identity.

Potential barriers to implementing age verification systems

A significant challenge in implementing systems like those described above are the potential impacts on personal data. This is particularly relevant insofar as it involves processing biometric data and/or revealing particularly sensitive user information. Issues are also raised regarding data transfers, retention periods, and the need to conduct personal data impact assessments and consultations with the Spanish Data Protection Agency (AEPD).

In this regard, the AEPD has presented its model proposal for an age verification system, based on a decalogue of essential principles, detailed in a technical note and exemplified through practical videos for application on different devices and operating systems. The proposal focuses on processing the age attribute directly on the user's device, preventing the minor's condition or any personal data from being disclosed to visited websites.

Among the principles described in the aforementioned decalogue, the AEPD emphatically states that whichever technical solution is chosen, it must ensure that individuals cannot be profiled based on their browsing, that verification information is anonymous to any third party or internet provider, and that under no circumstances can a minor be identified, tracked, or geolocated. Another principle to highlight is the need to enable appropriate mechanisms for parents to exercise parental authority over minors, which, according to the AEPD, necessitates their participation - directly or through representing entities - in determining the criteria for what content should be restricted to minors.

Conclusions

Regardless of the final conclusions reached by the CNMC, it is clear that VSPs subject to the obligation to establish age verification systems will face the necessity to adopt new technical solutions.

Implementing these measures will not only require an innovative approach to meet the requirements of efficacy and data protection but will also demand a detailed legal analysis on a case-by-case basis. Adapting to these changes will pose significant challenges for VSPs but also represents an opportunity to lead in the protection of minors in the digital realm, taking advantage of the opportunity for self-regulation, which the CNMC points out as the preferred option in this area.