The protection of minors online has become a critical regulatory priority across the European Union. With the implementation of the Digital Services Act (DSA) and the GDPR’s evolving compliance requirements, the demand for robust age-assurance methods is increasing.
The challenge with age verification is not simply to determine a minor’s age, but to ensure this is done in a necessary, proportionate and data-minimising manner that protects privacy and data protection rights.
This article focuses on recent regulatory guidance concerning different age-assurance methods and examines the GDPR compliance challenges they present. Particular focus is given to the processing of biometric data, which, when used to uniquely identify an individual, is classified as special category data under Article 9 GDPR.
The regulatory framework - the interplay between the DSA and the GDPR
Article 28 of the Digital Services Act
The DSA contains key provisions for the online protection of minors. Article 28(1) DSA requires providers of online platforms accessible to minors to put in place appropriate and proportionate measures to ensure a high level of privacy, safety, and security on their service. Until recently, however, it was unclear what these measures were required to address, leaving online platform providers uncertain about how to meet these obligations in practice. Article 28(4) DSA therefore granted the Commission the authority to issue guidelines to assist providers in applying paragraph 1.
Commission Guidelines on the protection of minors
On 14 July 2025, the European Commission published comprehensive guidelines on the application of Article 28(1). They set out concrete measures to protect minors from risks such as harmful content, cyberbullying, addictive design features, grooming, and unfair commercial practices. While not legally binding, the guidelines will serve as a benchmark for assessing DSA compliance and will play a central role in enforcement by national authorities.
A key focus is age verification. The guidelines distinguish between self-declaration, age estimation and age verification, and emphasise that providers should only use methods that are accurate, reliable, robust, non-discriminatory, and as non-invasive as possible. They also recommend applying age-differentiated protection measures only where specific risks to minors exist, rather than restricting entire services solely on the basis of age.
On the technical side, the Commission is currently testing an age verification solution designed to facilitate checks ahead of the European Digital Identity Wallet (EUDI Wallet), scheduled for 2026. The solution is intended to serve as a reference model for a compliant, device-based procedure.
EDPB Statement on age assurance and Guidelines
Earlier in 2025, the EDPB issued a statement on age assurance, identifying three primary categories: self-declaration, age estimation, and age verification, which form the structure of the analysis below. The statement also underlined that age assurance measures must be risk-based, proportionate, and data-minimising, avoiding unnecessary identification, profiling, or tracking.
On 12 September 2025, the EDPB adopted for public consultation its Guidelines 3/2025 on the interplay between the DSA and GDPR (Guidelines), clarifying how online platform providers should apply and interpret the GDPR when processing personal data in DSA contexts, including measures to protect minors and the prohibition on profiling-based advertising to them.
The Guidelines emphasise that online platform providers must first understand the risks their services pose to minors and then adapt their technical and organisational measures accordingly. In this context, age assurance is expressly identified as an appropriate measure. The Guidelines also note that providers may in some cases know their services are used by minors without needing to process additional personal data, for example, where a service is clearly directed at or predominantly used by minors.
The EDPB further recognises that Articles 28(1) and (2) DSA can, in appropriate cases, serve as a basis for processing under Article 6(1)(c) GDPR (legal obligation). This is conditional on controllers demonstrating that the specific processing, such as age assurance, is necessary and proportionate to achieve the DSA objectives, and that no equally effective but less intrusive alternative exists. Article 28(3) DSA also makes clear that providers of online platforms are not obliged to process additional personal data solely to determine whether a user is a minor.
For special category data under Article 9(1) GDPR, controllers must assess on a case-by-case basis whether an Article 9(2) exception applies. The EDPB advises against processing such data, particularly biometric data used to uniquely identify a person and especially where children’s data is involved. It also emphasises that age assurance can often be achieved without identifying the user, and that online platform providers should avoid mechanisms enabling unambiguous online identification, such as requiring government-issued IDs, which generally contain biometric data.
Building on this, the Guidelines stress that if an online platform provider determines age assurance to be necessary, it must be implemented in a risk-based and proportionate manner, limiting processing to what is strictly required. Where an age range provides reasonable certainty, verifying an exact date of birth should not be required. Providers should also avoid permanently storing age or age-range information and instead record only whether the user meets the relevant access condition, thereby applying data minimisation and data protection by design and by default.
Finally, the Guidelines set out additional requirements for Very Large Online Platforms (VLOPs), which are subject to enhanced obligations, including systemic risk assessments and mitigation measures.
Age verification methods
Self-declaration
- Method overview: self-declaration represents the most basic approach, typically requiring users to tick a checkbox or enter their date of birth.
- GDPR considerations: self-declaration typically relies on Article 6(1)(b) GDPR (performance of a contract) or Article 6(1)(f) GDPR (legitimate interests) as its legal basis. It aligns well with the principle of data minimisation as it involves only minimal data processing. However, it provides little assurance of a user’s actual age.
- Regulatory assessment: both the Commission and the EDPB underline that self-declaration does not provide the robustness or accuracy required under Article 28 DSA. Its effectiveness depends largely on the goodwill of users and it can be easily circumvented, making it unsuitable where actual risks to minors exist. The Commission explicitly considers self-declaration not to be an appropriate age-assurance method for ensuring a high level of privacy, safety, and security for minors. The EDPB has likewise expressed serious doubts about its reliability in high-risk contexts, as it has also elaborated in a binding decision.
Accordingly, self-declaration may, at most, play a role in very low-risk scenarios or as part of layered approaches, but it cannot generally be regarded as sufficient on its own.
Age estimation
- Method overview: age estimation refers to methods that allow online platform providers to assess whether users are likely to fall within a certain age range or above/below a defined threshold. Unlike age verification, which seeks certainty, estimation produces only an approximation.
- The CEN and CENELEC Workshop Agreement (a voluntary European standardisation initiative developed by stakeholders to establish best practices) notes that age estimation methods may include automated analysis of behavioural and environmental data. Such approaches compare the way a user interacts with a device to patterns observed in other users of the same age, and may also rely on metrics derived from motion analysis or tests of a user’s capacity or knowledge.
- GDPR considerations: where age estimation is necessary to meet Article 28 DSA obligations, Article 6(1)(c) GDPR (legal obligation) may serve as a legal basis. In other contexts, reliance on Article 6(1)(f) GDPR (legitimate interests) may be possible, subject to a balancing test. Article 9 GDPR is engaged only where biometric data are processed for the purpose of uniquely identifying an individual. In practice, age estimation is typically aimed at generating an age-related probability rather than identifying a person. That said, techniques such as facial or voice analysis may involve biometric characteristics, and there is a risk that data could be stored or combined in ways that enable identification.
- Regulatory assessment: the Commission notes that lower accuracy does not automatically mean a lower impact on users’ rights and freedoms. Less accurate solutions may, in some cases, process more personal data than more accurate ones. Providers of online platforms accessible to minors should therefore ensure that the data protection principles, especially data minimisation, are properly implemented and remain robust over time. The Commission further indicates that age estimation tools can complement age verification technologies and may be used alongside them. Where appropriate, they may also act as an interim option until compliant verification measures are available. The Commission announced that it may, in due course, supplement the guidelines with a technical analysis of the main age estimation methods currently available on the market.
Accordingly, age estimation can play a useful role in layered, risk-based approaches, particularly where a degree of approximation is sufficient, but it should not be relied upon as the sole measure in higher-risk contexts involving minors. Where possible, reliance on biometric data should be avoided in favour of methods that focus, for example, on how a minor interacts with their environment. In any case, systems should be designed so that identification is technically excluded, for instance through on-device processing and the immediate deletion of personal data.
Age verification
- Method overview: age verification involves methods that provide a high degree of certainty regarding a user’s age. This usually relies on trusted physical identifiers or verified sources of identification, such as government-issued IDs or trusted third-party attestations. Unlike age estimation, verification seeks to establish factual certainty rather than approximation.
- GDPR considerations: where age verification is necessary to meet obligations under Article 28 DSA, Article 6(1)(c) GDPR (legal obligation) may apply as a legal basis. In other contexts, Article 6(1)(f) GDPR (legitimate interests) may be relevant, provided the balancing test supports it. Again, special category data considerations under Article 9(1) GDPR are only triggered where biometric information is processed for the purpose of uniquely identifying an individual.
- Regulatory assessment: the Commission considers access restrictions supported by robust age verification measures to be an appropriate and proportionate way of ensuring a high level of privacy, safety and security for minors, particularly in high-risk contexts such as access to alcohol, gambling or pornographic content. At the same time, the EDPB cautions that online platform providers should avoid mechanisms enabling unambiguous identification of users, such as requiring the direct submission of government-issued IDs containing biometric data. Instead, verification should be treated as a distinct process, separated from other data collection, and implemented using privacy-preserving technologies.
In this context, the Commission is developing an EU-wide age verification solution intended to bridge the gap until the launch of the EU Digital Identity Wallet in 2026. This reference solution is designed to be privacy-preserving and data-minimising, initially focused on 18+ proof. Key features include simple activation, confirmation of age without disclosing identity or precise date of birth, no data flows to proof providers during use, anti-tracking mechanisms, and technical capacity to support additional attributes.
Accordingly, age verification can be an effective measure in high-risk contexts, but it must be implemented with strict safeguards to ensure compliance. Providers of online platforms should therefore evaluate technical solutions carefully and prioritise those that minimise data use while delivering the required level of certainty.
Outlook
The regulatory landscape for age verification methods is still developing and will continue to evolve as both the DSA and GDPR frameworks are further interpreted and applied. The Commission’s testing of an EU reference solution and the upcoming rollout of the EU Digital Identity Wallet in 2026 point towards more standardised, privacy-preserving approaches. At the same time, the EDPB has underlined that age assurance measures must always be risk-based, proportionate and data-minimising, with particular emphasis on avoiding identification and intrusive biometric processing.
For online platform providers, this means compliance strategies cannot depend on a single method. Layered solutions that combine different approaches are likely to become the norm, adapted to the specific risks of each service. Looking ahead, the interplay between technological innovation, such as AI-driven age estimation, and evolving regulatory guidance will shape the next generation of age verification methods. It is already clear that protecting minors while safeguarding privacy and data protection rights will remain a central expectation, requiring providers to remain agile and proactive in their compliance efforts.