Nationwide push to require social media age verification raises questions about privacy, industry standards

Lawmakers in Washington and in statehouses around the country are seeking to compel tech companies to prove the age of their users, part of a growing national effort to better protect young children from the harms of the internet. But requiring age-verifying technology to keep teenagers away from potentially harmful content online has its own set of risks for children and their families.

Utah and Arkansas have already passed legislation that requires social media companies to verify user ages, mandating that anyone under 18 get consent from a parent. At least seven other states are considering similar laws. And late last month, a bipartisan group of Senators led by Sens. Brian Schatz, D-Hawaii, and Tom Cotton, R-Ark., introduced legislation that would require platforms to use age-proving tech to keep users under 13 off social media and require parental approval for users 13 to 17.

The problem with these proposals, say experts, is that there is no fool-proof age verification technology available or agreement in the industry over what to use. Adding these services to platforms such as Instagram or YouTube would likely introduce new privacy risks for families and their children, such as incentivizing companies to collect even more data on children.

“From a technical standpoint, there’s just not a lot of options out there that get companies in line with what lawmakers would like to be done right now,” said Bailey Sanchez, policy council at the Future of Privacy Forum.

Most social media companies already prohibit children under the age of 13 from creating accounts due to restrictions around collecting data from children of that age or younger without parental consent. But those terms of service are often ignored by young users — and their parents — and poorly enforced by tech companies.

Presently, there are three main ways that technology companies determine users’ ages: self-declaration, age estimation and age verification. Experts say each solution comes with its own levels of potential privacy risks and inaccuracy. “There is no one size fits all solution,” Sanchez said. “It’s very contextual and depends on a lot of factors.” 

Some of those are “counterintuitive,” she notes. For instance, while involving more parties might seem invasive, in some cases having a third-party do verification can be “more privacy-protective and secure” than having a particular service collect and control even more user data.

Acknowledging the complicated regulatory landscape, many of the leading companies in the age verification space already offer multiple options for companies. “One of the things that’s important is to offer that range so that consumers have got choice and platforms have also got choice,” said Julie Dawson, director of regulatory and policy at Yoti, a UK-based identity verification platform.

While Yoti offers customers the option to verify age using a government-approved ID, Dawson said by far the most popular choice is age estimation software, which analyzes users’ biometric features to assign a correlative age. A March white paper from Yoti puts the tool’s accuracy at more than 99% across race and gender and accuracy of age within 2 years for 6-17 year-olds. Yoti’s algorithms have been audited for accuracy by an independent organization accredited in the U.K., according to Dawson

Big tech companies are already experimenting with the tool. Meta started offering Yoti as an option on Instagram in June 2022 and found that  81% of users presented with the choice opted for Yoti’s age estimation.

Unlike uploading a government ID to a platform directly, Yoti allows users to just share whether they are over 18 or not using an assigned digital identity. The company claims that its process is more privacy-preserving than traditional 1:1 facial recognition because the estimation process does not assign a user’s data to an identity.

Yoti’s Dawson notes that while age verification requirements in the U.S. for social media are new, big tech is just the latest industry facing age verification regulations. The online gambling industry has long faced age-verification requirements and, increasingly, in the U.S. and abroad, lawmakers have required pornographic content providers to verify users’ ages with mixed results.

Children’s privacy laws in the U.S. have, historically, taken a much less direct approach. The Children’s Online Privacy Protection Act requires internet companies to get express parental permission from parents of children under 13 since its inception. In doing so, providers just needed individuals to self-declare they were a parent providing permission. Moreover, the rule operates under an actual knowledge standard, something that has historically disincentivized companies from requirements such as age verification.

“A lot of the platforms we’re speaking to will know their user base, but historically there hasn’t really been an imperative to want to know your user base because that’s then created other different obligations,” said Dawson.

Helping companies comply with COPPA is what got PRIVO, a U.S. platform that enables companies to verify parental consent, to get its start more than two decades ago. Its co-founder and CEO Denise Tayloe told CyberScoop that while there is “no one method” for verifying a user’s age, it shouldn’t rely on collecting even more data.

For instance, PRIVO is working on launching technology that would allow parents to verify their child’s ID at the device level. So, instead of having to verify with each company, parents only have to do it once — an age-verification equivalent of the telecom industry’s “Do Not Call” list. Such a technology would also allow companies to “age-gate” certain services and more easily comply with laws such as California’s Age Appropriate Design Code, which requires services reasonably used by children to limit their access to age-appropriate experiences.

Like others, Tayloe says there’s no “magic bullet” when it comes to age verification technology, but that companies need to “meet consumers where they are” by allowing them to verify their identity one-time, using credentials they already have. “Not creating a cottage industry of more people to collect my biometrics and my data and promise me they’re never going to use it,” Tayloe added.

While Yoti and PRIVO are two of the better-known firms in the U.S., they are hardly the only offerings available to companies. What companies seeking to meet legal standards in the U.S. don’t have, experts say, is government-backed digital ID solutions. “The states and the federal bills basically call for a digital identity infrastructure in the U.S. that doesn’t exist,” said Zack Martin, a senior policy adviser at the law firm Venable.

Instead, as written, the laws will likely require at least some individuals to upload a hard copy of government IDs to a third party, creating additional data security risks.

Martin said that even if companies delete the records, “having digital copies out there is troubling.”

“Without the digital identity infrastructure to enable this in a privacy-enhancing way, this proposed legislation is putting a lot out there that is going to lead to bigger privacy issues down the line,” he told CyberScoop

The Schatz-Cotton bill also acknowledges the potential challenge the lack of a national digital ID poses to the bill. It instructs the Commerce Department to within two years establish a pilot program for verifying individuals’ identity online. It would be applicable only to use for verifying age and parental consent on social media.

Other countries have sought solutions to age verification concerns. France’s data watchdog worked with academics to develop a prototype software to verify the ages of people seeking to view adult-themed content. The U.K., which has rolled out its own age verification proposals, has also invested heavily in digital identity technology and the German government has a list of approved age verification providers.

The international efforts have raised privacy concerns, too. France’s data watchdog released a report in September concluding there was no product on the market that met its requirements for “sufficiently reliable verification, complete coverage of the population and respect for the protection of individual’s data and privacy and their security.”

Even though it would seem that a law such as the one Schatz introduced would be a boon for PRIVO, Tayloe, the company’s CEO, said she doesn’t think this new field of legislation will hold up to the scrutiny of parents or the courts.

She’s not alone. Several parent groups have spoken out against the Schatz law, calling it overly burdensome on parents and expressing concerns about requiring parents to give consent for teens, especially those who might not have supportive families.

Josh Golin, director of FairPlay, a nonprofit focused on child safety, said that while his group shares the bill’s aims of protecting kids from online harm and manipulations, banning kids from social media will just drive them “further underground.”

“We are concerned that it’s putting far too much of the burden on parents to keep their kids off of the internet and social media if they want to keep them safe,” said Golin. “And we think really the onus needs to be on the big tech platforms, and the ways in which they’re designed to monetize kids.” Instead, he believes social media companies should be using the data they already collect on users to make age estimations.

Tech industry critics say the laws will likely trigger court battles similar to the ones stemming from Congress’s attempts in the late 90s to criminalize the transmission of certain forms of obscene and offensive content online through the Communications Decency Act. The Supreme Court struck down parts of the law for being overly broad and infringing on First Amendment rights.

“The reason why Congress hasn’t spelled out age verification processes is that there are none that currently exist that would work at a scale that would also preserve privacy,” said Chris Marchese, litigation center director at NetChoice, an industry group that opposes the federal and state social media bans. NetChoice is currently suing the state of California over language in its Age Appropriate Design Code that similarly dictates what content companies share.

Experts cautioned that there’s one more obstacle to restricting social media that Congress and industry shouldn’t underestimate: the obstinacy and ingenuity of children.

“I’ve been around these really resourceful kids for 20 years, watching what they do to get around the parental consent process,” said Tayloe. “I promise you if companies would have just complied with COPPA, and if they would start now, they will resolve these issues naturally in the marketplace without going too heavy-handed.”