On 11 February 2025, the European Data Protection Board (EDPB) published ten key principles for designing age verification (also referred to as “age assurance”) in compliance with the GDPR. The aim is to better protect children in digital environments – without compromising their fundamental rights.
Age verification should always be risk-based and proportionate: the more sensitive the content or service, the stricter the requirements may be. At the same time, the EDPB emphasizes the principle of data minimization – only data that is strictly necessary should be processed. Often, a simple “18+” confirmation is sufficient, without requiring disclosure of the full date of birth.
Particularly important: the procedures used must not lead to the identification, localization, or profiling of users. Any reuse of the data – for example, for personalized advertising – is prohibited. Providers must clearly explain how the data is processed and communicate this in an especially understandable way when children are affected.
The EDPB also sets high technical standards: age verification systems should rely on modern, privacy-friendly approaches such as local processing or zero-knowledge methods. Automated decision-making is only permissible with additional safeguards – especially when children are concerned.
Finally, the EDPB calls for a strong governance framework: providers must document their procedures, review them regularly, and be able to demonstrate compliance to supervisory authorities.