News

Spanish Data Protection Agency’s Guidance on age verification

Image
Image

The Spanish Data Protection Agency (Spanish DPA) has published guidance on age verification and protection of minors from inappropriate content. After a year of sanctions to adult content service providers, the Spanish DPA has issued this guidance to protect the superior interest of minors and, at the same time, comply with data protection principles and obligations. On one hand, service providers must have due mechanisms to avoid minors having access to adult content and to process their data lawfully. On the other, these mechanisms cannot turn out to be a disproportionate processing of data of all internet users. For this purpose, the Spanish DPA has published not only a guidance, but also a proof-of-concept report to evidence how this works and several other explanatory materials.

Background – Spanish DPA vs. Adult content service providers

Minors protection has been for the last years one of the top priorities of the Spanish DPA. This is precisely reflected in the Spanish Data Protection Act, which has a specific provision on minors protection on the internet (Art. 84).

During the last year, there have been three sanctioning decisions against adult content service providers (PS/00554/2021, PS/00555/2021, and PS/00308/2023). These have stressed the importance of protecting minors from accessing to adult content and consequentially pointed out to the need of establishing age verification mechanisms. However, these resolutions also showed the difficulty of establishing reliable age verification systems that are also fully compliant with data protection obligations, paving the way to the age verification guidance (the Guidance) subject matter of this article.

In each of these decisions, adult content providers were sanctioned for eight or more infringements, from breaches of general principles to privacy by design. The most interesting part of those refer to Arts. 8, 24 and 32 of the General Data Protection Regulation (GDPR) and minors’ personal data. Particularly, the Spanish DPA concluded that:

  • Where minors should not access certain adult content, it is up to the entity to implement appropriate technical and organizational measures to ensure that the processing of data is carried out only in respect of data subjects of legal age. This implies that it also implements appropriate technical and organizational measures to ensure that the data of minors are not processed. Based on Arts. 24 and 32, they should adopt appropriate security measures to verify the age of users, whether registered or not, who access the websites in question, ensuring that they are of legal age. This way, these data controllers can achieve the goal which is to prevent access to minors.

  • Although mechanisms for "declaring" age were present, these were not sufficient to meet their obligation to prevent minors’ access. There was no subsequent verification of age, nor any for verifying it ab initio, which would have been an appropriate measure to avoid the materialization of the high risks that such access may involve to the rights and freedoms of minors. Mere declarations are not only ineffective because they do not serve to verify the age of data subjects, but also because they can be easily circumvented.

  • Curiously, the Spanish DPA sets a very low threshold to consider that an information society service is “directed” to a minor. It states that simply including in its privacy policy the conditions regarding minor’s consent, entailed that the service was also directed to minors (even where banners stating only adults were allowed to access such content were also in place). In this line, it declares that as minors can indeed access the content therein, controllers have the obligation to establish age verification mechanisms and to meet the obligations regarding minors’ personal data as set out in data protection laws.

  • Lastly, it is interesting how the Spanish DPA sanctioned one of these providers for not having the privacy policy in Spanish language.

Other Spanish Authorities – the CNMC and video sharing platforms

All sanctioning decisions above referred to video sharing platforms which, under Spanish Audiovisual Act, must establish and operate age verification systems both for content and ads.

In this regard, the Spanish National Markets and Competition Commission (CNMC), the authority in charge of supervising and control of the audiovisual market, has published a public consultation on criteria for ensuring the adequacy of video sharing platforms’ age verification systems related to content harmful to minors (the Consultation).

As established by the CNMC in recent decisions (see here), mere declarations of being of legal age (without further actions) or merely providing guidance on how to establish parental controls; cannot be deemed age verification or sufficient to meet age verification obligations.

Additionally, in past proceedings it also declared that verification systems such as symbolic credit card payments are not valid either as minors could also own those. In resolution IFPA/DTSA/266/22 it also addressed using a third party’s platform to contrast the information/image on the subject’s ID (scanned) and a photograph or video of the person.

We have addressed the Consultation here and the deadline to respond is 31 January 2024.

The Guidance

After an introduction on the legal framework protecting minors (referred to different age segments below 18 years old – note that age requirements for a social network is not the same as to access pornography), the Guidance provides for a decalogue made up of principles which should be construed and met by age verification systems as a whole (and not each independently):

PRINCIPLE 1: The system for the protection of minors from inappropriate content should ensure that it is not possible to identify, track or locate minors through the internet.

PRINCIPLE 2: Age verification should be directed to persons of appropriate age, so that they are able to prove their status as an "authorized person",  and not to allow the accreditation of the status of a "minor".

PRINCIPLE 3: Accreditation for access to inappropriate content should be anonymous to internet service providers and third parties.

PRINCIPLE 4: The obligation to prove the status of "person authorized to access" shall be limited to inappropriate content only.

PRINCIPLE 5: Age verification must be carried out in an accurate manner and the age categorized to "person authorized to access". This way, the system shall not reveal the specific age of each data subject.

PRINCIPLE 6: The system must ensure that individuals cannot be profiled based on their browsing.

PRINCIPLE 7: The system must ensure that a person's activity is not linked between different services.

PRINCIPLE 8: The system must guarantee the exercise of parental authority by parents. This refers to the obligation to consider parental “rights” to determine what is conceived as harmful content. In this context, the Guidance declare that policies should be drafted taking into account the opinion of families in this regard, either directly or through representatives, associations and foundations for the protection of minors.

PRINCIPLE 9: Any system for the protection of minors from inappropriate content must guarantee the fundamental rights of all persons in their access to the internet. Particularly, the Guidance cites the right to privacy, personal freedom, freedom of information, thought, conscience and religion.

PRINCIPLE 10: Any system for the protection of minors from inappropriate content must have a defined governance framework.

Age verification is nothing but a part of a system to protect minors from inadequate content. For the Guidance, this system is made up of:

  • Age verification system.

  • Age rating policies for sites and contents.

  • A rating of the sites, or of the contents, according to the policies above.

  • Implementation of access policies.

Proofs-of-concept

To demonstrate that it is possible to comply with the Guidance’s decalogue, and that this type of solution could already be offered on the internet, a series of proof-of-concepts were developed and published (including a FAQs document – truly useful).

With the same, the Spanish DPA looks to evidence that:

  1. (i) Clear separation of identity management, age verification and content filtering is possible.

  2. (ii) The protection against inappropriate content can be done on the device itself, with individuals having full control over the use of their identity and age.

  3. (iii) Localization and profiling of minors on the internet (and internet users in general) is not necessary.

Three proof-of-concepts are carried out (links to each explanatory video by the Spanish DPA included) for: (i) computers and consoles, (ii) Android mobile phones, and (iii) IOS mobile phones.

Next steps

  • If your company addresses minors or adult only content, review your age verification systems under the lens of the Guidance.

  • Video sharing platform also to check CNMC’s guidance.

 

 

Authored by Santiago de Ampuero and Cristina Barón.

Search

Register now to receive personalized content and more!