The rapid shift to all-digital customer interactions during the COVID-19 pandemic drove considerable demand and innovation for high-fidelity digital-only identity verification (IDV) solutions that organizations could leverage to confirm an individual’s identity and eligibility for certain services. These IDV solutions often rely on the rich functionality available on mobile devices to conduct tasks such as facial recognition, liveness detection, data extraction from an identity document, and scanning of an identity document. These solutions have become a key aspect of many organizations’ digital interactions, helping to reduce fraud and data losses without impairing the user experience.

With online identity verification well understood and maturing, the next brewing verification battle is around age verification, a subset of identity verification. Age verification is needed to enable a range of digital activities such as purchasing age-restricted products (such as alcohol), determining if someone meets an age minimum for using a service, or flagging if a user is subject to additional children’s privacy protection laws. The challenge is that not all minors possess an acceptable form of identity (such as a driver’s license or passport) to complete an age verification process successfully. In response, providers offer a mishmash of ineffective age verification mechanisms, including:

  • Self-asserted consent. This approach relies on the user to enter the birth date. This is an honor system and generally used for giving consent to enter a site and browse content (such as a tobacco or alcohol product site) and not necessarily for purchasing items.
  • Consent-based functionality. This model asks other individuals to confirm an individual’s age. Meta introduced this approach several years ago.
  • Facial-recognition age estimation. This is an emerging method that leverages AI to determine an individual’s age based on a selfie. This approach provides an age estimate.

National And State Regulations Are Increasing

Given concerns around minors accessing inappropriate content or services, regulators have introduced different regulations to govern minors’ access to digital content. In the US, the Children’s Online Privacy Protection Act (COPPA) was passed in 2000. COPPA requires parental-consent online operators for collecting or using personal data for any child under 13 years of age. COPPA also provides penalties for noncompliance. While COPPA is more than 20 years old, it has not eliminated controversies around age verification. Last year, the Senate passed two similarly controversial updates to COPPA, the Kids Online Safety Act and COPPA 2.0, but the bills stalled in the House of Representatives.

In the UK, the Online Safety Act was passed in 2023 and introduced similar requirements around age verification. The EU’s GDPR also has certain provisions around consent for children between ages 13 and 16. Australia also recently passed a similar age verification law.

Despite these regulations, governments are still concerned about enforcing age verification and consent for minors. In the US, several states have now introduced legislation that would require app-store operators (namely, Apple and Google) to conduct age verification and, if necessary, require parental consent before users can download a new app from their respective app stores. Last week, Utah passed such a law requiring app store owners to conduct age verification. Utah’s law awaits the governor’s signature and, if approved, would go into effect on May 7.

Enforcement Challenges Remain Unanswered

While there is broad consensus on the importance and need for age verification, there is much less consensus on who is best positioned to conduct that verification. These latest state legislative efforts in the US aim to put the onus on app-store operators, arguing that they are already collecting user information and are best positioned to verify age. Apple and Google have resisted prior attempts, claiming privacy concerns about collecting this information. But in the last few weeks, both Apple and Google have announced efforts aimed at addressing these age verification challenges.

First, Google announced plans to test the use of AI to determine users’ ages. And last week, Apple announced a series of capabilities to protect minors, including age assurance. Apple’s white paper outlined a new Declared Age Range API as a tool to assist app developers by sharing an age range but only when parental consent is given. This is a privacy-centric approach that minimizes users having to share specific information but also places the burden on obtaining a specific age on the individual app developer and not the app-store provider. Apple also announced updated age ratings for apps that will come into effect later this year.

Given the ongoing immaturity of the technologies involved in age verification and the growing regulatory initiatives, app developers and privacy leaders at B2C firms will need to pay close attention to this space in 2025 and beyond to avoid potential privacy or compliance violations, both of which could affect customer loyalty and retention. Expect IDV vendors to add to or enhance existing age verification capabilities to meet the growing demand for age verification solutions.

Special thanks to Senior Analyst Stephanie Liu, who provided some additional input for this blog.