Appendix 1: Outline of relevant regulations:
The General Data Protection Regulation (GDPR) was instituted by the European Commission with an eye toward correcting the balance of control over data between users and service providers. Article 8 of the GDPR states that,
“in relation to the offer of information society services directly to a child, the processing of a child's personal data shall be lawful where the child is at least 16 years old.
Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.” Note that the UK opted for the limit to be 13, while Ireland chose 16. TrustElevate enables compliance with GDPR.
Subsequent to this, the UK’s data protection regulator, the Information Commissioner’s Office, published a statutory code entitled Age appropriate design: a code of practice, which requires companies to consider specific age-bands of users when designing products and services. This combination of regulation and statutory codes underpins the necessity of age verification for under 16s. Under age-appropriate application, section 3, the code asserts that service providers must: “either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing or apply the standards in this code to all your users instead.”
The UK government has also confirmed a new Online Safety Bill, set to be published later this year, to tackle illegal content online. The new rules will apply worldwide to any platform that hosts online user interactions or user-generated content accessible by people in the UK. Social media platforms, search engines, online marketplaces, peer-to-peer services, and online forums allowing online interaction will therefore all fall under the regulation. Companies will need to comply with various forthcoming codes of conduct to discharge their duty of care. Ofcom, the media and communications regulator, will be responsible for enforcing the rules and will have the power to impose fines for non-compliance of up to 10% of a company's annual turnover or £18 million (whichever is higher). The regulator may also take enforcement action to require providers to withdraw access to key services. For severe failures of the duty of care, Ofcom has the power to entirely block a company's services from being available in the UK.
The Payments Services Directive (PSD2) seeks to make payments more secure in Europe and facilitate open banking. Payment Initiation Services Providers (PISPs), such as Facebook, Microsoft and Google, facilitate the use of online banking to make payments online. These services help to initiate a payment from the consumer’s account to the merchant’s account by creating an interface to bridge both accounts, filling in the information needed for the bank transfer (amount of the transaction, account number, message) and informing the store of the transaction.
For this to work securely, PSD2 introduces new security requirements known as Strong Customer Authentication (SCA). TrustElevate’s high level of identity proofing meets these requirements as well as providing verification of a relationship between parent and child such that a parent can authorise bank-to-bank transactions. In the age of open banking and unprecedentedly increased amounts of online shopping, enabling children’s purchases in a compliant and customer-friendly fashion is a necessity. TrustElevate enables compliance with PSD2.
The Audiovisual Media Services Directive (AVMSD) introduces new rules on protecting minors from harmful content on video-sharing platforms, which include requirements for content to be age-rated and for content providers to use age verification services for under 18s. The regulation also provides Ofcom with enforcement powers, including the right to impose financial penalties and to suspend the service. As noted above, Ofcom is actively engaged in discussions with industry and is funding research and innovation around age verification services. TrustElevate enables compliance with AVMSD.
The Anti-Money Laundering Directive is intended to prevent money laundering or terrorist financing and underpin Know Your Customer (KYC) requirements for those operating in financial services. TrustElevate enables the remote onboarding of child and teen bank accounts.
A new draft version of the EU’s ePrivacy Regulation was released on January 5, 2021. Once approved, the ePrivacy Regulation will set out requirements and limitations for publicly available electronic communications service providers processing the data of, or accessing devices belonging to, end users in the EU. The regulation aims to safeguard the privacy of the end users, the confidentiality of their communications, and the integrity of their devices. As the UK is no longer part of the EU, it is unclear at this juncture what impact the ePrivacy Regulation will have on UK-based end users. Nonetheless, it will need to be monitored and, like GDPR, it requires companies to know the ages of their users. TrustElevate enables compliance with the ePrivacy Regulation.