Ofcom and the Information Commissioner’s Office (ICO) have released a joint statement on age assurance, aimed at providing greater clarity for services likely to be accessed by children on how to comply with both their online safety and data protection obligations.

The joint statement follows separate publications from the respective regulators on the subject recently (discussed here and here), and amid growing concern that online services are not doing enough to guard against children accessing content that is not appropriate for them.

The regulators begin by setting out the various ways in which their approaches align. For example, both share a “flexible, tech-neutral” approach to age assurance, stating that services should choose “the most appropriate method to reduce risks and potential harms to children online”. As a result, they agree that services are not expected to use age assurance methods that are “not technically feasible or that introduce risks to rights and freedoms that outweigh the benefits”, but that methods such as self-declaration, or those that do not address risks of circumvention, will not be sufficient.

The joint statement then sets out the obligations on services under the Online Safety Act 2023 (OSA) on the one hand and data protection law on the other. Much of the content will be familiar, but, for example, it includes reminders about what constitutes highly effective age assurance for the purposes of meeting obligations under the OSA, and provides examples of how effective age gates can be implemented to prevent underage children accessing services, thereby minimising the risk of unlawful processing.

The value of the joint statement is that it provides a concise and accessible resource for services to understand their obligations in these two areas which often overlap but are nonetheless discrete and, at times, subtly and importantly different. It also offers helpful practical examples of how particular types of services can comply with the law, together with a table summarising how different requirements under either the OSA or UK data protection legislation will apply to specific services.

To read the joint statement in full, click here.