In response to the ICO’s opinion on Age Assurance for the Children’s Code

Yoti 9 min read

The Age Appropriate Design Code is a statutory data protection code of practice from the ICO that applies to providers of Information Society Services that are likely to be accessed by children, such as apps, online games, and web and social media sites. The ICO released an Opinion that looks at how age assurance can form part of an appropriate and proportionate approach to reducing or eliminating risks and conforming to the code. This included opinions on age verification and age estimation technologies.

We believe that some of the generalisations made about age estimation do not apply to Yoti’s privacy preserving facial age estimation solution. Please read on for more.

 

Introduction to Age Estimation

Yoti’s Age Estimation using facial images is a secure age-checking service that can estimate a person’s age by looking at their face. We consider it to have wide application in the provision of any age-restricted goods and services, both online and in person. Businesses have already used our service to perform over 500 million age checks since launch of the service two and a half years ago and a growing number of businesses are adopting our solution.

Yoti’s Age Estimation using facial images is designed with user privacy and data minimisation in mind. It does not require users to register with us, nor to provide any documentary evidence of their identity. It neither retains any information about users, nor any images of them. The images are not stored, not re-shared, not re-used and not sold on. The images are not used to train the model further. It simply estimates their age and then deletes the image.

Yoti’s Age Estimation using facial images does not create or use biometric facial geometry. The model only looks at a photo of a person.

For a detailed explanation of how it works, how it was trained and its accuracy please see our White Paper.

 

How it works

Yoti’s Age Estimation using facial images model is a neural network model trained using machine learning techniques – in other words it is an algorithm trained on lots of data to give an estimated age. A face image is inputted into the algorithm and then based on the images it has been trained on the algorithm is able to output an estimated age. Because the only data we used to train the algorithm are face images with the person’s age in months and years, the model cannot work out anything else other than an estimated age.

All the model knows how to do is to estimate age. The model does not know how to identify someone, how to face match or even tell if the same person’s image is repeatedly submitted to it.

If you kept submitting slightly different photos of yourself to the model, it would come out with slightly different estimated ages. Things like lighting, camera quality and angle of the face change the outputted estimated age. The key point is that the model cannot say to itself: “I have seen this face before and I can use that information to estimate the age on this image.”

 

The legal position of Yoti’s Facial Age Estimation 

Yoti’s facial age estimation complies with the UK GDPR and also our own ethical approach to user data and privacy.

When businesses use age estimation to verify the age of their customers Yoti acts as the data processor, with businesses as the data controllers. Businesses therefore need a legal basis to use age estimation. The model obviously processes personal data (a face image) so the legal basis for processing personal data relied upon by businesses will be either: (i) consent of the customer; (ii) performance of a contract between the business and the customer; or (iii) legitimate interests of the business that do not unfairly prejudice the customer.

The Yoti Age Portal has a consent option in-built so businesses can easily collect consent from customers for use of Yoti’s Age Estimation if that is the lawful basis the business chooses.

If Age Estimation processes biometric data and if Age Estimation processes ‘special category data’ then the business will also need to process under a legal basis in Schedule 1 of the UK GDPR, such as consent or acting to protect children.

However, Yoti’s facial age estimation does not involve the processing of biometric data or special category data. This is because the facial age estimation model is physically unable to allow or confirm the unique identification of a person (and that is the key test for biometric data) and it is not being used for the purpose of identification (and that is the key test for special category data). The model was not trained to recognise a face, but instead to categorise that face into an age.

In our view, and in the view of our external lawyers, Yoti’s Facial Age Estimation does not identify a user because the only possible output is the non-identifying estimated age.

Further, even if the view is taken that it is biometric data, it is not ‘special category data’ because there is the added test of needing to use the model for the purpose of uniquely identifying a person – and the model is used explicitly not to identify a person, but instead to allow a person to age verify themselves without being identified.

 

Definitions of biometrics in GDPR

For those more legally minded, here are some of the key parts of the UK GDPR.

Definition of biometric data in Article 4(14) of the UK GDPR:

Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

 

Definition of special category data in Article 9 of the UK GDPR:

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

 

Recital 51 of the UK GDPR further says that:

The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. 

 

What the ICO has said

In the Commissioner’s [the ICO’s] Opinion on Age Assurance for the Children’s Code, first published on 14 October 2021, the ICO states that age estimation “may” involve the processing of biometric data (at para 2.3.2) and then clarifies later at para 4.2.1 that it is only biometric data if it is used to uniquely identify an individual.

Yoti cautiously welcomes the Opinion because of its generally clear explanation to organisations on how to apply age assurance for the Age Appropriate Design Code.

But the Opinion does not clearly explain when age estimation uses biometrics, and just as importantly, the Opinion does not explain when age estimation using facial analysis does not use biometric processing and is not special category data. This would have been very helpful for organisations seeking to implement the age assurance measures required under the Age Appropriate Design Code.

Further, the ICO at para 4.2.1 could have also made clear that it is not processing special category data if the purpose of the processing is not to identify someone. This would also have been helpful clarity to those evaluating different age assurance methods.

The ICO has helpfully clarified that processing biometric data for the purposes of the Age Appropriate Design Code can be lawfully done to meet the ‘substantial public interest’ exception in the UK GDPR (Article 9(2)(g)). Yoti’s implementation of facial age estimation (immediate deletion of the image, use of very secure data centres, SOC2 Type 2 security certification, use of encryption in transit and only returning to the business an estimated age result) means that businesses can be assured that the remainder of the Article 9(2)(g) requirements are met.

 

Accuracy of our Facial Age Estimation

The Yoti White Paper discloses how accurate the model is. The testing is split by age, gender and skin tones to reassure organisations and the public that there is minimal, if any, bias in the model for the key 18+ metric. We have been publishing our accuracy every few months for the last two and a half years.

The ACCS, an independent testing company, assessed the model and published its certification report for Yoti Age Estimation in November 2020 which concluded that: “The System is fit for deployment in a Challenge 25 policy area and is at least 98.89% reliable“. We shared this certification evidence with the ICO in November 2020.

We strongly disagree with the ICO’s statement in Annex 2 of its Guidance which groups all age estimation techniques together and then provides a grouped statement on their accuracy:

Age estimation techniques generally use Artificial Intelligence (AI) algorithms to automate the interpretation of data. There is little evidence for the effectiveness and accuracy of these emerging approaches.”

We understand that currently there are a limited number of businesses offering accurate age estimation, but there is clearly strong evidence that for the last 12 months there is compelling evidence that Yoti’s age estimation AI service can reliably estimate the age of adults to meet the needs of retailers and online brands wishing to prevent under 18s from buying age restricted goods or accessing over 18 content.