Understanding verification requirements in the new Digital Services Act

profile picture Amba Karsondas 9 min read
Image of a young person sitting down and using their smartphone.

The EU’s new Digital Services Act (DSA) will apply from the 17th February this year. Originally only applicable to ‘very large online platforms’ (VLOPs) and ‘very large online search engines’ (VLOSEs) with over 45 million monthly users, it will eventually be expanded to cover all online intermediaries and platforms that offer their services to users based in the EU.

These include online marketplaces, social networks, adult content companies, content sharing platforms, app stores, and online travel and accommodation platforms. 

To comply with certain parts of the Act, platforms will need to have effective verification of business users and support age-appropriate design. This blog explains the DSA and how affected platforms can comply with its age and identity requirements.

 

What is the purpose of the Digital Services Act?

One key goal of the DSA is to create a safer online environment. It looks to do this by preventing illegal and harmful activities online, limiting the spread of disinformation and protecting the rights of users.

The new rules will ensure user safety, increase transparency and create a fair and open online environment. The wide-ranging obligations will protect consumers and their rights with clear and proportionate rules.

 

Who is impacted by the Digital Services Act?

The DSA will apply to platforms that provide people access to goods, services and content. The phrase ‘digital services’ refers to a range of online services including:

  • simple websites
  • internet infrastructure services
  • online marketplaces
  • social networks
  • content sharing platforms
  • hosting services
  • app stores
  • travel and accommodation platforms

Platforms must comply with the DSA if they operate in the EU or if there is a “substantial connection” to the EU. A substantial connection exists when the provider either:

  • has their main establishment in the EU
  • has a significant number of users in the EU
  • targets its activities towards at least one EU member state

Under this criteria, a business could have its headquarters outside the EU and still have to follow the new obligations. 

Where a business has its main establishment in a member state but operates across the EU, the host state will be responsible for enforcement. Where the company is based outside the EU, it’ll have to nominate a legal representative. VLOPs based outside the EU answer directly to the European Commission. As such, many UK businesses offering online services within the EU are significantly impacted.

The DSA has a tiered system of obligations. The tier that a company falls into depends on its size, the type of company and the impact that it may have on its users. Tier 1 has the least strict requirements and these get progressively more stringent for higher tiers.

 

Is this the first piece of EU legislation of its kind?

The DSA is an updated version of the EU’s Electronic Commerce Directive from 2000. Since then, technology has advanced significantly which in turn requires more comprehensive legislation.

The DSA refreshes the EU’s framework for illegal content on online platforms. Crucially, it also aims to harmonise the various laws that have emerged at national levels across individual EU states. This is to ensure consistency across the European single market.

The DSA will sit alongside the Digital Markets Act. Together, this package will form a single set of rules that apply across the whole of the EU and EEA. Its two main goals are:

  • to create a safer digital space in which the fundamental rights of all users of digital services are protected
  • to establish a level playing field to foster innovation, growth and competitiveness, both in the European single market and globally.

 

Why has the Digital Services Act been introduced?

People are turning to the internet to complete an increasing number of everyday tasks. We’re using it to communicate, shop, order goods, find information and stream entertainment. Ultimately, for many of us, digital services make our lives easier. 

But whilst there are many benefits of these digital services, we need to be aware of the problems they can bring. Online services could be used to:

  • trade and exchange illegal goods, services and content 
  • amplify the spread of disinformation
  • facilitate online abuse and exposure to harmful content
  • collect personal data without user consent

 

What does the Digital Services Act mean for online platforms?

Companies must meet a vast array of obligations under the DSA. These include:

  • creating user-friendly tools for users to report illegal content
  • a ban on targeted advertisements to minors on online platforms
  • explanations to users detailing why their content has been restricted or removed
  • having an internal complaints system for users to appeal content moderation decisions
  • publishing annual transparency reports on their content moderation processes
  • the increased protection of the privacy and security of children
  • a responsibility to inform law enforcement authorities if they become aware of any potential criminal activity
  • making sure that their platforms are not designed in a way that manipulates or deceives users
  • being able to verify the identities of business users on online marketplaces
  • ensuring clear terms and conditions on their platforms

 

How can companies protect young people in line with the Digital Services Act’s requirements?

New protections for young people mean that platforms must ensure transparent online advertising. Part of this requirement means that there will be restrictions on the ads that are displayed to minors.

Tailoring advertising to individuals requires the collection of something known as “special categories of personal data”. Put simply, this is any data about an individual that could be used to identify them. Under the DSA, platforms will no longer be able to collect this data about young people and target ads specifically towards them.

Alongside this, if their platforms are accessible to children, companies must protect the safety of these users. They will need to implement heightened data protection measures for children. Platforms may need to adapt the language in their terms and conditions so that children can properly understand them. They may need to put parental controls into place so that parents and guardians can help protect their children from exposure to harmful content. Or they may need to create tools to allow young people to report content and receive tailored support.

The DSA also forbids “dark patterns”. This is a technique that some platforms use to influence the decisions of their users. For instance, some sites may try to persuade users to make unnecessary purchases or make it difficult for users to cancel online subscriptions.

But to put these age-appropriate measures in place, platforms face the challenge of assessing whether the user is a child.

Establishing a user’s age is a delicate process of balancing assurance with privacy. In most cases, platforms won’t need to know the exact age of the person trying to access their content. It’s even rarer that they will even need to know a user’s exact date of birth. In many cases, it’s likely they’ll only need to know if the user is over or under a particular age threshold. The less information the user needs to share with a platform, the more their privacy is protected.

Users should also be given a choice of age assurance methods. Since many young people don’t own identity documents, offering alternative methods is vital for inclusion. Alongside the common method of using an identity document, platforms could consider accepting Digital IDs and facial age estimation. These alternative methods are more privacy-preserving as users can prove just their age without sharing any other personal details or documents.

 

How can companies verify their business users in line with the Digital Services Act’s requirements?

Another goal of the DSA is to counter the spread of illegal goods. The Act requires companies to be able to identify those selling goods or services on their platforms. This will make it easier for platforms to identify the person responsible for each sale.

Under the DSA, this ‘Know Your Business Customer’ (‘KYBC’) obligation requires online marketplaces to:

1. Collect KYBC information on sellers – Depending on the requirements, this could include their name, contact details, a copy of their identity document, bank account details, a registration number if the seller is registered in a company register or similar public register, and a self-certification by the seller committing to only offer products or services that comply with the applicable EU law.

2. Verify this KYBC information – Platforms must have effective methods in place to verify a seller’s identity. They are required to make reasonable efforts to assess whether this information is reliable.

This applies to both new sellers and those who are already active on the platform. If a seller cannot effectively prove their identity, the platform is required to suspend the user from trading. 

Therefore, to know who is selling on online marketplaces, platforms need to have simple, frictionless methods in place so that they can effectively check identities at scale. Users should be able to verify their identity in a way that protects the security and privacy of their personal information.

One such method could be with a Digital ID app, which lets people share the necessary information, without having to upload identity documents online. Online marketplaces can also use official online databases that are freely available.

Offering people choice in how they prove their identity ensures these checks are inclusive for people who don’t own identity documents or are unable to access them.

If the platform becomes aware of a user selling illegal goods or services, the platform is obligated to contact the users who have purchased the product. They will be able to identify the seller and must offer buyers with options for redress.

 

Complying with the Digital Services Act

Florian Chevoppe-Verdier, Public Policy Associate at Yoti said, “The Digital Services Act is the first major piece of online safety legislation, echoing the impact of GDPR. It is poised to set the tone for industry standards, and it is likely other advanced economies and trade blocs will follow suit. While compliance poses challenges for businesses, trusted age assurance providers such as Yoti can make the online world safer. The societal benefits will be immeasurable and truly transformative.”

If you’d like to know more about how you can comply with the EU’s new Digital Services Act, please get in touch.

Keep reading

girl looking at phone smiling

The Age Appropriate Design Code for businesses

This blog was updated in February 2024, following the ICO’s  updated opinion on age assurance for the Children’s Code. In a nutshell the main changes include:  Facial age estimation is now recognised as the most widely used age estimation approach, with high levels of accuracy.  Self-declaration on its own is not sufficient for high-risk services. The ICO has also introduced a new term, the ‘waterfall technique’. This refers to a combination of age assurance methods.  Companies should ensure that any age assurance system implemented has an appropriate level of technical accuracy, reliability and robustness, whilst operating in a fair way

13 min read
An image of a young person wearing a set of headphones and using their smartphone

Online Safety Act becomes law

After years of debate and discussion, the Online Safety Act is now law – marking a new chapter in online safety. There are three key elements within the Online Safety Act that we are ready to help with: Age assurance to help platforms create safe, age-appropriate experiences online User verification to give users more control over who they interact with online Over 18 consent from content creators for the publication of intimate images   Age assurance in the Online Safety Act The Online Safety Act is not about excluding children from the internet. It’s about giving them an experience

5 min read
An image of a young person looking at a phone screen. The content on the phone has been blurred out. It has been replaced with a graphic of a crossed-out eye and the words "sensitive content".

Understanding age assurance in the Online Safety Act

The Online Safety Act 2023 is a piece of UK legislation that aims to protect children and adults online. It covers a wide range of issues including minimising the risk of children seeing harmful and age-inappropriate content, removing illegal content like child sexual abuse material (CSAM), criminalising fraudulent and scam ads, and introducing age verification for certain online services. This blog looks at some of the age requirements in the Online Safety Act and what this means for tech companies, adult sites, gaming companies, social media platforms and dating sites.   What is the purpose of the Online Safety Act 2023?

10 min read