Age verification process

age-verification-processDomain: age-verificationType: mixed

Description

Age verification is the operational tier-determinator for products whose features gate by age: minor-protection regulations that require enhanced safeguards once a user is known to be under a defined threshold, age-rating regimes that prohibit ratings-disallowed content for younger users, alcohol or gambling regimes that prohibit the product entirely below the threshold, and content-moderation duties to known minors that shift in scope once age is established. The verification event itself is the artifact a regulator reaches for: which method was applied, at what point in the user lifecycle, with what evidentiary support. Implementation has three layers. The verification surface (neutral age screen, attestation, document verification, age estimation via facial-analysis vendor, parental-consent flow with verifiable consent under COPPA, or a tiered combination keyed to risk) is the user-facing piece, and the choice among the surface options is a trade-off between friction and confidence rather than a single best answer. The verification-event log is the audit-side piece: per-user records that capture which method ran, the timestamp, the result, and the retention treatment of any document or biometric evidence that fed the decision. The method-tier policy is the governance piece that documents the rationale for the chosen method against the data sensitivity and the applicable regulation. The trade-off pressure that shapes the design is that the regulators most active here (the FTC under COPPA, the ICO under the UK AADC, Ofcom under the Online Safety Act 2023 highly-effective-age-assurance regime) have been pushing toward stronger verification for higher-risk surfaces and explicitly rejecting self-declaration when the platform data sensitivity warrants more. The statutory anchors define the threshold and the verification-quality expectation per jurisdiction. COPPA at 15 U.S.C. §§6501-6506 and 16 CFR Part 312 §312.5 sets verifiable parental consent for under-13 users and enumerates the acceptable VPC methods (knowledge-based authentication, credit-card transaction, video-conference review, government-ID match, the 2025-amendment text-message methods). The UK AADC Standard 3 (Data Protection Act 2018 s.123 + ICO Age Appropriate Design Code) sets age-appropriate application keyed to a risk-proportionate assessment. California AADC at Cal. Civ. Code §§1798.99.28 to 1798.99.40 (AB 2273, 2022) imposes equivalent obligations. The DSA reading and KOSA at the federal US level (Pub. L. No. 118-XXX, 2024) both require reasonable measures to identify minor users without specifying a single method. China's Regulations on the Protection of Minors in Cyberspace (State Council Order No. 766, effective January 1, 2024) and PIPA Korea both layer verification expectations on top of their general data-protection frameworks. The cheapest defensive posture is to choose the method tier that proportionately matches the regulator's expectation for the riskiest surface the platform exposes to potential minors, document the rationale before launch, and treat self-declaration as inadequate wherever the data sensitivity is non-trivial.

Required by (13 regulations)

CA AADC
Cal. Civ. Code §§1798.99.28-1798.99.40 (AB 2273, 2022)
CCPA/CPRA
Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102
Minors Online Protection
Regulations on the Protection of Minors in Cyberspace (promulgated by the State Council, Order No. 766, effective January 1, 2024)
COPPA
§ 312.5 — verifiable parental consent + age screening.
15 U.S.C. §§6501-6506; 16 CFR Part 312
DPDPA
Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), published in the Gazette of India on August 11, 2023
DSA
Regulation (EU) 2022/2065 of the European Parliament and of the Council (Digital Services Act)
KOSA
KOSA is currently PROPOSED federal legislation; not in force. If enacted, would impose duty of care + design defaults + transparency obligations on covered platforms for users under 18. Operators should track the bill but should not build to KOSA compliance until it passes; multiple substantive amendments expected before final form.
Kids Online Safety Act (KOSA) — S.1409 (118th Congress, died); reintroduced as S.1748 (119th Congress); PROPOSED, NOT ENACTED. Multiple House versions advanced through subcommittee December 2025; no chamber has passed a unified bill as of mid-2026.
PIPA
Personal Information Protection Act (Act No. 10465, enacted March 29, 2011; last wholly amended by Act No. 19234, effective September 15, 2023)
UK AADC
Standard 3 — age-appropriate application.
Data Protection Act 2018, s.123; Age Appropriate Design: A Code of Practice for Online Services (ICO, 2020)
UK OSA
Online Safety Act 2023 (c.50)
California SB 243
Establishes whether a user is known to be a minor, which gates SB 243's recurring break/AI reminders and the sexually-explicit-content guardrail.
California SB 243 (2025), Companion Chatbots
Source →
California SB 976
Establishes whether a user is a minor, which gates SB 976's addictive-feed and notification restrictions.
California SB 976 (2024), Protecting Our Kids from Social Media Addiction Act
Source →
China Game Approval (Banhao)
China's minors-protection requirements tied to game approval include real-name and age verification gating minors' play time and spending.
Administrative Measures for the Administration of Online Publishing Services (NPPA and MIIT Order No. 5, effective March 10, 2016); NPPA notices governing online game publication approval (game publication number / banhao)

Fulfilled by (6)

yoti · full · medium effort · $$
persona · partial · medium effort · $$
jumio · partial · high effort · $$$
In-house build · medium effort
superawesome · full · medium effort · $$
COPPA-certified parental-verification flow + SDK.
privo · full · medium effort · $$
FTC-approved COPPA safe harbor with age-verification.

Magist does not accept payment from vendors. Methodology.

Evidence formats

age-gate flow
verification-event log
method-tier policy

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Description

Required by (13 regulations)

CA AADC

Cal. Civ. Code §§1798.99.28-1798.99.40 (AB 2273, 2022)

CCPA/CPRA

Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102

Minors Online Protection

Regulations on the Protection of Minors in Cyberspace (promulgated by the State Council, Order No. 766, effective January 1, 2024)

COPPA

§ 312.5 — verifiable parental consent + age screening.

15 U.S.C. §§6501-6506; 16 CFR Part 312

DPDPA

Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), published in the Gazette of India on August 11, 2023

DSA

Regulation (EU) 2022/2065 of the European Parliament and of the Council (Digital Services Act)

KOSA

KOSA is currently PROPOSED federal legislation; not in force. If enacted, would impose duty of care + design defaults + transparency obligations on covered platforms for users under 18. Operators should track the bill but should not build to KOSA compliance until it passes; multiple substantive amendments expected before final form.

Kids Online Safety Act (KOSA) — S.1409 (118th Congress, died); reintroduced as S.1748 (119th Congress); PROPOSED, NOT ENACTED. Multiple House versions advanced through subcommittee December 2025; no chamber has passed a unified bill as of mid-2026.

PIPA

Personal Information Protection Act (Act No. 10465, enacted March 29, 2011; last wholly amended by Act No. 19234, effective September 15, 2023)

UK AADC

Standard 3 — age-appropriate application.

Data Protection Act 2018, s.123; Age Appropriate Design: A Code of Practice for Online Services (ICO, 2020)

UK OSA

Online Safety Act 2023 (c.50)

California SB 243

Establishes whether a user is known to be a minor, which gates SB 243's recurring break/AI reminders and the sexually-explicit-content guardrail.

California SB 243 (2025), Companion Chatbots

Source →

California SB 976

Establishes whether a user is a minor, which gates SB 976's addictive-feed and notification restrictions.

California SB 976 (2024), Protecting Our Kids from Social Media Addiction Act

Source →

China Game Approval (Banhao)

China's minors-protection requirements tied to game approval include real-name and age verification gating minors' play time and spending.

Administrative Measures for the Administration of Online Publishing Services (NPPA and MIIT Order No. 5, effective March 10, 2016); NPPA notices governing online game publication approval (game publication number / banhao)

Fulfilled by (6)

yoti · full · medium effort · $$

persona · partial · medium effort · $$

jumio · partial · high effort · $$$

In-house build · medium effort

superawesome · full · medium effort · $$

COPPA-certified parental-verification flow + SDK.

privo · full · medium effort · $$

FTC-approved COPPA safe harbor with age-verification.

Magist does not accept payment from vendors. Methodology.