Principles, levels and implementation
AgeVerif implements an age verification system designed to provide a high level of reliability, while ensuring maximum protection of user privacy. Our approach is based on four core principles.
AgeVerif is not directly subject to the Digital Services Act (DSA) but helps platforms meet their obligations by applying principles aligned with the protection of minors, proportionality and data minimisation.
AgeVerif is thus aligned with:
AgeVerif uses a proof-of-age system that ensures:
Although several international standards are still under development or in the process of being harmonised, AgeVerif applies the common principles recognised in the European and international frameworks relating to age assurance:
AgeVerif:
As a website operator, it is your responsibility to ensure that the age verification system put in place is appropriate, proportionate and complies with the legal and regulatory obligations applicable in the countries where your service is accessible.
AgeVerif provides operators with a technical and methodological framework designed to meet commonly recognized requirements in terms of the protection of minors, the reliability of verification mechanisms and respect for privacy.
This framework allows you to demonstrate that the deployed system meets an appropriate level of age assurance, based on the nature of the content offered and the associated risk.
However, the final compliance of the system is the responsibility of the site operator, in particular with regard to:
AgeVerif supports this approach by offering the possibility of selecting different age assurance methods, in order to build a solution adapted to your legal obligations and your audience.
In a logic of continuous improvement, AgeVerif remains open to remarks, feedback and proposals from operators and authorities. Our solutions are designed to be scalable and adaptable, in order to take into account regulatory changes, industry best practices and specific requirements that may emerge at national or international level.
AgeVerif's verification and age estimation methods have varying levels of accuracy.
In order to avoid false positives (minors incorrectly identified as adults) and in accordance with European regulations, AgeVerif applies an error margin (buffer) depending on the method used.
This margin raises the effective technical threshold, without changing the legal age of access and varies according to the methods used and the geographical location of the user.
Under laws protecting minors from pornographic content online, the minimum age threshold (usually set at 18 years) defines the legal age of access. With age estimation methods (AI, selfie), variations in accuracy require the addition of a technical margin of error, to ensure that no minors are allowed in error.
This buffer is not a new legal age, but a compensatory operational threshold to avoid false positives with the least accurate methods.
| Technical effective threshold by method | ||||||
|---|---|---|---|---|---|---|
| France | Italy | Germany | United Kingdom | United States | Other countries | |
| Selfie | 23 | N/A | 25 | 25 | 25 | 23 |
| Credit card | N/A | 18 | 18 | 18 | 18 | 18 |
| Ticket | 18 | N/A | N/A | N/A | N/A | N/A |
| 23 | N/A | 25 | 25 | 25 | 23 | |
| AnonymAGE | 18 | 18 | 18 | 18 | 18 | 18 |
| Pleenk | 23 | N/A | 25 | 25 | 25 | 23 |
| AgeGO | 21 | 21 | 21 | 21 | 21 | 21 |
| AgeKey | 23 | 23 | 25 | 25 | 23 | 23 |
| PayPal | 18 | 18 | 18 | 18 | 18 | 18 |
| (N/A indicates that the method is not available.) | ||||||
Determines the validity period of the proof of age token issued by AgeVerif.
Upon successful age verification, AgeVerif issues the user with a reusable proof of age token, valid for a maximum period of one (1) year.
Upon expiry of this period, the proof of age token becomes invalid, and the user must proceed with a new age verification in order to obtain a new token.
This duration does not imply continuous uncontrolled access, as the reuse of the token remains subject to the session, authentication, and validity verification mechanisms described in the following sections.
This period of validity reflects current market practices in relation to age assurance and may be adjusted in line with changes in the legislative and regulatory framework or recommendations from the competent authorities.
Determines the session duration of using a proof of age issued by AgeVerif.
To date, only France (Arcom) and Italy (Agcom) have specific regulations on the validity
period of an age verification session.
In Germany, the regulation, which is based on the authorities for the protection of minors
(BzKJ, KJM), does not define the duration of the session.
In the other countries of the European Union, no regulations or recommendations have been
published and no jurisdiction imposes a duration of sessions.
In the United Kingdom, no session duration is mentioned in the regulatory texts published
by Ofcom.
In the United States, there is no federal law or state law that imposes a maximum time
limit for an age verification session to be valid.
The challenge of these measures is to ensure that, even after a successful verification, access does not remain open indefinitely. This is particularly relevant when the consultation terminal is potentially shared between an adult and a minor.
To ensure protection, the session must be valid for a limited period to prevent regulated content from being viewed without the need for re-verification.
| Status of regulations to date | ||
|---|---|---|
| Status | Duration | |
| France | Mandatory (Arcom) | 60 minutes |
| Italy | Mandatory (Agcom) | 45 minutes |
| Germany | No legal duration | - |
| United Kingdom | No legal duration | - |
| Other EU countries | No legal duration | - |
| United States | No legal duration | - |
| Other countries | No legal duration | - |
Where there is no defined session duration, regulators generally consider it the responsibility of the age verification service provider to determine the frequency of verifications in accordance with the principle of proportionality.
By default, AgeVerif assumes that certain types of devices, such as desktops, laptops, tablets, and connected TVs, can be shared among multiple users, including minors. For these devices, AgeVerif applies strict session durations, in accordance with applicable national recommendations or obligations.
Personal mobile phones, protected by authentication mechanisms at the operating system level (PIN, biometrics, auto-locking), are considered to present a reduced risk of unauthorized sharing.
In the absence of a specific regulatory requirement, AgeVerif can apply a longer session duration on mobile phones, while retaining the possibility of immediate expiration in the event of a context change or detected risk.
| Session duration applied by country and device | |||
|---|---|---|---|
| Mobile Phone | Other Devices | Status | |
| France | 60 minutes | 60 minutes | Mandatory (Arcom) |
| Italy | 45 minutes | 45 minutes | Mandatory (Agcom) |
| Germany | 30 days | 60 minutes | No legal duration |
| United Kingdom | 30 days | 60 minutes | No legal duration |
| Other EU countries | 30 days | 60 minutes | No legal duration |
| United States | 30 days | 60 minutes | No legal duration |
| Other countries | 30 days | 60 minutes | No legal duration |
During the session, AgeVerif checks:
Important note: these checks are not intended to identify the person, but only to verify the technical legitimacy of the use of proof of age.
AgeVerif can be integrated by website operators using standard protocols, including OAuth 2.0, which give the operator complete control over the management of application sessions and the use of the issued tokens.
In this context, AgeVerif:
However, it is the responsibility of the website operator to:
AgeVerif does not control the final configuration of the application sessions of the operator site, nor the effective use of the tokens beyond the technical parameters it delivers.
Accordingly, the responsibility for the operational compliance of the integration lies with the website operator.
The sole purpose of authentication is to ensure that the user
legitimately has the proof of age assigned to their device or account, and to
prevent fraudulent use of this proof.
It does not in any way identify the user.
AgeVerif Account
Passkey
In accordance with the applicable regulatory frameworks for the protection of minors, in jurisdictions where this requirement is explicitly provided, authentication and the associated session are strictly limited to the website for which age verification has been carried out.
In these cases, during the duration of an active session, if a user accesses another website protected by AgeVerif, a new strong authentication is required. The user cannot benefit from the session initiated on a different site, even if it is still valid.
When the inter-site limitation is applied, this measure aims in particular to:
In jurisdictions where there is no specific regulatory requirement to limit the session to the originating site only, AgeVerif may, by design choice, allow the reuse of an active session between multiple sites protected by AgeVerif.
This reuse is based on explicit authorisation from the user, materialised by a voluntary action, and does not constitute a new age verification or strong authentication in the strict sense, but a validation of the legitimacy and use of the existing proof of age in a new context.
This approach aims to reconcile:
| Jurisdictions with a session limit on the verified site | |||
|---|---|---|---|
| Explicitly required cross-site limitation | Source / Regulation | Comment | |
| France | Yes | Arcom - Technical reference framework on age verification | The check and session must cease at the end of the service consulted; Inter-site pooling is not permitted. |
| Italy | Yes | Agcom - Delibera n. 96/25/CONS, Allegato A | Verification is strictly related to the service consulted; No inter-site reuse is planned. |
| Germany | No | BzKJ, KJM - Jugendmedienschutz | Requirement for efficiency and no circumvention, with no explicit rule on cross-site scope. |
| United Kingdom | No | Ofcom - Online Safety Act (guidelines) | No explicit obligation; Overall efficiency is required, with no formalised rules on pooling. |
| Other EU countries | No (to date) | DSA framework + national regulations | No formalized requirements comparable to Arcom / Agcom known at this stage. |
| United States | No | Federal and state laws (COPPA, state age verification laws) | No notion of session or mutualization defined; Obligation of result, no technical parameters. |
| Other countries | No (to date) | Existing national frameworks / lack of a harmonised reference framework | To date, no explicit and widespread requirement imposing cross-site session limitation has been identified outside of the jurisdictions mentioned above. |
This table reflects the status of the regulatory frameworks known as of the date of publication of this document and is subject to change.
To date, only some national authorities have explicitly formalised the requirement that an age verification and the associated session must be strictly limited to the website for which the verification was carried out.
In the absence of such an explicit requirement in other jurisdictions, the cross-site scope of sessions may be implemented subject to:
This document describes the current state of the practices, principles and technical choices implemented by AgeVerif in the field of age assurance and verification, based on the regulatory frameworks, recommendations and guidelines known and available at the date of publication.
These elements are likely to change according to:
AgeVerif does not claim to replace the regulatory authorities or to establish an autonomous normative reference system. With this in mind, regulators and competent authorities are expressly invited to contact us if they consider that certain interpretations, implementations or guidance presented in this document would not be in line with the applicable guidelines or would merit clarification.
In a logic of cooperation and continuous improvement, AgeVerif also remains open to any remarks, proposals or feedback made by:
This approach aims to ensure that the solutions offered by AgeVerif remain suitable, proportionate and aligned with regulatory requirements and industry best practices.