Some of the views on age estimation expressed by a UK regulator do not apply to Yoti’s facial age estimation solution, according to a response from the company in a blog post.
The problem is compliance with UK GDPR regulations, which classify biometric data as âspecial category dataâ and establish strict controls over its use, especially when collected from children.
Yoti says its technology “does not create or use biometric facial geometry,” referring readers to a company-produced white paper on how age estimation can be done in ways that maintain anonymity from subject. The algorithm does not identify the user in initial or subsequent submissions, nor does it recognize when an image is submitted by someone who has already gone through the process, according to the post.
This means that Yoti’s age estimate does not involve special category data, in the opinion of the company, and that of the outside lawyers from whom the company sought advice.
An explanatory video produced by Be in Touch of South Africa details the process used by Yoti’s technology and the difference between facial analysis and facial recognition. The same difference also applies to 1: 1 matches, as in biometric facial authentication.
Yoti also posted a blog post earlier this month claiming that its sophisticated age estimation methods provide a better method of protecting anonymity than the ID document and biometric selfie checks often used for online checks.
ICO Opinion Paper
The UK Information Commissioner’s Office (ICO) released an opinion paper on ‘Age Assurance for Childhood Code’, which states that the age estimate “May” be based on biometric data. The ICO later clarifies that age estimation can use biometric data to uniquely identify an individual, in which case it counts as special category data. The Children’s Code, also known as the Age-Appropriate Design Code, provides a statutory code of practice for online service providers who may be consulted by children.
The ICO also states that the privacy protections of biometric-based age estimation could be improved through rigorous data minimization and goal limiting techniques.
Biometrics could still be allowed for age estimation under the ‘substantial public interest’ clause of Article 9 UK GDPR, as long as the conditions for the ‘protection of children’ in section 10 are met.
Yoti “cautiously welcomes the opinion,” but complains that it “doesn’t make it clear when age estimation uses biometrics” or when it doesn’t. According to the biometrics and age estimation provider, the ICO missed an opportunity to clarify that the processed data is only special category data if it is collected for the purpose of identifying someone.
The company particularly objects to a statement in Annex 2 of the ICO document, which generalizes the accuracy of all age estimation technologies, saying that “there is little evidence of the effectiveness and precision of these emerging approaches â.
The ICO guidelines conclude that age estimation technology is an important tool for mitigating online risk, and has issued a call for contributions as it works with OFCOM and other government agencies to work on a cohesive set of regulations and best practices to protect children online.
age verification | IA | biometric data | biometrics | children | data protection | digital identity | facial analysis | confidentiality | regulation | Yoti