The call for effective age verification online is getting louder. But how far can you go when checking someone's age? The Spanish privacy regulator (hereinafter: AEPD) recently imposed a fine of €950,000 on age verification service YOTI. An interesting case, especially because of the question: when do you actually process biometric personal data?
From adult sites, social media and online shops to gaming platforms, more and more services need or want to verify the age of their users. The traditional method, a simple "I'm 18+" checkbox, is no longer sufficient. Legislators and regulators are demanding more robust solutions.
Services such as YOTI are responding to this. This British company offers several age verification methods: facial age estimation, verification via identity documents, verification via credit card, verification via mobile number and database checks. Sounds convenient, but the AEPD saw serious problems with the way YOTI handles personal data.
The AEPD launched an investigation into YOTI's 'Digital ID App' and found three violations under the GDPR. For the unlawful processing of biometric personal data in violation of Article 9 of the GDPR, YOTI was fined €500,000. In addition, a fine of €200,000 was imposed for obtaining invalid consent in violation of Article 7 of the GDPR. Finally, the company was fined €250,000 for exceeding retention periods in violation of Article 5 of the GDPR. In this blog, we will mainly zoom in on the most interesting violation: the processing of biometric personal data.
The GDPR defines biometric data as personal data that results from specific technical processing of physical, physiological or behavioural characteristics of a natural person and that enables or confirms the unambiguous identification of a natural person. That second condition is essential. Not every processing of a facial photo automatically results in biometric personal data. The decisive factor is not what you say you want to do, but whether your system makes identification possible.
YOTI argued that it did not process biometric personal data within the meaning of Article 9 of the GDPR. Their reasoning was that they did not use facial scans to identify persons, but only to estimate the age of the user and to check whether the identity document belongs to that user.
The AEPD did not agree with this. According to the regulator, YOTI itself acknowledges both in the registration process and in the privacy statement that the facial scan is used to verify the identification of the user. The AEPD ruled that YOTI does indeed create a biometric facial pattern with the aim of unambiguously identifying the user. This means that the personal data fall under the special categories of Article 9 of the GDPR, which are subject to a general prohibition on processing.
YOTI was unable to demonstrate that one of the exceptions in Article 9(2) of the GDPR was applicable. Moreover, the express consent that YOTI considered it had obtained was invalid because it was obtained through pre-ticked boxes.
This is where it gets interesting for practice. There is an important difference between age estimation and age verification with identification. In age estimation, a system evaluates an age based on facial features without identifying the user. If this is done anonymously and no biometric profile is stored, this may fall outside Article 9 of the GDPR. In the case of age verification with identification, on the other hand, a system creates a biometric profile to verify that the same person returns, or to make a link with an identity document. According to the AEPD, this does fall under Article 9 of the GDPR.
The problem with YOTI is that both functions are combined. When creating a YOTI account, the user must first provide their age. The app then creates a template of the biometric personal data, which is used to recognize the user upon return and to verify whether uploaded identity documents belong to the same person.
The AEPD also took into account in its decision that minors are the primary target group, as the app is intended to verify age and will therefore be widely used by young people. The AEPD also stated that YOTI acted negligently by denying that it processed special categories of personal data, while this was apparent from their own documentation.
YOTI has indicated that it will appeal this decision. The company can file an appeal with the AEPD itself within one month, or appeal directly to the Spanish Chamber of the Legal Administrative Court of the National Supreme Court within two months.
For age verification providers, it is critical to determine whether their system actually identifies the user. Key points to consider:
Does the system create a biometric profile for the purpose of identification? In that case, biometric personal data are processed within the meaning of Article 9 of the GDPR.
Find a valid exception to the prohibition of Article 9 GDPR; if consent is assumed, it must be explicit consent that meets all GDPR requirements.
In the case of minors, the guarantees are more important; the requirement of explicit consent is extra strict.
Minimize retention periods; the AEPD ruled in the YOTI case that personal data was stored for too long.
Delete biometric personal data as soon as possible, preferably immediately after completing the verification.
Ensure transparency: clearly communicate that biometric personal data is being processed and for what purpose.
The YOTI case illustrates the tension between society's desire for effective age verification and the privacy law limits to it. Facial recognition and age estimation can be powerful tools, but once a biometric profile is created for identification purposes, it enters the realm of special categories of personal data.
The message of the AEPD is clear: the fact that a socially useful service is provided does not relieve the provider of the obligation to strictly comply with the privacy rules. Certainly not when the target group consists largely of minors.
YOTI has been given six months to demonstrate that their processing complies with the GDPR. How YOTI and other providers adjust their services and what a possible appeal means for the interpretation of "biometric data" will become clear in the near future.