Why Age Changes Your Consent Logic
A minor usually can't give valid consent to non-essential cookies. Under GDPR Article 8, a child below the digital age of consent (set by each member state somewhere between 13 and 16) needs a parent or guardian to authorise it. Under COPPA in the US, sites aimed at under-13s need verifiable parental consent before collecting personal information, and cookie identifiers count. The catch is obvious once you say it out loud: to apply the right rule, you first have to know whether the visitor is a child. That's what age assurance is for. It sits upstream of everything in our broader guide to children's privacy and cookie consent.
Self-Declaration Is the Weakest Link
The tick box that says "I confirm I am over 18," or the birthday dropdown, is the default because it's free. Regulators have stopped accepting it where the stakes are real. The UK's Ofcom, applying the Online Safety Act, has been blunt: self-declaration is not a highly effective age check, and neither is a payment method that doesn't confirm the user is over 18. A determined 12-year-old defeats a birthday dropdown in one click. If your audience skews young or the risk is high, self-declaration on its own won't carry the weight.
Ofcom's Four Tests for a Method
Ofcom judges an age-assurance method against four criteria: technical accuracy, robustness against circumvention, reliability, and fairness. A method has to pass all four to count as "highly effective." It's a useful yardstick even outside the UK: if a method fails any one of them, don't lean on it for a real age decision.
The Methods, Ranked by Assurance
There's a spectrum from "free and useless" to "strong but heavy." The right choice depends on your risk, not on picking the strongest option available.
| Method | Assurance | Trade-offs |
|---|---|---|
| Self-declaration (checkbox, birthday) | Low | Free, frictionless, trivially bypassed. Not accepted where risk is high |
| Device or OS signals | Low to medium | Uses platform age signals; coverage and reliability vary |
| Email-based age estimation | Medium | Infers likely age from an email's digital footprint; privacy questions |
| Facial age estimation | Medium to high | Estimates age from a selfie without storing an ID; Ofcom views it as more privacy-preserving than ID upload |
| Mobile network operator check | Medium to high | Carrier confirms an adult line; depends on the account holder |
| Credit card / hard identifier | High | Strong signal, but excludes people without one and collects more data |
| Digital ID / verified wallet | High | Can return a simple over-threshold yes/no; the direction the EU is heading |
What the Regulators Are Doing in 2025 and 2026
This area moved fast, and the direction is toward stronger methods.
- United States, COPPA. The FTC's amended COPPA Rule is effective 23 June 2025, with most obligations due for compliance by 22 April 2026. It adds biometric identifiers to protected data, requires separate parental consent before disclosing a child's data for purposes that aren't integral to the service (which is exactly what behavioural ad cookies do), and mandates a written data retention policy.
- United Kingdom. Ofcom's "highly effective age assurance" duties took hold from 25 July 2025 under the Online Safety Act, pushing services toward the methods above and away from self-declaration.
- European Union. On 14 July 2025 the Commission released an age-verification "mini-wallet" blueprint, an open-source app that proves someone is over 18 without revealing anything else. Denmark, France, Greece, Italy, and Spain are piloting it, and it's built on the same specs as the coming EU Digital Identity Wallet.
- California. The Age-Appropriate Design Code has been in court, but in March 2026 the Ninth Circuit vacated the injunction against its age-estimation requirement while leaving other parts blocked. The design-code approach is far from finished.
Don't Solve One Privacy Problem by Creating Another
Verifying age can itself become a data-protection risk: check IDs carelessly and you're now storing passports and biometric scans on children and adults alike. Data minimisation still applies (GDPR Article 5(1)(c)). Prefer methods that return a simple over-threshold yes or no over ones that make you retain an identity document. The strongest method on paper is the wrong choice if it means hoarding sensitive data you don't need.
Tying Age to Cookie Behaviour
Age assurance only matters if it changes what you do. Once you have an age signal, wire it into the banner: if the visitor is, or might be, under the applicable age, default to essential cookies only, suppress analytics and advertising tags, or gate them behind verified parental consent. Log the age signal alongside the resulting consent state, so you can show later that a child wasn't served ad cookies. This is a segmentation decision, the same machinery that drives region-based banners can drive age-based behaviour.
Age assurance and consent checklist
Decide whether children are a realistic part of your audience
If yes, self-declaration alone is unlikely to be enough.
Match the method's strength to the risk
A low-risk site may accept a light check; adult-only content needs a highly effective one.
Prefer over-threshold answers to stored identity documents
Minimise what you collect to make the age decision.
Default under-age or unknown users to essential cookies only
Suppress analytics and ad tags until age or parental consent is confirmed.
Log the age signal with the consent outcome
So you can demonstrate a child wasn't tracked.
Re-check the rules for each market you serve
COPPA, GDPR Article 8 thresholds, and UK duties differ by jurisdiction.
Serve the Right Flow to the Right Visitor
The practical work is making the banner behave differently for different people. CookieBeam's segmentation lets you serve an essential-only or parental-consent flow to a defined audience instead of showing everyone the same prompt, and the consent logs record which flow ran and what the visitor chose. Age assurance decides who's a child; your consent configuration decides what that means for the cookies they get. Start from the wider picture in children's privacy and cookie consent.