The Entertainment Software Rating Board (ESRB), which assigns age ratings to video games, has asked the US Federal Trade Commission (FTC) to greenlight a new age-estimating method. According to the organization, it should avoid the collection of any personal data.

ESRB asks FTC to approve Yoti's estimation tool to verify age of players' parents under COPPA law

Image: Yoti Age Estimation White Paper

What happened?

As reported by Bloomberg Law, the ESRB joined forces with two companies, Yoti and SuperAwesome, to apply for FTC approval of a new verifiable parental consent method called “Privacy-Protective Facial Age Estimation.”

  • Yoti is a developer of a facial age estimation tool that helps companies know that a user is the right age without collecting their personal data like name and birthdate.
  • SuperAwesome is an Epic Games-owned service that operates its own ad platform and provides tools for parental consent management.

According to the application filed last month, the method is designed to comply with the Children’s Online Privacy Protection Act (COPPA), a federal law aimed at regulating the collection of personal data from kids under 13 years old. Among other things, it requires US-based companies operating various online services to obtain verifiable parental consent before collecting and using children’s personal information.

So the ESRB wants the FTC to greenlight the use of Yoti’s age-estimating tool to verify parents’ ages under the COPPA law and avoid collecting children’s data.

However, the FTC is now seeking public comment on the technology from the companies. The Commission has several concerns, including whether the “proposed method poses a privacy risk to consumers’ personal information, including their biometric information.”

The ESRB, Yoti, and SuperAwesome have until August 21 to address the concerns.

How does Yoti’s age-estimating tool work?

In its application, the ESRB noted that verifiable parental consent would work as follows:

  • Child visits an online service and is hit with an age verification system;
  • Service operator collects a parent’s email address from the child and sends direct notice to them;
  • Parent, informed of the requirement to verify they’re an adult, can select the Privacy-Protective Facial Age Estimation method;
  • Following the age estimation, a collected image is deleted and an operator uses the results to confirm whether the parent is of the appropriate age;
  • If the age estimation fails, the parent can choose an alternative verification method that uses personal information or contact the operator’s customer support.

The system should only work with adults 25 years of age or older.

According to Yoti, its age verification system uses a “combination of AI technology, liveness anti-spoofing and document authenticity checks.” The system can’t identify people or collect any additional information about them.

The company’s trained model is designed to analyze pixels and learn patterns in images based on the existing database. More information and details can be found in Yoti’s latest white paper.

How is facial age estimation different from facial recognition?

The International Association of Privacy Professionals (IAPP) recently outlined the main difference between the methods:

  • Facial recognition looks for unique geometric measures of the face (distance and relationship between facial features) and attempts to match them to an existing set of measurements from a database, along with unique information to identify a person;
  • Facial age estimation converts a live facial image into numbers and compares them to patterns in its training dataset that are associated with known ages, so the goal is not to identify a person, but estimate their age.

The age estimation method is also not perfect and raises certain privacy concerns. As explained by the IAPP, if kids can’t pass through a verifiable parental consent flow because they, say, are banned from playing a game by an age verification system, they “may end up lying about their age or accessing less privacy protective services.”

According to the Association, unsafe mechanisms include photo ID and payment cards because they can collect a person’s address, birthdate, unique ID number, and other sensitive data.

The IAPP noted that lawmakers and privacy regulators should “focus on creating effective, implementable, and equitable VPC and age-assurance mechanisms” to protect children in video games and other online spaces.
