Use this checklist to gauge whether your platform is ready for age verification and age assurance compliance. Adjust for your jurisdiction and risk level.
Scope and obligation
Have you confirmed whether your service is in scope for the UK Online Safety Act, EU DSA, Australian codes, or US state laws? Do you know which content or features trigger age checks (e.g. harmful content, adult content, social features)?
Method
Do you use a method regulators consider "highly effective" (e.g. photo ID + liveness, facial age estimation, Open Banking, or accredited digital identity), rather than self-declaration or unverified payment alone?
Privacy and data minimisation
Do you avoid storing ID documents and face images? Do you retain only what is strictly necessary (e.g. verification outcome and audit ID)? Is your lawful basis for processing (and, if applicable, for biometric data) documented and justified under GDPR/UK GDPR?
Returning users
Do you support a lighter-touch reverification (e.g. face-only or token) for returning users instead of repeated full ID uploads? Can you still produce an audit trail for each verification?
Audit and evidence
Can you demonstrate to a regulator or auditor that verification took place (e.g. via Audit IDs or receipts) without disclosing unnecessary user data? Do you have a clear retention policy for audit data?
Cross-border obligations
If you operate in multiple jurisdictions, have you mapped obligations per region and confirmed that your solution can meet or adapt to each (e.g. different age thresholds, different accepted methods)?
Closing gaps and picking a partner
If you can answer yes to these, you are in a strong position. If not, prioritise the gaps, especially scope, method, and data minimisation, and consider a privacy-first age verification partner that provides tokens and audit trails without storing documents or faces.
Track your progress
0 of 6 items completed. Your progress is saved in this browser.
