Age checks are not simply a regulatory box to tick. They are a key point in digital journeys, where trust can be built or broken.
In this episode of Regulated Digital, Emily Hyett, Group Product Manager at Yoti, joins us to talk about digital identity in practice, and what "good" looks like when age assurance meets real user behaviour.
In regulated services, digital identity usually means proving the right attribute at the right moment, not handing over a full identity record on every interaction - especially when age assurance sits in a live customer journey.
Why Digital Identity Gets Misunderstood
A misconception comes up repeatedly when digital identity is debated in public.
People often picture a single central database that stores everyone's biometric data and personal details.
"When people think of digital identity, they think of a big central database with their facial images and personal information."
The reality is usually more specific and more modular than that mental model.
In many implementations, a user is proving one attribute in one moment, rather than handing over an entire identity record.
That difference matters because fear grows in the gaps where the journey does not explain what is happening.
If the customer thinks you are collecting "everything," they will hesitate, abandon, or look for a workaround.
If the customer understands you are asking for "just enough," the check can feel proportionate and predictable.
One practical point regulated teams sometimes miss: identity is not one thing, and digital identity is not one product category.
It can mean a reusable wallet, a one-off document check, a government login, or a certified service operating under a trust framework.
In the UK, that direction of travel is reflected in the government's work on the service register, which lets organisations and the public check which digital identity services have been independently certified.
What Age Assurance Really Means In Practice
Age assurance works as a spectrum, not a single method.
Organisations often choose different approaches depending on risk, context, and user expectations.
That might include age verification using stronger evidence, or age estimation to answer a simpler question like "is this person likely over 18."
Age Assurance Is A Journey, Not A Gate
Ofcom's guidance on "highly effective" age assurance is explicit that outcomes depend on how a method is implemented, not just what method is selected.
It also makes clear that services need to think about the end-to-end age assurance process, including placement and user experience, rather than treating age checks as a bolt-on step.
Data Protection Is Part Of The Design Constraint
Customers do not separate "privacy" and "compliance" from "experience."
That lines up with how the Information Commissioner's Office talks about age assurance, which emphasises proportionality, risk assessment, and data minimisation as core expectations.
Why Real Customer Journeys Break Down
It is critical to maintain focus on real user behaviour - where do people get stuck, and why does the friction show up when it does?
The Surprise Check Problem
A familiar failure mode shows up in digital journeys.
The user completes multiple steps, invests time, and then discovers a requirement they cannot meet in the moment.
The result is frustration, distrust, and a reluctance to try again.
"We've probably all been there where you've completed a form and then, right at the end, you're asked for something you don't have."
The point is that organisations should match the check to the decision they are making, not avoid strong checks altogether.
"When regulated firms add identity or age checks to customer journeys, the failure point is rarely the technology alone. It is the moment the customer discovers what they need too late, or sees different wording on web, app, and support."
Paul Holland, Founder and CEO, Beyond Encryption (Mailock)
That principle applies when teams design attribute-level checks rather than defaulting to a full-document upload.
Make It Easy To Share Less, Not More
When a journey lets a customer share only what is needed, it reduces friction and reduces exposure.
It also creates a clearer audit story because the organisation can demonstrate that it requested only the minimum necessary attribute.
Regulation Is Driving Adoption, But Behaviour Determines Outcomes
Age assurance is often discussed as a regulatory requirement, but regulation only works when the behavioural design holds up in practice.
Online Safety Creates Real Deadlines
Ofcom has set clear expectations around how services must meet key obligations, including children's access assessments and age assurance duties for certain services.
Its guidance includes roadmaps for particular services and children's access assessments, which can help teams translate policy into operational plans.
Trust Frameworks Change Procurement Decisions
For regulated organisations, the practical move is to prepare to accept digital IDs in a way that supports choice and resilience.
That advice lands in a UK context where trust frameworks and independent certification are increasingly shaping supplier choice.
DSIT has also written about the move to public beta for the digital identity register, and why it is designed to make trusted services easier to find.
The DSIT register update is a helpful explainer for non-specialists.
What Regulated Teams Should Take From This Episode
The practical message is not "identity is coming."
It is that identity is already here, and customer experience will decide what works.
A Practical Checklist For This Quarter
Set expectations early: Tell customers what they will need before they start, and make sure the wording is plain.
Offer more than one route: Build in alternatives for people who cannot, or will not, complete a single digital method.
Design for consistency: Make sure web, app, and support channels describe the same check in the same way.
Minimise what you request: Ask for the attribute you need, not the entire identity document by default.
Use recognised standards: Treat accessibility as part of the identity design constraint, and reference standards like WCAG.
Compliance may require age assurance or other forms of identity verification.
But completion requires confidence.
Confidence is built through consistent, predictable journeys that adapt to human behaviour.
FAQs
What Is the Difference Between Age Verification and Age Estimation?
Age verification usually uses stronger evidence to confirm age, such as an identity document.
Age estimation is typically used to estimate whether someone is above or below a threshold, without collecting unnecessary personal details.
The right approach depends on risk, context, and the outcome you need to support.
How Do We Reduce Drop-Off in Age Check Journeys?
Make sure customers know what will be required before they invest time in the journey.
Use consistent language across web, app, and support channels.
Offer alternative routes for customers who cannot complete one specific method.
Do We Need to Store Identity Documents to Prove Compliance?
Many journeys only need an attribute outcome, not a retained copy of a full document.
Your retention approach should follow your risk assessment and legal obligations.
Use ICO guidance as a baseline for proportionality and data minimisation.
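As an added illustration (not code from the episode, Yoti, or any provider), here is one way an acceptance layer could keep only the attribute outcome and still give the audit story described under "Make It Easy To Share Less, Not More". The attribute name, method names, and response shapes are assumptions made up for this sketch.

```python
from datetime import datetime, timezone

REQUESTED_ATTRIBUTE = "age_over_18"  # hypothetical name for the one attribute needed

def _wallet(resp):
    # Constructed shape: a reusable wallet returning only the claims it was asked for.
    return dict(resp["claims"])

def _document_check(resp):
    # Constructed shape: a one-off document check that returns the whole record.
    claims = dict(resp["document"])
    claims[REQUESTED_ATTRIBUTE] = resp["checks"]["over_18"]
    return claims

# One adapter per accepted route; the rest of the service sees a single record shape.
ADAPTERS = {"wallet": _wallet, "document_check": _document_check}

def accept_age_check(method, resp, now=None):
    """Reduce any provider response to the attribute outcome plus an audit record."""
    if method not in ADAPTERS:
        raise ValueError(f"unsupported method: {method}")
    claims = ADAPTERS[method](resp)
    outcome = claims.get(REQUESTED_ATTRIBUTE)
    if not isinstance(outcome, bool):
        raise ValueError("provider did not return the requested attribute")
    return {
        "requested": [REQUESTED_ATTRIBUTE],
        "outcome": outcome,
        "method": method,
        "checked_at": (now or datetime.now(timezone.utc)).isoformat(),
        # Field names only, so the record shows what was dropped without keeping it.
        "discarded_fields": sorted(k for k in claims if k != REQUESTED_ATTRIBUTE),
    }

# Constructed sample responses (not real provider payloads).
WALLET_RESPONSE = {"claims": {"age_over_18": True}}
DOCUMENT_RESPONSE = {
    "document": {"full_name": "Alex Example", "date_of_birth": "1990-01-01",
                 "document_number": "X0000000"},
    "checks": {"over_18": True},
}

if __name__ == "__main__":
    for method, resp in (("wallet", WALLET_RESPONSE), ("document_check", DOCUMENT_RESPONSE)):
        print(accept_age_check(method, resp))
```

Both routes produce the same record shape, so web, app, and support can describe and log the check identically, and a non-empty discarded_fields list flags a route that returns more than the journey asked for.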
How Should We Prepare for EU Digital Identity Wallet Adoption?
Plan for interoperability so you can accept multiple credentials without repeating integrations.
Make sure your acceptance layer is consistent across channels.
The European Commission indicates wallets are set to launch by the end of 2026.
Sam Kendall works on digital marketing at Beyond Encryption, helping build B2B marketing activity around research, first principles, and sustainable growth. He writes about marketing effectiveness, positioning, customer communications, and digital culture, with longer-form work published at ATNL.