More than just a number: Costs and business impacts on startups of determining user age
By The Engine Policy Team
This is the second in a series of posts on the unintended consequences for startups of proposals to enhance Internet safety for young users. The first post, on the policy debate around young Internet users, is available here.
Key Takeaways:
- Outside of user self-declaration, no startup will create its own age-verification system; startups will instead rely on third-party providers. Building a reliable in-house system would require an investment comparable to what they’ve invested developing their actual product.
- Third-party verification systems cost thousands of dollars to procure and tens of thousands and several weeks to integrate.
- Constructive knowledge standards are unworkable for startups, and barriers to entry for markets with such legal exposure would be insurmountably high.
- Adding additional friction to user sign-up, like age verification, reduces user conversion and diminishes startup competitiveness.
Part one of this series laid out several laws, draft legislation, and proposed regulations that each require startups to determine the ages of the users that access their services. Determining user age (often called age assurance by standard-setting organizations) can be done to varying degrees of certainty and through a range of methods, each of which poses its own risks, costs, benefits, and drawbacks. For startups, these unique impacts can eat away at limited budgets, increase cybersecurity risks, and diminish user experience, and it is critical that startups and policymakers alike understand the implications of age verification requirements for them and the businesses they represent.
Methods for determining user age:
Self-declaration
Declaring age is the most common and most straightforward age assurance method, often done by asking a user to check a box confirming they are above a certain age or enter their birthday (to check if they are above a certain age). For startups this is straightforward, low-cost, and easy to implement, with little negative impact on user conversion. Adding another line on a form or a pop-up to enter a birthday would take an experienced developer (likely making around $75/hr) as little as an hour to implement. This method is also privacy respecting — a startup doesn’t need to know who the user is — just that they are above a certain age. Precise birth date data does not need to be maintained, because startups are often checking that a user is above a certain age, like 13, 18, or 21 — limiting cyber risks. However, asking a user their age is obviously susceptible to individuals lying about it — as some have admitted to in congressional testimony.
Government ID, credit card, or other credential verification
Asking a user to produce proof of their age — by asking them to upload an ID or enter a credit card — is more certain, but carries additional risks, costs, and drawbacks for startups and their users. In practical terms, there are implications for equal access among adults who should otherwise be able to use a service — immigrants, the poor, and others might not have an ID or credit card they could use for verification. There are also privacy risks. By providing an ID, there is no way for a user to remain anonymous, and a user is also likely to incidentally hand over other sensitive information present on many types of ID, like their home address.
Startups, especially early-stage startups, are unlikely to be household names, and these additional verification steps turn away users that don’t want to provide their ID or credit card as their first interaction with an unfamiliar service. Adding additional steps to sign-up can cut conversion rates in half — requiring a user to hand over sensitive information would accelerate that decline. Startups need to grow in order to continue receiving investment, and age verification poses a clear headwind.
Moreover, startups don’t want to encounter or hold the information in the first place because it makes them a more lucrative hacking target. Often, they can delete it after, but that can take a few days, or over a month under some proposals. Requiring operators to prove to a regulator they know a given user’s age — not just maintaining the signal — would require maintaining the information. Suffering a data breach would likely doom an early-stage startup. The per-record cost of a data breach in 2023 was $165. Presuming an early-stage startup has 20,000 users, a breach could cost $3.3 million, more than their entire seed round in most parts of the country. The costs for downtime and reputational impacts would additionally be near impossible to overcome, which is why most shut down following breaches.
There are a few different ‘levels’ of age verification using a credential like government ID. In the least intensive, the Internet service is primarily concerned with the date of birth, and whether or not it is beyond a certain cutoff. Others will additionally run the image of the ID against an authoritative source to confirm its authenticity. Still others do facial matching where the user takes a selfie in addition to a photo of the ID, and artificial intelligence decides if they’re a match.
To build a product like this in-house, one estimate puts basic costs in the $25,000–50,000 range, just to build a minimum viable product. Data, training and testing costs to ensure accuracy, and once reliable, integration and maintenance costs would all meaningfully increase that number into the hundreds of thousands or millions. Those figures are on par with what startups spend building their product — and they don’t have extra time or resources to build a second one that doesn’t lead to revenue growth.
Those factors — and some state laws’ requirements — lead startups to rely on third-party verification vendors, which still must be integrated, also negatively impact user conversion, and increase per-user costs. Generally, integration of third-party technology can be expensive for startups, costing up to $10,000, and taking several weeks. Routing to a third-party verification service might increase user trust, but still carries the time and invasion-of-privacy disincentive that may turn away users. Depending on how they are billed, these services may cost in the tens of cents to several dollars per verification, or several thousand per year. Many startups, especially early-stage startups, operate at a loss until they reach scale, so every additional cost eats into their runway, reducing the life of the company.
Age estimation or inference
Companies can use a variety of methods to infer or estimate the age of their users. These methods may be built or used by large companies, but are unworkable for startups. One method involves monitoring user actions on the service for indications they might be a minor, and checking that against the age the user declared they were at sign-up. For example, if a user is interacting with or posting a lot of ‘my little pony’ content, the service may infer that that user is a minor. This additional data collection and monitoring invokes privacy concerns and strikes many as creepy. (Including lawmakers — ironic, given laws and legislative proposals at least in part precipitate the need for additional age assurance.) Given scale, and the cost to build a system, store, and analyze additional user content to ascertain age, this method is really only practical for large companies. Still, it might be required for all companies by some past proposals containing legal standards that amount to telling companies “you should have known” a given user’s age based on their profile or actions.
Other age estimation methods include the use of a user’s individual attributes — like their face, palm, voice, or gait — to deduce their likely age using AI. No startup (outside of one aiming to provide age assurance-as-a-service) would ever develop its own age estimation systems, because the costs would be prohibitive and uneconomical. Some established age-assurance-as-a-service firms have spent over $100 million developing their platforms.
There are obvious privacy risks to sharing biometric information. Most third-party providers delete the information within short time frames (usually around one day) but it is still transferred, processed, and stored for an amount of time, making it theoretically vulnerable. Moreover, it is likely to be unclear to an end user what the data practices of a given verification provider are when they are likely to encounter many across the Internet. The same drawbacks for user conversion are present, making it unlikely any startup would use this method unless required by law.
Parental consent
The Children’s Online Privacy Protection Act (COPPA) creates requirements for services directed to children under age 13, including that those services obtain verifiable parental consent before collecting personal information of users they have actual knowledge are under 13. The law is generally understood as splitting the Internet between services directed to kids and those only available to those over age 13. Startups that offer services directed to children know about the heightened costs and legal risks that come with entering a regulated space.
Parental consent can take a few different forms in practice, many of which are outlined in the COPPA Rule. (Some services also avoid requirements to obtain parental consent through carefully designed signup flows that do not collect any personal information besides an age self-declaration in order to limit service functionality for under 13s.) Many sites obtain parental consent via email (called the “email plus” method), but this method may only be used if the personal information of the child is not shared (by the service or the user). Other methods of consent include collecting signed forms from a parent, or having the parent call a phone number or video-conference. Parents could also enter a credit card in connection with a transaction.
Each of those methods is obviously tedious — and costly — for services. Initial estimates of costs around verification amounted to $35,000 in engineering costs and $70,000–120,000 in ongoing annual costs. The 2013 update to the COPPA Rule is thought to have increased those costs even further. They’re also tedious for parents, who often just want to get their kid onto the service, even if they might appreciate the step that lets them know what their kid is doing online.
Other attestation
Some large services have recently integrated ‘social vouching,’ where other users the service already knows are above a given age can vouch for the age of the new user. Most startups don’t have a critical mass of users or aren’t big enough to need or practically use this method, though variations, like invite-only apps, could integrate this by prompting users only to invite others of a certain age. This has flaws similar to those of self-declaration.
Engine is a non-profit technology policy, research, and advocacy organization that bridges the gap between policymakers and startups. Engine works with government and a community of thousands of high-technology, growth-oriented startups across the nation to support the development of technology entrepreneurship through economic research, policy analysis, and advocacy on local and national issues.