The SDPA and the CNMC, among other institutions, launch a series of coordinated actions related to the age verification of minors online, aimed at reinforcing their protection and preventing their access to harmful content.

As in the rest of the European Union, the protection of minors online is one of the main areas of concern of Spanish authorities such as the Spanish Data Protection Agency (“SDPA“), the National Commission for Markets and Competition (“CNMC“) and the consumer authorities. At the same time, it is a matter of growing interest for a large part of society in general.

Recently, regulations have been passed which seek to strengthen the protection of minors in digital environments and to prevent their access to potentially harmful content, such as violent or adult content. For example, Regulation (EU) 2022/2065 (“DSA“) establishes the need to implement measures to protect the privacy and security of minors, while Law 13/2022, of July 7, General of Audiovisual Communication (“LGCA“) imposes age verification obligations on video sharing platforms (“VSP“).

Besides these regulations, other initiatives have also been launched, such as the Family Digital Plan or the Proposal for a State Treaty to protect minors on the Internet and social networks. The Family Digital Plan has been promoted by the Spanish Pediatrics Agency with the support of the SDPA and seeks to raise awareness among families about children’s use of technology. For its part, the Proposal for a State Treaty to protect minors on the Internet and social networks has been put forward by civil society, as well as being supported by the SDPA and the State Attorney General’s Office. It proposes some general measures to raise awareness and educate society and other more specific requirements for the design of digital products or algorithms. Its promoters hope that it will end up being approved as a state treaty by the Parliament.

In this context, on December 14th, 2023 the SDPA and the CNMC presented several coordinated actions about the age verification of minors on the Internet, with its ultimate goal being to prevent children and young people from being exposed to potentially harmful content, such as violence, harassment, adult content or viral challenges which could be potentially harmful to their health. The following is a brief description of each of these actions.

The SDPA published a proposal for an age verification system and 10 principles on age verification and the protection of minors from inappropriate content.

The SDPA has stated that the age verification systems commonly used today are insufficient and present risks such as the location of minors, the lack of certainty about the declared age, the potential compromise of identity, or the use of unnecessary information. Instead, it proposes a system hosted on the user’s device that does not allow digital platforms and websites to access information related to the person’s identity and age, while preserving anonymity online.

This system proposed by the SDPA is based on 10 principles that seek to establish a balance between the effectiveness and suitability of the measures to protect minors and the guarantee of the rights and freedoms affected, such as the need to preserve anonymity or the technological impact that it entails for digital platforms and websites. The SDPA has developed some proofs of concept in different digital environments to demonstrate how the system works in practice, as well as compliance with the aforementioned principles in different contexts.

In brief, the principles cover different issues such as being impossible to identify, track, or trace minors online; the fact that it should not be necessary to prove whether or not a person is a minor, but simply that he or she is authorized to access the website; anonymity on the Internet; the need for the system to allow effective age verification; the need for the system to prevent profiling and linking of the same user between different services; the need for the system to allow parental control; respect of fundamental rights on the Internet; and an appropriate governance framework.

Digital platforms and websites that host or publish potentially sensitive content (violence, pornography, alcohol, tobacco, or gambling, among others) should be aware of these principles.

However, in practice, the system proposed by the SDPA is not mandatory. On the one hand, the exposure of minors to harmful content does not fall within the SDPA’s scope of supervision and, on the other, data protection regulations do not provide for explicit obligations to implement age verification systems (except indirectly for the verification of consents granted by minors). Nevertheless, it does reflect the intention of the data protection regulator to exercise greater control over the protection of minors in general and age verification systems in particular, especially over the data processing practices related to them.

CNMC public consultation on age verification systems in video sharing services through platforms on content harmful to minors

At the same time, the CNMC published a public consultation aimed at gathering the opinion of relevant stakeholders on various issues related to the age verification systems that VSPs must implement to protect minors from exposure to harmful content. In this case, the LGCA does impose an explicit obligation in this regard in its articles 88.1 e) and 91.1, applicable only to VSP.

The scope of the consultation refers to issues such as its applicability to advertising content, the minimum and essential elements that age verification systems should include, the adequacy of the systems currently in use and the entities that could perform the verification or their operation. The public consultation takes the form of a series of questions on these areas and will be open until January 31st, 2024.

Regarding its practical impact, it should be noted that the CNMC recognizes that only VSPs established in Spain (which shall register in the new national register governed by Royal Decree 11/382023, of 19 December) are subject to its supervision, according to the country of origin principle provided for in Directives 2010/13/EU and 2000/31/EC. Therefore, the criteria that will be defined should not directly affect the vast majority of VSPs established in other EU Member States (at present, only one VSP is listed in the European MAVISE register as established in Spain). However, this public consultation may also have an indirect impact on VSPs established in other EU Member States, insofar as the criteria to be defined for Spain may influence the interpretation that other European regulators make of Directive 2010/13/EU and the criteria they end up adopting on this same issue of age verification systems.

You can view the Spanish version of this post here.


José María Méndez es socio responsable del área de Propiedad Intelectual y Tecnologías de la Información y Comunicaciones de Baker & McKenzie Madrid. Anteriormente, fue socio del área de Propiedad Intelectual en un despacho internacional, así como secretario general adjunto de Sogecable y director de la asesoría jurídica del área de cinematografía y televisión. Participa con frecuencia en actividades sin ánimo de lucro de organizaciones como Caritas Diocesanas y Aldeas Infantiles. Asimismo, imparte clases en el Máster de Propiedad Intelectual de la Universidad Carlos III.


Patricia Perez joined the Information Technology & Communications Department of Baker & McKenzie in Madrid in 2013. Her prior experience includes working at national law firms in the Corporate and Intellectual Property and Information Technology departments.