Many AdTech companies state that they do not target advertising to children. Typically, this is accurate and reflects genuine effort by teams trying to do the right thing, but as advertising ecosystems grow more complex, those assurances often rest on assumptions about how user age is identified, inferred, or excluded across multiple systems and partners.

Regulatory attention is increasingly focused not only on intent, but on how audience-related decisions are governed in practice. As a result, age-related data handling is emerging as a meaningful and often under-examined source of privacy risk.

How Age Is Determined in Modern AdTech

In today’s AdTech environments, age is rarely verified directly. Instead, it is typically derived from a mix of signals, such as:

• Self-declared information provided by users
• Age segments supplied by platforms or publishers
• Inferred age based on browsing behavior, content interaction, or device signals
• Probabilistic or lookalike models built from historical datasets

Each of these methods introduces some degree of uncertainty, but when age signals are layered across platforms, vendors, and intermediaries, it can become difficult to clearly understand how age-based decisions are ultimately made or validated. Despite this complexity, many organizations lack formal documentation or clear ownership over how age signals are sourced, combined, and relied upon across their advertising operations.

At the same time, regulators and policymakers are increasingly engaging with the mechanics of age assurance in more concrete terms. Recent regulatory discussions and workshops have focused on the practical realities of age verification and age estimation tools, including their limitations, accuracy, and privacy trade-offs. This signals a growing expectation that organizations understand not just whether age signals exist, but how they function in practice.

Age-related privacy risk in AdTech rarely stems from a single decision or system. More often, it develops quietly through gaps in governance, including:

• Reliance on upstream partners without sufficient oversight
• Assumptions that platform-provided segments fully exclude minors
• Inference models trained on datasets that may include youth data
• Unclear internal ownership of age-related risk decisions
• Limited processes for reviewing or challenging inherited assumptions

In mixed-audience environments, these gaps can result in children’s data being processed unintentionally, even where policies prohibit such activity. These risks are further compounded by a rapidly evolving regulatory landscape because, in the absence of a single, comprehensive federal framework governing age assurance, several states have begun proposing or enacting requirements that rely on age verification or estimation mechanisms for certain online services. For AdTech companies operating at scale, this patchwork of expectations increases the importance of understanding how age-related decisions are made and defended across jurisdictions.

Why Intent Alone Is No Longer Enough

You don’t need to overhaul eStudent data is unique in both scope and longevity. It is collected early in life, often retained for extended periods, and commonly shared Statements that an organization does not knowingly target children may no longer be sufficient if underlying systems cannot reliably support that claim, as regulators increasingly examine outcomes and controls, not just stated intent.

From a privacy standpoint, inference itself can constitute processing, but where age is derived indirectly, organizations may still be responsible for ensuring that appropriate safeguards, oversight, and governance mechanisms are in place.

Importantly, regulatory discussions on age assurance also highlight a tension that organizations leveraging AdTech tools or features must navigate, such as poorly designed age verification mechanisms that can introduce new privacy risks by collecting more personal data than necessary. This places additional pressure on organizations to balance effectiveness with proportionality when evaluating age-related tools and signals.

This shift places greater emphasis on an organization’s ability to explain and defend how age-related decisions are made across complex advertising ecosystems.

Governance Questions for AdTech Teams

To better understand and manage age-related privacy risk, AdTech teams may find it helpful to ask questions such as:

• How is age information sourced and combined across our ecosystem?
• What happens when age signals conflict or are incomplete?
• Who is responsible for reviewing and approving age-based assumptions?
• How are vendors evaluated for potential exposure to children’s data?
• Do internal controls align with public statements about audience targeting?

These questions are not about achieving perfect age verification. Instead, they support more intentional, defensible governance.

Moving Toward Defensible Age Assurance

As expectations around children’s data and age-related processing continue to sharpen, organizations leveraging AdTech tools are facing greater pressure to explain, in practical, operational terms, how age signals are sourced, assessed, and governed across increasingly complex ecosystems. Many organizations benefit from taking a structured approach to reviewing age-assurance assumptions, vendor dependencies, and related governance practices to strengthen defensibility and reduce privacy risk as regulatory and business expectations continue to evolve.

If you’d like to discuss privacy — or have questions about this post or your organization’s privacy practices — contact tiffany.soomdat@tueoris.com

— Tiffany A. Soomdat, MSL, CIPP/US • Senior Consultant @ Tueoris LLC