The ESRB recently submitted a request to the FTC for approval of a "verifiable parental consent mechanism" called privacy face age presumption. Literally like inviting Big Brother into your home, it didn't seem like a very good idea to me and many others, but in a statement sent to PC Gamer, the ESRB said the system is not really about facial recognition, but "advanced privacy protection."

The filing, filed jointly by the ESRB, digital ID company Yoti, and "youth digital media" company Superawesome, was made on June 2, but only recently became clear thanks to the FTC's request for public comment. The system, as it is described, allows parents to choose to submit a photo of themselves through an "automatic face capture module," which then analyzes the photo to determine the age of the person in question. Once confirmed as an adult, the parent or guardian can grant whatever permission they deem appropriate for their child.

This is essentially a photo verification of age, not much different from showing a driver's license before buying alcohol. At a time when companies around the world are scrambling to develop increasingly complex AI systems and experts are warning about the dangers inherent in the race, the idea of willingly submitting one's face to machine analysis has understandably drawn the ire of some.

But there have been some misconceptions, and the ESRB wants to correct them: an ESRB representative stated that the system "does not take and store 'selfies' of users or attempt to verify their identities" (the FTC filing states that "users are not required to take automatic selfies" of themselves "assisted by a face capture module," which is a bit confusing because it clearly states that they are uploaded to a remote server for analysis.) It is not about the ESRB's age rating of the game, but about U.S. privacy laws. It has to do with privacy laws in the US.

In the U.S., it is not actually illegal to sell M-rated games to minors: the age rating system developed and maintained by the ESRB represents the policy of virtually all retailers, but legally, if a 12-year-old wants to buy "Grand Theft Auto 5" If they want to buy it, they can't: in 2011, the U.S. Supreme Court actually struck down a California law prohibiting the sale of violent video games to minors, declaring that video games, like other forms of media, are protected speech under the First Amendment. [The Children's Online Privacy Protection Act (COPPA), however, is another matter; COPPA requires and legally mandates that companies obtain "verifiable parental consent" before collecting or sharing personal information from children under 13. In fact, SuperAwesome's parent company, Epic Games, agreed to pay a $275 million fine in December 2022 for violating it.Acceptable ways to consent to COPPA include submission of a signed form or credit card, toll-free or video chat conversations with a "trained representative," and answering a "series of knowledge-based challenge questions."

According to the ESRB, these systems have not been updated since 2015 and are apparently overdue for an update.

However, while the scanning system proposed in this application sounds like facial recognition, the ESRB emphasized that it does not determine identity beyond estimating age to prove that COPPA compliance requirements have been met.

"To be completely clear, the images and data used in this process will not be stored, used for AI training, used for marketing, or shared with anyone... The only information that will be communicated to the company requesting the VPC is a 'yes' or 'no' determination as to whether the person is 25 years or older The only information that is communicated to the company requesting the VPC is a 'yes' or 'no' determination as to whether the person is 25 years of age or older," said the ESRB representative. This is why we believe VPC is a highly privacy-protective solution."

(The proposed system sets 25 as a minimum threshold to "prevent teenagers and children who appear older from impersonating their parents"; those determined to be in the 18-24 "buffer zone" would have to pursue verification through other channels)

The proposed system does not work like a traditional facial recognition system, but there is certainly a semantic component to the ESRB's argument. The proposed system may not be used to recognize me, but it does use my picture to guess my age.

Concerns about bias, accuracy, and privacy remain valid. After all, you are giving corporate organizations permission to snoop around your home to make sure everything is normal: we are protecting the privacy of our children by allowing corporations to take mug shots in our living rooms. [The ESRB Privacy Certified [EPC] program is a "COPPA safe harbor" and therefore has the authority to make changes to the verifiable parental consent system without FTC involvement. An ESRB representative stated, "Nevertheless, the EPC takes its role (and its responsibilities to its members) very seriously, and given how new this technology is, the EPC preferred to obtain approval directly from the FTC through the application process before approving its use by EPC member companies."