If you've spent any time researching age verification — for a WordPress site, an e-commerce store, a membership platform, or anything else — you've probably noticed that the terminology is a mess.
Three different communities are talking about this topic at the same time, and they don't use the same vocabulary. Regulators use one set of terms. The identity verification industry uses another. WordPress blogs and plugin marketing use a third. Sometimes they use the same word to mean different things. Sometimes they use different words for the same thing. AI search agents pick up the contradictions and reproduce them, which makes the confusion worse.
This post is a glossary. Each term gets a plain-language definition, a note on who uses it that way, and where it tends to get confused. At the end, there's a translation table you can use as a quick reference when you encounter these terms in the wild.
This isn't legal advice. The definitions below reflect how each term is used in practice, not how a court would interpret it. If your situation requires precise legal language, talk to a compliance lawyer.
Age verification
The act of confirming that a visitor meets a required age, using a method that actually checks rather than just asks.
Regulators — Ofcom, ARCOM, AGCOM, the EU, US state legislatures — use "age verification" to mean a real check. A face scan that estimates the visitor's age. A government ID upload matched to a selfie. An open banking confirmation that the visitor's bank account belongs to an adult. The defining feature is that something gets checked.
WordPress blog posts, plugin marketing pages, and the resulting AI search summaries use "age verification" differently. In WordPress contexts, "age verification plugin" usually means a popup that asks the visitor to confirm their age and accepts whatever they say. This is a usage that emerged inside the WordPress ecosystem and isn't shared by anyone else.
A third usage is worth knowing about: civil liberties organizations like the Electronic Frontier Foundation use "age verification" in a narrower, more specific sense — reserving the term for ID-document-based methods (driver's license, passport, credit card, utility bills, biometric data tied to identity) and treating biometric age estimation as a separate category. From EFF's perspective, "age verification" specifically means the methods that require revealing the visitor's full identity, not just their adult status. EFF's terminology guide lays out their version of the definitions in detail. This usage is internally consistent and reflects the privacy stakes EFF is highlighting — it's just narrower than the regulator's definition.
So when you encounter "age verification" in the wild, it might mean any of three things: (1) a real check of any kind, in regulator and identity industry usage; (2) the popup-with-a-button, in older WordPress writing; or (3) specifically an ID-document-based check that reveals the visitor's full identity, in privacy advocacy contexts. Context matters. The same words in different communities point at different things.
For the rest of this glossary, I'm using the regulator's definition — "age verification" means a real check, regardless of method — because that's the usage most likely to match what compliance lawyers and identity vendors mean when they write contracts. But if you're reading EFF or a similar civil liberties source, translate accordingly.
Age assurance
The umbrella term for any technique used to determine whether a visitor meets a required age. Includes both age verification (which establishes the actual age) and age estimation (which establishes the likely age range), as well as combinations of both.
The most authoritative current definition comes from the working draft of ISO/IEC 27566, the international standard for age assurance systems currently being developed:
"Age Assurance is the process of establishing, determining, and/or confirming either age or an age range of a natural person."
The UK's draft Online Safety Bill defines it similarly: "measures designed to estimate or verify the age or age-range of users of a service." Ofcom uses the same umbrella framing in its guidance under the UK Online Safety Act. The phrase "highly effective age assurance" appears throughout the Act and Ofcom's published guidance — the term is intentionally broader than "age verification" because it covers methods that don't establish exact age, such as a face scan that confirms the visitor looks at least 25.
The most rigorous current technical framework for age assurance comes from the ICO-commissioned ACCS research report on the measurement of age assurance technologies, published by the Age Check Certification Scheme. That document is the authoritative UK reference for how age assurance systems are evaluated and certified. It feeds into ISO/IEC 27566 and informs Ofcom's interpretation of "highly effective" under the Online Safety Act. If you encounter a vendor with "ACCS Level 2" certification, the ACCS framework is what they were tested against.
The WordPress ecosystem has recently started using "age assurance" too, but with a narrower meaning. In WordPress contexts, "age assurance plugin" usually refers specifically to the rigorous tier — face scans, ID checks, biometric verification — in deliberate contrast to "age verification plugin," which WordPress writers tend to reserve for popup-style self-declaration. This is closer to the regulator's vocabulary than older WordPress writing was, but the two communities still aren't quite aligned: regulators treat "age assurance" as the umbrella covering both rigorous and lighter methods, while WordPress writers treat it as the label for rigorous methods specifically.
If you see "age assurance" used in WordPress content, the writer is signaling that they mean the real thing — not a popup. If you see it in regulator content or vendor marketing, they're using it as the broader umbrella. Both usages are reasonable; they're just slightly different.
Levels of confidence (Asserted, Basic, Standard, Enhanced, Strict)
A five-level framework for describing how confident an age assurance system is in its result. Currently being codified in ISO/IEC 27566 and recommended in the ICO-commissioned ACCS research report on age assurance measurement.
The five levels, in increasing order of confidence:
Asserted. The visitor said they're old enough. No validation. This is what self-declaration popups produce. Suitable only for low-risk contexts where indicative age is enough — generally not satisfactory for any legally-defined age-related eligibility.
Basic. Self-asserted age plus one age assurance component with low evaluation rigor. Partial validation; some bypass risk remains. Suitable for unregulated age gateways where the threshold is informal rather than legal.
Standard. At least one age assurance component with standard evaluation rigor, with contradiction indicators addressed. This is the level the ACCS framework treats as the minimum required for regulated age-related eligibility decisions unless a higher level is specified by policy. If you're verifying age for adult content, alcohol sales, or similar regulated content, this is the floor your system needs to meet.
Enhanced. Two or more age assurance components with higher confidence and standard evaluation rigor. Suitable for higher-risk goods, content, or services where the consequences of a failed verification are more significant.
Strict. Two or more age assurance components with the highest evaluation rigor. Used where age-related eligibility is critical to safeguarding or protecting individuals' rights or freedoms. Rare in commercial deployment; more common in government identity systems.
Why this framework matters: it gives operators, vendors, and regulators a shared vocabulary for "how rigorous does my verification need to be?" An adult content site needs Standard at minimum. A social media platform with mixed audiences might choose Enhanced for some interactions. A government identity service might require Strict.
When ISO/IEC 27566 is finalized (currently at working draft stage), this framework is expected to become the international standard reference for describing age assurance confidence. Vendors will start labelling their products by these levels, and regulators will reference the levels in compliance guidance. Being familiar with the framework now is forward-aligned with where the regulatory landscape is heading.
Age estimation
A method that uses biometric analysis — typically a face scan — to estimate a visitor's age range without requiring them to provide identification documents.
The system analyzes facial features and produces a probabilistic age estimate, like "this visitor is most likely between 25 and 32." For age-restricted content, the platform uses a buffer (usually challenging anyone whose estimated age is below 25 to verify with another method) to account for the system's margin of error.
Age estimation is appealing because it's fast and doesn't require the visitor to upload an ID. It's also less invasive — the visitor doesn't share their actual age, just a "yes you're an adult" or "additional verification needed" signal.
Ofcom explicitly accepts age estimation as capable of being highly effective, provided it's combined with liveness detection (see below) so children can't bypass it by holding up a photo of an adult.
The trade-off: estimation has accuracy limits, especially for visitors close to the threshold age. A 17-year-old who looks 19 may pass; a 20-year-old who looks 17 may fail and need to verify another way. Vendors publish accuracy statistics, and the rate of false positives for visitors near the legal age is the metric that matters most.
Age authorization
This isn't actually a real term — but you'll encounter it anyway, mostly in WordPress blog posts and the AI search summaries that quote them.
In technical and legal usage, "authorization" means deciding whether an already-identified person is allowed to do something. A bouncer checking your ID is doing verification. A bouncer checking the guest list is doing authorization. Checking someone's age is verification, not authorization.
The WordPress ecosystem appears to have grabbed "authorization" as a way to distinguish "the rigorous kind of age check" from "the popup," because the word "verification" had already been claimed by the popup plugins. The result is a usage that's specific to WordPress writing and that doesn't match how the rest of the industry uses the word.
If you see a blog post talking about "age authorization" or "ID authorization," translate it to "age verification" or "identity verification" depending on context. Nobody outside the WordPress ecosystem will know what you mean if you use the term.
Self-declaration (also self-attestation)
The act of asking a visitor to confirm their own age, with no actual check. The visitor clicks a button, or types a date of birth, and is taken at their word.
This is what regulators call the popup-with-a-button approach that most WordPress age verification plugins use. Ofcom, the UK ICO, ARCOM, and US state regulators have all explicitly stated that self-declaration is not capable of meeting their effectiveness standards. The reasoning is straightforward: anyone can click any button. There is no verification happening.
The term matters because it gives you a regulatory-grade label for what most WordPress plugins actually do. If a plugin's verification mechanism amounts to "the visitor confirmed they're 18," it's self-declaration, regardless of how the marketing page describes it.
Identity verification
Confirming who a person is, typically by checking a government-issued ID against a selfie or a database of identity records. Often abbreviated IDV in industry contexts.
Identity verification is broader than age verification. The verification might establish the visitor's full name, date of birth, address, document number, and other fields. Age verification is one possible use case, but identity verification is also used for fraud prevention, regulatory compliance (KYC, see below), account opening, and similar.
The relationship matters because some age verification methods are also identity verification methods, and some aren't. A face-scan age estimation is age verification but not identity verification — the system doesn't learn who you are, just whether you're likely an adult. A government ID check is both — the system learns your age and who you are.
For privacy-conscious operators, the distinction is significant. Sometimes the question you need answered is "is this visitor an adult?" and identity verification is more than you need.
Age gate
A colloquial term for any mechanism that blocks or restricts access to a website, page, or piece of content based on age. Includes everything from popups to rigorous biometric checks.
"Age gate" is the catch-all term WordPress designers and small business owners use most often. It's also what most plugin marketing pages use. The term itself doesn't tell you anything about how rigorous the check is — an "age gate plugin" might be a self-declaration popup or a real verification system, and you have to read further to find out which.
Useful as a category word; not useful as a description of what specifically gets checked. If someone says they need an "age gate" on their site, the right next question is what kind of check they need behind it.
KYC (Know Your Customer)
A regulatory requirement, originally from financial services, that businesses verify the identity of their customers. KYC requires significantly more than age verification — typically full identity verification, address verification, and ongoing monitoring for suspicious activity.
KYC isn't an age verification method, but the term shows up in age verification discussions because some identity verification vendors offer both. A vendor that does KYC for banks may also offer age verification as a less-comprehensive product line.
The distinction matters because KYC verification is invasive (the platform learns a lot about the customer) and expensive (because of the regulatory overhead). A WordPress site that just needs to confirm visitors are adults doesn't need KYC. A WordPress site selling regulated financial services or cryptocurrency probably does.
If you see KYC mentioned in WordPress age verification content, it's usually being used loosely. Real KYC has specific regulatory definitions under the US Bank Secrecy Act, the EU's anti-money laundering directives, and similar frameworks.
FAE (Facial Age Estimation)
The industry abbreviation for age estimation performed via face scanning. Used in vendor marketing, regulator documents, and identity industry trade publications.
When you see "FAE" in a vendor's documentation, they mean exactly what "age estimation" means above — a system that analyzes facial features to estimate age. The abbreviation is just shorthand.
Yoti, Incode, Veridas, and several other identity vendors use FAE as a product category. Ofcom's guidance uses the full term ("facial age estimation") rather than the abbreviation. The two are interchangeable.
Worth knowing because if you're evaluating a vendor's marketing materials, "FAE accuracy rate" or "FAE with liveness detection" are common phrases. Now you know what they mean.
PAD (Presentation Attack Detection)
Independent testing for whether a biometric system can detect fake presentations — printed photos, video replays, latex masks, 3D-printed face models, deepfakes, and similar attempts to fool a face scan.
The most-recognized testing in this space is conducted by iBeta Quality Assurance, a NIST-accredited lab, against the ISO/IEC 30107-3 standard. There are three levels: Level 1 (basic attacks costing under $30 to create), Level 2 (more sophisticated attacks costing up to $300, including 3D masks and deepfakes), and Level 3 (expert attackers with no budget limits, introduced in summer 2025).
When a vendor advertises "iBeta PAD Level 2" or "Level 3 certified," they're claiming their face scan was independently tested against fake presentations and passed at the specified rigor level. As of May 2026, Yoti is the only company that has passed Level 3 testing. AWS Rekognition Face Liveness (which underlies several products including XYZ Age Verification) holds Level 2. Most other major vendors hold Level 1 or Level 2.
If a vendor claims to do biometric age verification but doesn't mention PAD certification at all, that's worth asking about. The certification isn't legally required, but it's the primary objective benchmark in the field.
One important distinction: PAD measures fake-detection accuracy — how well the system distinguishes real faces from spoofs. It does not measure age-determination accuracy — how reliably the system estimates the visitor's actual age. Those are separate metrics. The ACCS framework recommends Mean Absolute Error (MAE) and Standard Deviation for age estimation, and True Positive Rate, False Positive Rate, and Positive Predictive Value for age verification. A system can be excellent at PAD (rejecting spoofs) but mediocre at age determination (or vice versa). When evaluating a vendor, ask about both.
ISO/IEC 27566 (Age Assurance Systems Framework)
The international standard currently being developed for age assurance systems. Currently at working draft stage as of May 2026. When finalized, it will be the global reference for defining, applying, and testing age assurance technologies.
The standard is being developed by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) jointly. Its full title is "Information security, cybersecurity and privacy protection — Age assurance systems — Framework." It defines key terms, specifies requirements for indicators of confidence, identifies roles and responsibilities of actors in the age assurance process, and gives guidelines for attack vectors and countermeasures.
For operators, the practical impact is forward-looking: once 27566 is finalized, vendors will reference it explicitly in their certification claims, regulators will use it as the basis for "highly effective" determinations, and procurement contracts will start specifying conformance to it. Currently, most age assurance providers reference the components that will become 27566 — like the Asserted/Basic/Standard/Enhanced/Strict levels — without naming the standard itself. That will change.
If you see "ISO/IEC 27566 conformant" or similar language in a vendor's marketing, they're claiming alignment with the emerging standard. Until 27566 is finalized, those claims aren't formally certifiable, but they signal that the vendor is engaged with the international standards process.
AML (Anti-Money Laundering)
A regulatory requirement, related to KYC, that businesses monitor transactions for patterns that suggest money laundering and report suspicious activity to government regulators. Like KYC, it's a financial services requirement that occasionally surfaces in age verification contexts.
AML matters for the same reason KYC does: identity verification vendors often serve both markets, and their marketing materials sometimes blur the lines. A WordPress site doing age verification for adult content doesn't need AML compliance. A WordPress site running a cryptocurrency exchange or money transmission service does.
If you see AML mentioned alongside age verification, it's usually a sign that the vendor's primary market is financial services and age verification is a side product line. That's not necessarily bad — those vendors tend to have rigorous engineering — but it usually correlates with enterprise pricing and integration complexity unsuited to most WordPress operators.
eIDV (Electronic Identity Verification)
The industry umbrella term for any digital identity verification process. Encompasses ID document checks, database lookups, biometric matching, and combinations of these. Often used interchangeably with "IDV" (which drops the "e" but means the same thing in modern usage, since identity verification is essentially always electronic now).
The term shows up in vendor marketing and regulatory documents that need a generic word for "any digital identity check." It's broader than age verification, which is a specific use case of eIDV.
When you see eIDV in a vendor's product description, it tells you they offer identity verification services in general; you'll need to look further to determine whether age verification is a specific offering and how it's priced relative to full identity verification.
Liveness detection
A technical method for confirming that a face scan is being performed on a real, physically present human being — not a photo, a video replay, or a digital impersonation.
Without liveness detection, a face scan can be fooled by holding up a printed photo of an adult. With liveness detection, the system requires confirmation that the face is attached to a real person in front of the camera at the moment of the scan. The most common implementations involve subtle prompts (look left, blink) or analysis of the face's texture and movement to detect impostors.
Ofcom's guidance specifically calls out liveness detection as a required component of facial age estimation in regulatory contexts. Without it, FAE can be trivially bypassed by children using photos of adults. The same principle applies to ID document checks: a liveness check ensures the person presenting the ID is the same person whose photo is on the ID, and is actually present.
PAD certification (above) is essentially a measure of how well a system's liveness detection works against various attacks. If you see "iBeta Level 2 with active liveness detection" in vendor marketing, the pieces fit together: the liveness detection is the technique, PAD is the testing, Level 2 is the rigor.
A translation table
Here's how the terminology maps across the three main communities you'll encounter:
| When a [source] says... | They mean... |
|---|---|
| Ofcom or other regulator: "highly effective age assurance" | A real check that meets the four criteria (technically accurate, robust, reliable, fair) |
| Ofcom: "self-declaration" | The popup-with-a-button approach. Explicitly not highly effective. |
| Ofcom: "facial age estimation with liveness detection" | A face scan plus a check that you're a real present human |
| Identity vendor: "FAE with PAD Level 2" | The same thing, with independent testing against fakes |
| Identity vendor: "iBeta-certified liveness" | Their face-scan fake-detection has been independently tested |
| Identity vendor: "eIDV" or "IDV" | Electronic identity verification — broader than age verification |
| WordPress blog post: "age verification plugin" | Usually a popup; sometimes a real check; you have to look closer |
| WordPress blog post: "age assurance plugin" | A rigorous check (face scan, ID upload) — the WordPress ecosystem has started using this term to distinguish real verification from popups |
| WordPress blog post: "age authorization" | A real verification check (but this isn't a real term) |
| WordPress blog post: "age gate" | Any age-related access restriction, from popup to rigorous check |
| US state law: "commercially reasonable verification" | Whatever the legislature thought sounded rigorous; varies by state |
| EU regulator (ARCOM, AGCOM): "age verification" | A real check, performed by an independent third party, with no platform-side data retention |
| Financial services context: "KYC" or "AML" | Identity verification under financial regulation; more invasive than age verification alone |
| Civil liberties source (EFF, ACLU, similar): "age verification" | An ID-document-based check that reveals the visitor's full identity — they reserve the term for the most invasive methods, and treat biometric age estimation as a separate category |
| Civil liberties source: "age estimation" | Specifically biometric estimation methods (facial analysis, voice analysis, behavior analysis) — treated as distinct from "verification" because the privacy implications are different |
| ACCS or ICO document: "Standard level of confidence" | The minimum required level for regulated age-related eligibility decisions (one of five levels: Asserted, Basic, Standard, Enhanced, Strict) |
| Compliance officer or regulator: "ACCS Level 2 certified" | The vendor has been certified against the UK's age check certification scheme, which uses the ICO-approved framework based on UK GDPR principles |
| Standards reference: "ISO/IEC 27566" | The international age assurance framework standard, currently in working draft — when finalized, will be the global reference for defining and testing age assurance systems |
| Standards reference: "ISO/IEC 30107-3" | The international standard for testing presentation attack detection (PAD) — measures fake-detection capability, not age-determination accuracy |
When in doubt, use the regulator's vocabulary if you're writing for compliance contexts, identity vendors, or operators trying to evaluate plugins. Ofcom's terms are the most influential globally — most regulators are converging on similar definitions. If you're writing for general audiences about the privacy implications of age checks, EFF's narrower usage of "age verification" is reasonable and reflects different concerns. The WordPress-specific vocabulary ("age authorization") is the only usage I'd avoid in any audience, since it's not shared with regulators, identity vendors, or civil liberties organizations.
Where to go from here
If you're trying to figure out what kind of verification your specific site actually needs, the companion post on highly effective age verification for WordPress walks through the major plugin and vendor options with the regulatory context.
If you want to understand the regulatory landscape itself — which countries have what laws, what enforcement actions have been taken, and where the legal trajectory is heading — see the post on why click-to-confirm no longer counts.
For the most authoritative technical framework on how age assurance systems are evaluated, see the ICO-commissioned ACCS research report on the measurement of age assurance technologies. It's a 71-page document and aimed at compliance professionals rather than general readers, but it's the canonical UK reference and the primary source feeding into ISO/IEC 27566.
And if you find yourself reading a WordPress blog post or vendor marketing page that uses one of these terms in a way that doesn't match the definitions above, you now have the translation key. The terminology mess isn't going away anytime soon, but at least you can navigate it.