How Often Do Consumers Balk at Doing Online Age Authentication?
In search engine parlance, the “bounce” rate is the percent of searchers who click on a search results link and then immediately hit the back button. High bounce rates usually signal that something has gone wrong. Either the destination website didn’t appeal to the user enough to convert them to engage more, or the search result wasn’t what the consumer was looking for (or both).
I’m going to analogize bounce rates to the rate that consumers fail to overcome age authentication walls, which I’ll call the “balk rate.” (We could more granularly distinguish between voluntary refusals and technical inability, but the outcome is the same either way.) There is no single standard or expected balk rate for age authentication walls. Instead, a service’s balk rate likely varies based on factors such as:
- the nature of the destination. How critical is it that the consumer overcome the wall? For example, there will be a lower balk rate for access to an essential government service than for a site that consumers consider non-essential. A related issue is how long the consumer anticipates the relationship will run. Consumers who expect a one-off interaction are more likely to balk than consumers planning to make a long-term commitment.
- the availability of competitive alternatives that have less onerous age authentication procedures. For example, pornography consumers can easily find online alternatives that don’t require age authentication (at least for now), so those consumers are more likely to balk when they encounter an age authentication wall.
- the nature of the authentication process.
  - how many steps are involved in the process? Each additional step in the authentication process will increase the overall balk rate.
  - relatedly, how much time does the process take? Consumers are impatient.
  - what disclosures must the consumer make to overcome the wall? The more sensitive the disclosure, the higher the balk rate. Most age authentication processes that achieve decent accuracy levels necessarily rely on the disclosure of sensitive consumer information (such as government IDs or face scans) that will produce a lot of balks, but there still may be balk rate differences between them.
  - how much trust do consumers have in the authenticator? Trust is also a proxy for consumer concerns about privacy and security.
There are likely other considerations I didn’t capture here. I welcome your suggestions.
In this post, I’ll highlight three data points about balk rates. (If you know of other published data on this topic, please email me.)
Pornhub’s Experiences
Pornhub has shared some data about its balk rates. Pornhub says its traffic in Louisiana dropped 80% when it implemented an age authentication wall. Elsewhere, Pornhub has said that “over 99% of users subjected to a verification requirement did not verify their age.”
Going back through the factors I identify above, you can see why these numbers might be so high. Pornography services have competitive alternatives that aren’t age-authenticated, and there are high privacy and security risks to pornography consumers.
The high balk rates also explain why Pornhub opted out of states that have imposed age authentication mandates. If it’s going to lose 99% of those consumers due to the mandate, it’s already out of the market either way, so officially withdrawing from the market has no real opportunity cost.
An EU Study
In 2022, the EU did a comprehensive study of age authentication balk rates in the “Pilot Execution Report – first large scale euCONSENT pilot”. The study assigned EU consumers three authentication “missions” to complete and then studied consumers’ mission completion rates.
The missions differed depending on the age and status of the user, so it’s pretty hard to draw any definitive conclusions. Most importantly, the study doesn’t reveal the completion rate of the first mission, which was to do the initial age authentication. To me, this seemed like the most essential datapoint, but the report didn’t mention it. 🤔 The second mission was to navigate to another site without reauthenticating. That had about an 80% completion rate. The third mission was to jump through a more rigorous authentication hoop. Only about 63% of the group who completed the first mission were able to complete that third mission.
There was a follow-on study (“Pilot Execution Report – third euCONSENT”) with more missions. Collectively, some of the data points that stood out to me:
- 12% of adults and 21% of parents failed to complete the authentication and reauthentication process; and 22% of parents failed to complete the parental authorization process.
- 85% of consumers said they wouldn’t wait more than 5 minutes to do an authentication process, even if that was a one-time process for a permanent web-wide authentication.
- If given the choice, 68% of consumers preferred face scans, 15% preferred document scanning, and only 3% preferred credit card authentication (which, as I mention in my Segregate-and-Suppress paper, isn’t considered to be a credible authentication method).
- 21% of the study participants reported a technical problem trying to do the authentication.
- With respect to trying to buy alcohol online, 22% said they would do something other than complete the online age authentication.
I’ve been through these studies a few times, and each time I was confused by the methodology and results. The reports left open obvious questions, may be specific to the EU’s consent process, and may be outdated based on developments in the past 4 years. And yet, these reports make it clear that there will be tens of millions of EU consumers who will fail to navigate (or would prefer not to navigate) the authentication systems the EU is putting in place.
The Carnegie Mellon Study
A Carnegie Mellon research team (plus one Princeton researcher) posted a preview of an experiment on age authentication balk rates. The study is called “Measuring User Responses to Online Age Verification Mechanisms Through A Deceptive Experiment.” The researchers solicited participants to watch R-rated video clips. However, before the survey takers could watch the clips, the researchers said they had to navigate an age authentication barrier to see how they reacted. The survey indicates the following balk rates:
- checkbox self-attestation: 1% balk rate (i.e., 99% completion rate). This option is meaningless because I don’t believe any regulators consider self-attestation a permissible method of age authentication.
- “Email-based estimation”: 14% balk rate.
- “AI facial estimation”: 49% balk rate.
- government-ID methods: 73-77% balk rate (the variation depended on assurances about privacy and security).
The researchers conclude: “technically robust verification methods may be ineffective in practice if users systematically decline to comply.”
Two observations of mine:
- Consistent with the EU report showing consumers prefer face scans over document ID reviews, the balk rate was noticeably lower for face scans than government-issued IDs (though both balk rates were high). As face scans roll out across the Internet, I wonder if consumers are becoming desensitized to doing face scans and increasingly view them as an inevitable and standard price of admission?
- The preview doesn’t mention what motivations participants had to complete the process. For example, were they promised any compensation? If the only motivation for navigating the authentication wall was altruism (i.e., to support the research), then we should expect much higher balk rates than we would find in the field, when users are trying to achieve their self-directed objectives.
Implications
The Carnegie Mellon paper references the constitutional principle of tailoring, i.e., how likely is the law to achieve its desired outcome? Higher balk rates are a sign that an age authentication mandate isn’t appropriately tailored because it’s suppressing constitutionally protected conversations. However, there is no numerical cap on balk rates before an age authentication mandate becomes constitutionally impermissible. Instead, in the Free Speech Coalition v. Paxton decision, the majority opinion said “adults have no First Amendment right to avoid age verification.” That implies that the court may not care about balk rates at all.
Age authentication mandates always shrink the Internet, and balk rates are one way of measuring the shrinkage. Every time an adult fails to navigate an age authentication process (whether by choice or due to technical challenges), that’s another lost customer for the authenticating service. If the Carnegie Mellon study accurately predicts field behavior, face scans or document reviews will cost the authenticating services half of their customers or more. Such high balk rates would collapse the Internet ecosystem, because there won’t be enough authenticating customers for services to operate profitably. Even a 10-20% balk rate will have major consequences for many services that are already operating on razor-thin margins, such as content publishers who have already seen their ad revenues shrink over time. These Internet shrinkages have significant economic and social consequences for all of us, yet regulators routinely ignore these issues completely when clamoring for more age authentication mandates.
To reduce balk rates, governments around the globe are trying to build an infrastructure to reduce the friction of age authentication. Less friction addresses one problem (the balk rate) and creates a host of other problems.
The EU plans to rely on widespread adoption of digital IDs combined with an API wrapper that exposes only age authentication information to services around the Internet. Digital IDs raise a host of privacy and security concerns. They are also the foundational infrastructure for comprehensive government monitoring and control of constituent movements online. I’m also unclear how the EU plans to address the fact that tens of millions of EU residents won’t have digital IDs for the foreseeable future.
Alternatively, some governments are trying to force one-time age authentications when a user acquires a device or first logs into an app store. By moving the age authentication process forward to a central point (the device or the app store), the user avoids doing repetitive authentications downstream. However, that assumes the user can or wants to complete the authentication in the first place; anyone blocked at the beginning is stuck. The high-value authentication data also will act as attractive centralized honeypots for malefactors. Also, this approach normalizes age authentication and will make it seem routine for interactions that today don’t require age authentication. It will likely shift the default about when we need to age-authenticate. Today, we can enter websites or use apps without presenting credentials, just as we do in most physical spaces; in the future, that presumption will be reversed. Finally, whoever is doing the centralized authentication won’t do it for free. A small number of entities are poised to extract monopoly rents by taking a cut of this government mandated process.
* * *
Blog Posts on Segregate-and-Suppress Obligations
- Court Enjoins Another Arkansas Segregate-and-Suppress Law–NetChoice v. Griffin
- Too Many Courts Are Letting States Take Wrecking Balls to the Internet (Roundup)
- Texas Judge Enjoins App Store Authentication Law–CCIA and SEAT v. Paxton
- Courts Enjoin Internet Censorship Laws in Louisiana and Arkansas
- Challenge to Maryland’s “Kid Code” Survives Motion to Dismiss–NetChoice v. Brown
- My Testimony Against Mandatory Online Age Authentication
- Read the Published Version of My Paper Against Mandatory Online Age Authentication
- Prof. Goldman’s Statement on the Supreme Court’s Demolition of the Internet in Free Speech Coalition v. Paxton
- Court Permanently Enjoins Ohio’s Segregate-and-Suppress/Parental Consent Law–NetChoice v. Yost
- Arkansas’ Social Media Safety Act Permanently Enjoined—NetChoice v. Griffin
- Why I Emphatically Oppose Online Age Verification Mandates
- California’s Age-Appropriate Design Code (AADC) Is Completely Unconstitutional (Multiple Ways)–NetChoice v. Bonta
- Another Conflict Between Privacy Laws and Age Authentication–Murphy v. Confirm ID
- Recapping Three Social Media Addiction Opinions from Fall (Catch-Up Post)
- District Court Blocks More of Texas’ Segregate-and-Suppress Law (HB 18)–SEAT v. Paxton
- Comments on the Free Speech Coalition v. Paxton SCOTUS Oral Arguments on Mandatory Online Age “Verification”
- California’s “Protecting Our Kids from Social Media Addiction Act” Is Partially Unconstitutional…But Other Parts Are Green-Lighted–NetChoice v. Bonta
- Section 230 Defeats Underage User’s Lawsuit Against Grindr–Doll v. Pelphrey
- Five Decisions Illustrate How Section 230 Is Fading Fast
- Internet Law Professors Submit a SCOTUS Amicus Brief on Online Age Authentication–Free Speech Coalition v. Paxton
- Court Enjoins the Utah “Minor Protection in Social Media Act”–NetChoice v. Reyes
- Another Texas Online Censorship Law Partially Enjoined–CCIA v. Paxton
- When It Comes to Section 230, the Ninth Circuit is a Chaos Agent–Estate of Bride v. YOLO
- Court Dismisses School Districts’ Lawsuits Over Social Media “Addiction”–In re Social Media Cases
- Ninth Circuit Strikes Down Key Part of the CA Age-Appropriate Design Code (the Rest is TBD)–NetChoice v. Bonta
- Mississippi’s Age-Authentication Law Declared Unconstitutional–NetChoice v. Fitch
- Indiana’s Anti-Online Porn Law “Is Not Close” to Constitutional–Free Speech Coalition v. Rokita
- Fifth Circuit Once Again Disregards Supreme Court Precedent and Mangles Section 230–Free Speech Coalition v. Paxton
- Snapchat Isn’t Liable for Offline Sexual Abuse–VV v. Meta
- 2023 Quick Links: Censorship
- Court Enjoins Ohio’s Law Requiring Parental Approval for Children’s Social Media Accounts–NetChoice v. Yost
- Many Fifth Circuit Judges Hope to Eviscerate Section 230–Doe v. Snap
- Louisiana’s Age Authentication Mandate Avoids Constitutional Scrutiny Using a Legislative Drafting Trick–Free Speech Coalition v. LeBlanc
- Section 230 Once Again Applies to Claims Over Offline Sexual Abuse–Doe v. Grindr
- Comments on the Ruling Declaring California’s Age-Appropriate Design Code (AADC) Unconstitutional–NetChoice v. Bonta
- Two Separate Courts Reiterate That Online Age Authentication Mandates Are Unconstitutional
- Minnesota’s Attempt to Copy California’s Constitutionally Defective Age Appropriate Design Code is an Utter Fail (Guest Blog Post)
- Do Mandatory Age Verification Laws Conflict with Biometric Privacy Laws?–Kuklinski v. Binance
- Why I Think California’s Age-Appropriate Design Code (AADC) Is Unconstitutional
- An Interview Regarding AB 2273/the California Age-Appropriate Design Code (AADC)
- Op-Ed: The Plan to Blow Up the Internet, Ostensibly to Protect Kids Online (Regarding AB 2273)
- A Short Explainer of Why California’s Social Media Addiction Bill (AB 2408) Is Terrible
- A Short Explainer of How California’s Age-Appropriate Design Code Bill (AB2273) Would Break the Internet
- Is the California Legislature Addicted to Performative Election-Year Stunts That Threaten the Internet? (Comments on AB2408)
- Omegle Denied Section 230 Dismissal–AM v. Omegle
- Snapchat Isn’t Liable for a Teacher’s Sexual Predation–Doe v. Snap
- Will California Eliminate Anonymous Web Browsing? (Comments on CA AB 2273, The Age-Appropriate Design Code Act)
- Minnesota Wants to Ban Under-18s From User-Generated Content Services
- California’s Latest Effort To Keep Some Ads From Reaching Kids Is Misguided And Unconstitutional (Forbes Cross-Post)
- Backpage Gets Important 47 USC 230 Win Against Washington Law Trying to Combat Online Prostitution Ads (Forbes Cross-Post & More)
- Backpage Gets TRO Against Washington Law Attempting to Bypass Section 230–Backpage v. McKenna
- MySpace Wins Another 47 USC 230 Case Over Sexual Assaults of Users–Doe II v. MySpace
- MySpace Gets 230 Win in Fifth Circuit–Doe v. MySpace
- Website Isn’t Liable When Users Lie About Their Ages–Doe v. SexSearch

