SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

BSI launches first global standard for online age checks

Wed, 4th Feb 2026

BSI has published what it describes as the first global framework for trustworthy age assurance, as governments weigh tougher rules on children's access to social media and other online services.

The standard, titled "Information security, cybersecurity and privacy protection - Age assurance systems - Framework", carries the reference BS ISO/IEC 27566-1. BSI said it sets out a common framework and core characteristics for age assurance systems. Age assurance covers processes that determine the age of online users and support decisions about age-based access.

Policy discussions on age checks have intensified in several jurisdictions. The UK Government has said it would consult on a potential social media ban for under-16s. In Canada, Culture Minister Marc Miller has said he is looking at approaches taken elsewhere, including Australia, and has not ruled out a ban for children under 14.

BSI positioned the framework as an attempt to address uneven approaches across platforms and services. It also highlighted concerns often raised about age checks, including privacy, security, bias and user acceptability.

What it covers

BSI said BS ISO/IEC 27566-1 does not mandate a single method for age assurance. It instead sets out characteristics of what it considers robust systems. Those characteristics include privacy protection, security safeguards, transparency and practical controls that apply across digital and physical contexts.

BSI said the framework is intended for those running online platforms and content services, and for organisations that provide age-restricted goods, content or services. It also targets policymakers, regulators, age assurance providers and technology suppliers.

The organisation said the framework supports age-related eligibility decisions without requiring full identity verification in all cases. It said this approach reduces unnecessary data collection and supports data minimisation and selective disclosure.

BSI also linked the publication to broader regulatory themes. It pointed to the UK Online Safety Act. It also referenced initiatives such as the EU Digital Services Act and the EU Digital Identity Wallet as examples of regulators converging around principles that balance effective protections and individual rights.

Research findings

BSI published research alongside the framework. It said almost half of UK adolescents surveyed wished they were growing up in a world without the internet. It also said half supported the idea of a social media curfew.

The research also described routine workarounds of age gates. BSI said 42% of UK adolescents surveyed had pretended to be a different age to access online content. It said two-thirds spent more than two hours on social media daily. It added that 42% admitted lying to adults about what they do online, 27% had pretended to be a different person online, and 40% had set up fake or decoy accounts.

BSI also cited external research on current practice in the market. It referenced OECD research that found just two in 50 online services aimed at children systematically assure age at account creation.

Industry implications

Age assurance has become a contested area for technology firms, regulators and civil society groups. Companies face pressure to keep young users away from harmful content and to comply with legal requirements on age-restricted services. At the same time, many proposals involve collecting sensitive personal data or expanding identity checks.

BSI framed BS ISO/IEC 27566-1 as a response to those tensions. It said the framework addresses unclear processes, weak controls and disproportionate data use, which it said have reduced market confidence in age assurance.

It also said the standard can be used to design and assess age assurance systems. It said policymakers can use it to set outcome-focused requirements without forcing identity verification. It added that the framework promotes clearer expectations for individuals around privacy, transparency and usability.

Standards roadmap

BSI said BS ISO/IEC 27566-1 is the first in a planned series. It said ISO/IEC 27566-2 and ISO/IEC 27566-3 are in development and will build on the framework.

BSI said the UK played a significant role in developing the standard. It cited UK expert leadership in the editorial process and input coordinated through BSI's national committee on age assurance into ISO and IEC technical work on privacy technologies and identity management. It said that work involved regulators, industry, civil society and assurance communities.

BSI set out its view of the wider context for age checks and online harms for young users. It said the digital world will remain central to how children grow up, while also pointing to evidence of behaviour it described as worrying.

"Safeguarding the online well-being of adolescents and children is paramount, and we are seeing evidence of worrying behaviors. At the same time, the digital world is here to stay and we need to focus on fostering human-centric design of platforms, then empowering children and parents through education to navigate them safely.

"Age assurance is a vital tool in the armory of creating an online world in which children can thrive safely and securely, while still building the skills and digital literacy they will need throughout their lives. BS ISO/IEC 27566-1 can act as a starting point in our journey towards a safe online world, by providing a practical framework establishing clear characteristics for trustworthy systems," said Laura Bishop, Digital Sector Lead Artificial Intelligence & Cyber Security, BSI.

BSI said the follow-on parts of the ISO/IEC 27566 series will add guidance on technical approaches and on methods for analysis or comparison.