First international standard on age assurance sees publication

The first international standard for age assurance technologies, ISO/IEC 27566-1:2025, has been published, capping off a remarkable year for the age assurance sector.

Developed over years with extensive input from industry working groups, the standard plants a much-needed stake in the ground for age assurance technologies, and should help bring a measure of stability to an industry that has been on a regulatory roller-coaster ride in 2025.

“This document establishes a framework for age assurance systems and describes their core characteristics, including privacy and security, for enabling age-related eligibility decisions,” reads the section on scope. The language is carefully chosen to provide both solidity and enough breadth to accommodate inevitable change. “Age-related eligibility” is a novel term that fills a linguistic gap for the quality of being old enough to access a specific site or service. However, definitions for age verification, age estimation, age inference and successive validation are refined and precise.

A major driver of the standard is Tony Allen, head of the UK Age Check Certification Scheme (ACCS), architect of the Global Age Assurance Standards Summit and lead on Australia’s Age Assurance Technology Trial (AATT). He calls the publication of ISO 27566-1:2025 (which he helped author) “a major breakthrough for age assurance at a global level.”

“It’s been a pleasure to lead the development of this foundational standard for a safer connected world for children,” Allen says in comments made to Biometric Update. “If we don’t have adequate age assurance, we cannot deliver age appropriate experiences. ISO/IEC 27566-1 is a critical part of that global net of protection and, as we start to certify providers, intermediaries and relying parties against it, we can build trust and confidence in the privacy and security of these systems as they are deployed.

His organization will now offer certification against the new standard, “to be able to provide accredited evidence of conformity to the five key characteristics in the standard: Functionality, Performance, Privacy, Security and Acceptability.”

In celebrating the age assurance standard, Allen brings a larger perspective on standards in general. In a holiday-themed LinkedIn post nodding at the British Standards Institution (BSI), he notes how “there is so much work by so many people, both volunteers and professionals, that goes in all year round to making sure that when our children open their presents, what they find inside isn’t going to kill or injure them.” It’s a good reminder that standards are a big part of why your kids’ toys no longer come covered in lead paint, or why your instant hot chocolate can’t be 35 percent sawdust – and that the internet also needs some rules to stop it from doing real damage.

Delme Stephenson, lead digital standards development manager at BSI, tells BU that the organization “has led the development of the age assurance standards, firstly by creating a Publicly Available Specification (PAS 1296:2018) and then through leadership of this new international standard for age assurance. All of this is about providing the framework for safer online experiences for children in our connected world.”

A sample of ISO 27566-1:2025 is available for free (access to the full document requires purchase). One interesting storyline will be how frequently it requires updates. Age assurance technology continues to evolve, with new approaches and innovations constantly in the works. Witness the relatively new area of age inference, exemplified by the YouTube algorithm that infers a user’s age based on their behavior and preferences.

With certain marquee pieces of legislation in place, notably in the EU, UK and Australia, that pace may slow. Indeed, part of the point of the standard is to (yes) standardize the tech.

However, innovation in age assurance won’t stop, so the standard will need to factor that in. Typically, ISO standards require a review at least once every five years, although updates can be made to accommodate tech and market changes. Five years ago, there was no ChatGPT, and “AI” still primarily referred to the Steven Spielberg film. Even 27566-1:2025 is, in itself, something of a disruptor, in that it replaces BSI PAS 1296:2018 and forces updates on IEEE 2089.1.

The annual Global Age Assurance Standards Summit will be a regular forum for discussion on these matters. Yet, while there remains much work to be done, the 2026 event (to be held in Manchester in April) is likely to devote some time to celebrating the realization of its raison d’etre.

Article Topics

Age Check Certification Scheme (ACCS)  |  age inference  |  age verification  |  biometric age estimation  |  ISO 27566-1  |  ISO standards