Bright lights shine on age assurance as Australian law, ISO standard forge new paths

If Australia’s Social Media Minimum Age (SMMA) law is an experiment in regulation, it is currently under a microscope. The attention focused on Australia leading up to the passage of its so-called under-16 ban for major social platforms has been equaled by interest in how it is playing out in real time. Multiple regional conversations are happening in tandem, notably in the EU and the UK, where similar age assurance regulations are on the policy table. But evidence goes both ways, and there are those who point to now-proven loopholes in Australia’s law to demonstrate the flaws at its core.

The Australian rollout is sure to be at the center of discussions, alongside ISO/IEC 27566-1, at the upcoming 2026 Global Age Assurance Standards Summit, being held in Manchester this April. In essence, the big question will be, is age assurance in Australia working? And can it work elsewhere?

VPNs continue to throw wrench in age assurance works

Among the most frequently cited workarounds for age verification and age estimation technologies, Virtual Private Networks (VPNs) remain a thorn in the side of online safety legislation. The European Parliamentary Research Service has published a backgrounder that looks at the rise of VPNs to bypass age checks, and summarizes the current state of the discussion.

“While privacy advocates argue that imposing  age verification requirements on VPNs would pose significant risks to anonymity and data protection, child safety campaigners claim that their widespread use by minors requires a regulatory response.” The UK has floated the idea of banning kids from using VPNs.

In a post on LinkedIn, the European Parliamentary Research Service says that “as the EU reviews cybersecurity and privacy legislation, VPN services may also come under stricter regulatory scrutiny. For instance, it is likely that the revised Cybersecurity Act will introduce child-safety criteria, potentially including measures to prevent the misuse of VPNs to bypass legal protections.”

Three regulators set the bar

Australia, meanwhile, is happy to share its findings with other regulatory bodies. The eSafety Commissioner, Julie Inman Grant, met this week with UK regulator Ofcom’s cooperation group on age assurance, which also includes the European Commission, to discuss insights into the implementation of the Australian age restrictions for social media.

According to a release, “throughout 2026, the three regulators will continue to have regular exchanges to further explore effective age-assurance approaches, enforcement against adult platform services and other providers to ensure minors are protected, relevant technological developments, and the essential role of data access and independent research in supporting effective regulatory action.”

Roundtables, keynotes highlight 2026 GAAS Summit agenda

The agenda for the 2026 Global Age Standards Summit is “evolving,” says organizer Tony Allen on LinkedIn – but already hosts “a fantastic range of speakers, participants and activities.”

On the government side, that includes keynotes by the eSafety Commissioner, the UK Information Commissioner’s Office, Ofcom and Brazil’s Ministry of Justice. Meta also scores a keynote, as well as a fireside chat.

Providers scheduled to appear include VerifyMy, OneID, Persona, Yoti and NeonGuard. Roundtables cover various topics, such as how to make age checks work at scale, in a debate-style format.

Digital rights groups in attendance include the 5Rights Foundation, which contributed to the development of the new ISO/IEC 27566-1 standard covering age assurance systems.

A blog post from the organization says “5Rights firmly believes that in order for age assurance to effectively support compliance efforts, it must be privacy-preserving, proportionate, and respectful of children’s internationally agreed rights. ISO/IEC 27566-1 aims to address these considerations, offering a useful exploratory guide for what an age assurance ecosystem may look like, encompassing key definitions, roles, processes and metrics. It covers critical topics such as accessibility, inclusion, privacy by design and cybersecurity.”

The new standard is “largely compatible with the IEEE 2089.1 Standard for Online Age Verification, part of the wider 2089 family of IEEE standards co-developed with 5Rights and grounded in 5Rights principles.”

“Both standards can be used together without conflict, though they somewhat serve different purposes,” says 5Rights: “ISO/IEC 27566-1 breaks down age assurance in core characteristics, while IEEE 2089.1 offers more prescriptive guidance on the role of each actor in the ecosystem, with an explicit recommendation to consider the unique needs of children.”

A release from the British Standards Institution (BSI) also lauds the “international framework to support consistent, trustworthy age assurance information security practices worldwide.”

The group cites research showing that almost half of UK adolescents wish they were growing up in a world without the internet, and fully half say a social media curfew would improve their lives. It says the findings point to a strong need for “robust privacy safeguards, clearer protections, and more trustworthy approaches to age-related access online.”

“Safeguarding the online well-being of adolescents and children is paramount, and we are seeing evidence of worrying behaviours. At the same time, the digital world is here to stay and we need to focus on fostering human-centric design of platforms, then empowering children and parents through education to navigate them safely.”

“Age assurance is a vital tool in the armoury of creating an online world in which children can thrive safely and securely, while still building the skills and digital literacy they will need throughout their lives. BS ISO/IEC 27566-1 can act as a starting point in our journey towards a safe online world, by providing a practical framework establishing clear characteristics for trustworthy systems.”

Article Topics

Age Assurance Standards Summit (2026)  |  age verification  |  Australia age verification  |  British Standards Institution  |  ISO 27566-1  |  VPN (virtual private network)