Skip to main content
Go back
Written by
5Rights Compliance Team
29th January, 2026

New ISO/IEC standard provides framework for privacy-preserving age assurance

5Rights contributed to the development of the new ISO/IEC 27566-1 standard, a new international framework for privacy-preserving age assurance systems.

Age assurance increasingly plays a role in efforts around the world to comply with changing regulation and legislation, including the Digital Services Act in the EU, the Age-Appropriate Design Code in the UK, and the Digital Personal Data Protection Act in India. The new BS ISO/IEC 27566-1: Information security, cybersecurity and privacy protection – Age assurance systems standard provides a framework for age assurance systems, offering policymakers and industry practical guidance on implementation. Given the global reach of ISO/IEC standards, this framework provides a widely recognised benchmark that can inform regulatory approaches and industry practices internationally.

Over the past few months, 5Rights contributed to the development of this standard, both in the national committee led by the British Standards Institute (BSI) that refined the framework for adoption as a British Standard. 5Rights firmly believes that in order for age assurance to effectively support compliance efforts, it must be privacy-preserving, proportionate, and respectful of children’s internationally agreed rights.

BS ISO/IEC 27566-1 aims to address these considerations, offering a useful exploratory guide for what an age assurance ecosystem may look like, encompassing key definitions, roles, processes and metrics. It covers critical topics such as accessibility, inclusion, privacy by design and cybersecurity.

This standard is largely compatible with the IEEE 2089.1 Standard for Online Age Verification, part of the wider 2089 family of IEEE standards co-developed with 5Rights and grounded in 5Rights principles. Both standards can be used together without conflict, though they somewhat serve different purposes. ISO/IEC 27566-1 breaks down age assurance in core characteristics, while IEEE 2089.1 offers more prescriptive guidance on the role of each actor in the ecosystem, with an explicit recommendation to consider the unique needs of children. Critically, IEEE 2089.1 is explicitly grounded in children’s rights, as defined by the UN Convention on the Rights of the Child and its associated General comment No. 25.

That being said, the publication of BS ISO/IEC 27566-1 is still particularly significant for policymakers and industry in the EU and UK, where ISO/IEC standards carry significant weight. In this context, this framework provides a recognised benchmark that can help shape age assurance in line with privacy by design principles.BS ISO/IEC 27566-1 is available for purchase from the British Standards Institute (BSI) website. The generic ISO/IEC 27566-1 (for territories that do not use BSI standards) is also available in the ISO online store.

You can access the framework here.