ISO/IEC 27566-1 (Age Assurance Systems – Part 1: Framework)

ISO/IEC 27566-1: Information security, cybersecurity and privacy protection – Age assurance systems describes a general framework for the key terms, processes, ecosystem actors and characteristics common to age assurance systems. The term ‘age assurance’ is inclusive of a variety of approaches spanning age verification, age estimation, and age inference.

This standard includes:

  • A collection of key terms and definitions;
  • Descriptions of the roles and responsibilities of key actors in the age assurance process;
  • Descriptions of some of the core characteristics necessary for age assurance to be implemented responsibly, such as system security, inclusivity, and a high level of privacy by design;
  • Metrics and considerations (such as risk assessments) that decision-makers in the age assurance ecosystem ought to maintain awareness of.

This standard largely aligns with the previously published international standard IEEE 2089.1 on Online Age Verification. There are, however, some key differences:

  • Structure: ISO/IEC 27566-1 breaks down age assurance into core characteristics, whereas IEEE 2089.1 breaks down age assurance into core phases of activity.
  • Scope: ISO/IEC 27566-1 applies to wider system cybersecurity, while IEEE 2089.1 includes considerations of system interoperability and approaches where a third party (namely a legal guardian) attests to the age of a user on their behalf.

Furthermore, IEEE 2089.1 is explicitly grounded in children’s rights and best interests as defined in the UN Convention on the Rights of the Child and its associated General Comment 25.

As a whole, ISO/IEC 27566-1 is a useful exploratory guide for what an age assurance ecosystem may look like. Meanwhile, IEEE 2089.1 is more instructive about what each actor in the ecosystem should do, with an explicit requirement to consider the unique contexts of children. Both standards can be used together, as they have no significant conflicts in content and have somewhat different use cases.

5Rights strongly urges industry to ground any approach to the design and use of age assurance systems in considerations of children’s rights and best interests, according to internationally agreed definitions.