18 June 2026: The UK Government is being advised to draw on an existing internationally agreed age assurance framework to underpin its recently announced ban on social media for children under 16 and assuage concerns that restrictions are unworkable or could infringe people’s privacy.
Ministers have yet to confirm how the ban – or related restrictions on functions such as infinite scrolling, or curfews – would be implemented. A guidance document from the Department for Science, Innovation & Technology simply states that ‘having a range of methods to prove age is important to ensure online spaces are accessible’ and confirms that different options will be set out by Ofcom in the coming months.
BSI, the UK’s national standards body, responded to the initial DSIT consultation calling for officials to draw from the internationally agreed standard, BS ISO/IEC 27566-1, Information security, cybersecurity and privacy protection of age assurance systems, highlighting BSI’s 2025 research showing that 42% of young Britons had lied to adults about what they did online and 27% had pretended to be a different person online.
The framework, published in February and with related guidance due to publish imminently, clarifies how to introduce age checks without this being overly burdensome for people or technology companies, or increasing risks to privacy and security through harvesting of data. While concerns have been raised about the workability of the ban and how to implement it, the standard is already available for use.
Initiated and developed with significant input from UK experts, it provides a clear structure and core characteristics for age assurance systems, supporting organizations in making age-related eligibility decisions without requiring people to always undergo full identity verification.
If this approach is used by the government, it would mean social media users would not need to give up personal data to confirm they are old enough, while still protecting young people from content and services that aren’t suitable, and providing confidence in the age assurance system. By putting privacy first, it would avoid the need for people to automatically have to upload passports or share full identities just to prove their age. Instead, the framework promotes sharing the minimum information needed, reducing the risk of data misuse or breaches.
This approach can also benefit firms by reducing complexity. In addition, the standard is international, enabling businesses to adopt a solution to age verification that could be harmonized with other countries.
Research by BSI last year found that almost half (47%) of UK adolescents wished they were growing up in a world without the internet, while 50% said a social media curfew would improve their lives. Two-thirds of young Britons were spending more than two hours on social media daily, with parents left in the dark by their children’s online activities, and 40% had set up fake or decoy accounts. The findings make clear the importance of action to protect children online, but also the need to ensure market confidence in the approach the UK takes.
Laura Bishop, Digital Sector Lead Artificial Intelligence & Cyber Security, BSI said: “Safeguarding the online well-being of adolescents and children is paramount, given the clear evidence of worrying behaviours. The government is right to take steps on this. If a complete ban is to be a success, it needs to be implemented in a straightforward way, without introducing new risks to privacy and data collection Age restrictions on any product or service can be difficult to enforce. The international framework BS ISO/IEC 27566-1 can act as a starting point on this journey towards a safe online world, by providing a practical framework establishing clear characteristics for trustworthy systems. Given the ambition to move at pace on this, we hope Government and Ofcom will choose to make use of this existing approach rather than start from scratch.
More broadly, given that children will eventually age out of the ban into a world where they are still expected to be digital natives, we need to consider how we equip them for the complexities of the digital world. This includes ensuring all platforms are designed so that they are human-centric and safe by design and default.”
While the government’s focus is on social media, recent BSI research has highlighted the need for a ‘safety by design’ approach to other technology they have access to. Research last month by BSI found that, despite being relatively new to the market,
half of children have already had an AI enabled toy or learning device purchased for them (50%), with 38% owning two or more. The FocalData survey, covering 1,000 parents of children up to age 16, found that three quarters of parents (75%) were worried about AI toys connected to the internet exposing their child to unwanted content or data risks. More than eight in ten (83%) felt that manufacturers should comply with established standards or codes of conduct, while 72% wanted clearer information about whether products meet safety or security requirements. The government recently published its
proposed new product safety framework, highlighting that this should address risks of harm linked to AI and automated decision-making, including in toys.
Alongside the age assurance framework, there are several standards social media organizations can utilize to help protect children from online harms, to be secure from cyber-attacks and to ensure privacy is by design and default. These include BS EN ISO/IEC 27701:2025, Privacy Information Management System , BS ISO 31700-1, Privacy by Design and BS ISO/IEC 42005:2025, AI System Impact Assessment.
Notes to editors
The age assurance framework BS ISO/IEC 27566-1 responds directly to issues that have eroded market confidence in age assurance thus far, including unclear processes, weak controls and disproportionate data use. It describes characteristics that support functionality, performance, privacy protection, security safeguards and user acceptability, across both digital and physical contexts.
Rather than mandating specific technologies or a single approach, the standard sets out the characteristics of robust age assurance systems and defines what good looks like, across effectiveness, privacy, security and acceptability. It is intended to support organizations in designing and assessing age assurance systems, enable policymakers to set outcome-focused requirements without forcing identity verification, and promote clearer expectations for individuals around privacy, transparency and usability, helping to build trust and acceptability.
BS ISO/IEC 27566-1 is relevant to policy makers and regulators; organizations providing age-restricted goods, content or services; age assurance and technology providers; and online platforms and content services. It is the first in a planned series. ISO/IEC 27566-2[2] and ISO/IEC 27566-3[3], currently in development, will build on this foundation and further support consistent, trustworthy age assurance globally.
The UK played a pivotal role in its development, with UK expert leadership in the editorial process and coordinated input via BSI’s national committee on age assurance (IST/33/5/5) into ISO/IEC JTC 1/SC 27 Working Group 5 on Privacy Technologies and Identity Management. This collaborative effort brought together expertise from regulators, industry, civil society and assurance communities, supporting international alignment and practical adoption.
About BSI
BSI is a global professional services company, providing training, assurance, certification and consultancy services worldwide. We partner with more than 77,500 clients globally to make the world safer, more secure and more sustainable by building trust in the things that matter most.
In the UK, BSI is appointed by Government as the National Standards Body. In this remit we play a vital role in shaping best practice across a range of industries. Our 14,000 committee members contribute to standards that underpin global trade and help organizations not only access new markets but also accelerate innovation.
For 125 years, we have helped turn good intentions into reliable outcomes that have a positive impact, guided by a simple belief: progress only works when it is safe, consistent and credible. From standardizing steel beams in 1901 to protecting society with helmet safety standards or leading the way in AI, net zero, and the next generation of global best practice – BSI works across society and industry to improve performance, reduce risk and drive sustainable growth.
Standards are voluntary, practical tools that capture shared best practice and provide a common language. BSI develops standards through collaboration and consensus, bringing together unmatched expertise across industry, government, consumers and academia. We then help organizations adopt, embed and demonstrate best practice through assurance, certification, training and insight — turning shared agreement into measurable impact. While we operate commercially, we are purpose-driven: reinvesting in our mission to serve the public good.
As BSI marks its
125th year, we continue to evolve what we do to keep pace with emerging technologies, new risks and changing societal expectations.
