Published November 10, 2025
Last updated January 12, 2026

A guide to ISO 27566-1: The new standard for age assurance systems

ISO 27566-1 establishes a global standard and framework for age assurance systems. It recommends a privacy-first design and the use of layered age assurance methods.
Brandon Chen
Key takeaways
  • ISO 27566-1 is a new international standard for age assurance systems. It builds on existing age assurance recommendations and regulations, and focuses on five key characteristics: functionality, performance, privacy, security, and acceptability.
  • The standard defines three core age assurance methods: verification (checking official documents), estimation (analyzing biological or behavioral characteristics), and inference (using verified information to infer age). It recommends a layered, "step-up" approach for combining multiple methods to reduce friction and increase confidence.
  • Privacy and security are central to the standard. Organizations should collect only the minimum necessary data, provide age assurance results without disclosing sensitive details, and automatically delete personal information after use.

As global regulations requiring age-appropriate access to online content and services expand, organizations face a critical challenge: How do you effectively check a user's age without creating a frustrating experience or compromising their privacy?

The International Organization for Standardization (the ISO) has provided a clear answer with its new standard, ISO 27566-1. The new standard offers a global blueprint for building trustworthy, effective, and fair age assurance systems without setting specific age requirements. Whether you're refining an existing age gate or building one from scratch, understanding this framework is essential for staying on top of many new and proposed age-related regulations.

In this post, we’ll cover Part 1, the framework of the ISO 27566-1 standard based on preliminary drafts. As of early November 2025, ISO 27566-1 is going through the publication process. To set the table, we’ll go over what the ISO is and how the frameworks in the standard are already being referenced in existing regulations.

What is the ISO?

The International Organization for Standardization is a worldwide federation of national standards bodies. It develops and publishes international standards for a vast range of industries, ensuring that products, services, and systems are safe, reliable, and of good quality. 

For example, ISO 27001 is a well-known standard for managing an organization’s sensitive data. Its importance is highlighted by its adoption, with major companies like Microsoft, Persona, Google, and Amazon all having undergone a third-party ISO 27001 certification process.

What is ISO 27566-1?

The ISO developed ISO 27566-1 to address the problem of poorly defined age assurance processes and the resulting lack of trust. It provides a comprehensive guide for designing, implementing, and evaluating age assurance systems by focusing on five key characteristics: functionality, performance, privacy, security, and acceptability.

The goal is to enable organizations to make confident, age-related eligibility decisions in a consistent, fair, and secure way.

Many regulations already align with the ISO 27566-1 framework

The frameworks proposed by ISO 27566-1 already exist in some global policies. For example, two pieces of legislation reference some of the same principles:

  • UK Online Safety Act (OSA): The UK’s Online Safety Act (OSA) applies to user-to-user, search, and pornography services. It requires service providers to complete risk assessments for illegal content, determine whether users under 18 can access the service, and implement highly effective age assurance measures. The law requires organizations to balance freedom of expression and privacy rights. 

  • Australia's Social Media Minimum Age Act: Australia's Social Media Minimum Age (SMMA) Act requires certain platforms that enable user interaction, such as social media companies, to take reasonable steps to verify that users are at least 16 years old. eSafety, the regulator, requires platforms to take "reasonable steps" to assess users’ ages and preserve their privacy.

The United Kingdom and Australia are notable for pioneering age-related legislation for online platforms. But many other governments are in the midst of forming or enforcing age-related regulations, including:

  • Ireland's Online Safety Code: Effective July 2025, Ireland’s Online Safety Code (OSC) requires video-sharing platforms that are headquartered in Ireland to prevent children from accessing pornography and extreme or gratuitously violent content.

  • France's Law on Securing and Regulating the Digital Space: France’s Law on Securing and Regulating the Digital Space (SREN Law) requires websites with pornographic content to implement robust, third-party age verification systems. 

  • Singapore's app store regulations: Effective March 2025, Singapore requires major app stores (like those from Apple, Google, and Samsung) to implement age assurance measures to prevent users under 18 from downloading apps with mature or adult-rated content.

  • United States state-level legislation: A wave of legislation is sweeping across the US. States like Utah, Texas, Florida, and Louisiana have passed laws requiring social media companies and/or sites with content "harmful to minors" to verify the age of their users and, in many cases, obtain parental consent for users under 18. 

These ongoing regulations serve to underscore the importance of understanding this standard, especially as regulators move away from the traditional self-attestation method of age verification.

Key age assurance metrics and definitions

To ensure an age assurance system is performing correctly, the ISO framework outlines several key metrics. When evaluating solutions, it's important to understand these terms:

  • True positive (TP): The system correctly identifies a user who meets the age requirement (e.g., allows an 18-year-old access to 18-plus content).

  • False positive (FP): The system incorrectly identifies a user who does not meet the age requirement as meeting it (e.g., allows a 16-year-old access to 18-plus content).

  • True negative (TN): The system correctly blocks a user who does not meet the age requirement (e.g., blocks a 16-year-old from 18-plus content).

  • False negative (FN): The system incorrectly blocks a user who does meet the age requirement (e.g., blocks an 18-year-old from 18-plus content).

These metrics are used to calculate classification accuracy, a key indicator of a system's overall performance. 

The formula for classification accuracy is: (TP + TN) / (TP + TN + FP + FN). 

The Age Check Certification Scheme (ACCS), a third-party certification organization, uses a similar approach to test the accuracy and reliability of age estimation solutions. Similarly, the Australian Age Assurance Technology Trial, which evaluated different solutions to determine if today’s technology could support the Australian SMMA Act, focused on accuracy. 

It’s also important to be aware of the different parties that may be involved in passing, enforcing, and complying with age assurance regulations. ISO 27566-1 shares three examples of stakeholders:

  • Policy makers: The government entities that establish age-related requirements for access to goods, content, services, venues, or spaces.

  • Relying parties: Entities, such as a company providing an age-restricted good, that rely on age assurance results to make decisions. This is most likely where your company falls if you’re evaluating age assurance solutions.

  • Age assurance providers: Entities, such as Persona, that are responsible for providing age assurance solutions and results.

In addition to covering metrics commonly used for age estimation, ISO 27566-1 also defines different categories of age assurance methods that you can use to gauge a user’s age.

Categorizing and layering age assurance methods

ISO 27566-1 categorizes age assurance methods into three core groups and notes that simply asking users their age without any further checks won’t be effective. The three groups are:

  • Age verification: Calculating a user's age by checking their date of birth against an official source, such as a driver's license or passport. The system must also ensure the document is genuine and belongs to the person presenting it, which may require a selfie check.

  • Age estimation: Estimating a user's age based on their biological or behavioral characteristics, such as facial analysis from a selfie or analysis of their digital presence. It determines a likely age range without requiring or confirming the user's identifying information.

  • Age inference: Inferring a user's age based on other verified information. For example, in some countries, people need to be 18 to get a credit card. If you can verify a card’s authenticity and ownership, you can infer that the owner is 18 or older.

The framework also promotes successive validation — a layered or "step-up" approach that can combine multiple methods to reduce friction and increase confidence. For example, you might try to infer the user’s age or use a low-friction age estimation check to start. If the user passes, you don’t require any further information. But if their inferred or estimated age is close to the required age threshold, you automatically "step them up" to a more robust method, like ID verification.

Australia directly references this concept in its regulatory guidance for the Social Media Minimum Age, stating that “applying the design principle of successive validation has the potential to support inclusive, proportionate and scalable age assurance.” It can also be a good business practice because starting with low-friction options can increase conversion and improve user experience. 
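The following added example (not code from Persona or from the standard) applies the step-up rule described above to a constructed test set and scores it with the TP/FP/TN/FN definitions and accuracy formula from the metrics section. The threshold of 18, the 3-year buffer, the sample users, and the idealised verification step are all assumptions made for illustration.

```python
from dataclasses import dataclass

THRESHOLD = 18  # required age (assumed for this example)
BUFFER = 3      # "close to the threshold" = within 3 years (assumed)

@dataclass
class User:
    true_age: int         # ground truth, known only in a labelled test set
    estimated_age: float  # output of a hypothetical age estimation check

# Constructed test set, not real measurements.
USERS = [User(16, 19.2), User(17, 18.5), User(15, 14.0), User(18, 16.9),
         User(19, 17.5), User(25, 24.0), User(30, 33.0), User(13, 12.5),
         User(21, 21.5), User(17, 21.4)]

def estimation_only(u):
    """Single method: allow or block on the estimate alone."""
    return u.estimated_age >= THRESHOLD

def needs_step_up(u):
    """True when the estimate is too close to the threshold to trust."""
    return abs(u.estimated_age - THRESHOLD) < BUFFER

def successive_validation(u):
    """Trust clear estimates; step borderline users up to verification."""
    if needs_step_up(u):
        # Idealised: document verification is modelled as returning the true age.
        return u.true_age >= THRESHOLD
    return u.estimated_age >= THRESHOLD

def confusion(users, decide):
    """Count outcomes: P/N = allowed/blocked, T/F = decision correct or not."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for u in users:
        allowed, eligible = decide(u), u.true_age >= THRESHOLD
        key = ("T" if allowed == eligible else "F") + ("P" if allowed else "N")
        counts[key] += 1
    return counts

def accuracy(c):
    return (c["TP"] + c["TN"]) / (c["TP"] + c["TN"] + c["FP"] + c["FN"])

if __name__ == "__main__":
    for decide in (estimation_only, successive_validation):
        c = confusion(USERS, decide)
        print(decide.__name__, c, f"accuracy={accuracy(c):.2f}")
    print("stepped up:", sum(needs_step_up(u) for u in USERS), "of", len(USERS))
```

The one false positive that survives step-up is the 17-year-old estimated at 21.4, who falls outside the buffer. Widening the buffer removes it at the cost of sending more users through verification.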

The importance of privacy and security in age assurance systems

ISO 27566-1 emphasizes protecting user data, with the understanding that age assurance systems rely on processing large amounts of personal information. Some of the core principles that the framework highlights are:

  • Privacy: Treating privacy as a core component of the system’s design rather than an afterthought. The framework suggests making the most privacy-protective settings the default and securing data throughout the user life cycle. 

  • Data minimization: Only collecting the minimum personal data necessary, using it for age assurance purposes, protecting it with access controls, and automatically deleting it after use. Additionally, the system should provide the final age assurance result (e.g., "over 18") to the relying party without disclosing the underlying sensitive information, like a date of birth or biometric data.

  • Security: Embedding multi-layered information security into the age assurance system with continuous threat modeling and strong encryption for data at rest and in transit. The system should also have traceable updates and a formal incident response plan to ensure a rapid and effective response to security breaches.
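As an added illustration of the data minimization principle (not code from Persona or from the standard), the sketch below has a provider reduce a date of birth to a signed yes/no result that the relying party can check without ever seeing the date of birth. The token layout, the shared HMAC key, and the 300-second lifetime are assumptions; a real deployment might use asymmetric signatures instead.

```python
import base64, hashlib, hmac, json
from datetime import date

def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def issue_result(dob, threshold, key, today, now, ttl=300):
    """Provider side: reduce the date of birth to a yes/no claim and sign it."""
    claims = {"over": threshold, "result": age_on(dob, today) >= threshold,
              "exp": now + ttl}  # the date of birth never enters the claims
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (payload, tag))

def verify_result(token, key, now):
    """Relying party side: return the claims, or None if forged or expired."""
    try:
        payload, tag = (base64.urlsafe_b64decode(p) for p in token.split("."))
    except ValueError:  # wrong number of parts or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    return claims if claims["exp"] >= now else None

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed value for the demo
    token = issue_result(date(2005, 3, 1), 18, key, date(2025, 2, 28), now=1000)
    print(verify_result(token, key, now=1000))  # only over/result/exp are visible
```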

The privacy and security frameworks focus on protecting the privacy and data of legitimate users. However, many organizations also need to defend against bad actors who try to bypass age requirements. Adding step-up identity verification checks to an age assurance system can be an effective way to keep minors from accessing age-restricted content and protect your platform from fraudsters and other bad actors. 

How Persona aligns with the ISO 27566-1 framework

Persona offers a comprehensive and flexible age assurance solution that aligns with the core principles of the ISO framework. You can create compliant and user-friendly age assurance flows with the following:

  • Age assurance solutions: Support for various age inference, estimation, and verification solutions, including email-based age inference and selfie age estimation. Choose from various age verification options, including database verifications and government ID checks with support for IDs from over 200 countries and territories. 

  • Successive validation: With the no-code Dynamic Flow editor, you can easily build a step-up system that layers age assurance methods. Customize verification options and create fallbacks to balance strong compliance and user experience.

  • Reusable age tokens: The framework encourages services that allow users to provide evidence of age via reusable tokens. Persona’s Reusable Personas feature does just that, allowing a previously verified user to reuse their verification instantly, often by just re-authenticating with their face.

  • Fraud detection: Persona’s comprehensive suite of verification checks is engineered to stop bad actors. From detecting sophisticated GenAI deepfakes to blocking users with physical disguises, the platform helps protect organizations from novel and scaling fraud attacks.

Persona takes a security- and privacy-first approach to design, and you can learn more about the platform's certifications and guiding principles on the security page.

Get ready for the future of age assurance

ISO 27566-1 provides a clear path for regulators that want to create age assurance requirements and organizations that need to implement age assurance systems. By aligning with its principles, you can build a system that will likely comply with emerging regulations and earn the trust of your users.

Book a consultation to learn more about designing an age assurance system that aligns with global standards

The information provided is not intended to constitute legal advice; all information provided is for general informational purposes only and may not constitute the most up-to-date information. Any links to other third-party websites are only for the convenience of the reader.
Brandon Chen
Originally from Taiwan, Brandon Chen is a California resident who loves to go fishing. By day, he works on the product marketing team.