Human Rights Experts Should Engage in Age Assurance Standards

As more countries restrict social media for children, what is currently missing from the discussion is the hidden children’s rights and human rights cost of mandatory age assurance, the necessary enforcement mechanism.

On June 15, 2026, the United Kingdom became the sixth country to announce age restrictions on social media platforms for children under the age of 16 as part of a wave of similar regulatory moves following the passing of Australia’s law in 2025. Different countries have chosen different ages at which to restrict access, different services for the restrictions to apply to (for example, extending to AI chatbots in some cases as well) and different enforcement models, creating a global regulatory patchwork for platforms to respond to.

Age restriction laws are a blunt tool that can be seen as an expression of frustration by governments who believe that social media platforms are causing children untold harm. Despite strong regulatory efforts across the world such as the UK Online Safety Act, the EU Digital Services Act and India’s IT Rules 2021, surveys of parents in Australia, the US, the UK, Malaysia and India show that parents are still concerned about social media and support a ban. The social media sector globally is worth more than $200 billion, and some companies have been accused of prioritizing engagement-driven profit over child safety.

Underpinning all of these social media bans across the world are age assurance technologies which are needed to determine who is under the restricted age, and who is old enough to access the platforms. Age assurance is a bucket heading for a multitude of different kinds of technology, all of which vary in terms of accuracy, ease of circumvention and data processing requirements. Age assurance tools are also developed by tech companies, and the age assurance industry is predicted to be worth more than $10 billion by 2029. Looking at the proliferation of recent laws around the world requiring age assurance measures to be put in place, it is not hard to imagine that figure increasing wildly.

All age assurance tools process data (including children’s data) to some degree, and are often underpinned by algorithms, and they all carry risks related to privacy, security, bias, discrimination and exclusion, for both children and the broader public. Under the UN Convention on the Rights of the Child, which is one of the most ratified international human rights laws globally, children’s privacy (Article 16 CRC) can only be interfered with if the reason for doing so is provided by law, is intended to serve a legitimate purpose and is proportionate. Even then, the UN Committee on the Rights of the Child, in its General Comments No. 25 on children’s rights in relation to the digital environment, makes it clear that the principle of data minimization must be respected, and the result must be in the best interests of the child.

Some recently enacted laws, for example in Australia and the UK, set parameters for age assurance technologies, requiring them to be effective, non-discriminatory and ‘privacy-preserving.’ While it is too early to tell whether laws currently under development in other countries will set similar parameters, it is clear that such parameters are only effective if they are actually enforced by the relevant authorities. Where such parameters are missing, data protection law can serve as a minimum layer of protection. However, this heavily depends on the scope of the data protection law and the financial and human resources of relevant authorities to enforce these laws. Other countries, for example, Malaysia and Rwanda, conflate age assurance with identity verification, stripping users of their anonymity and creating the potential for widespread online activity tracking and surveillance.

Widespread social media bans create a dangerous paradox. Such bans are introduced in part to protect children from surveillance capitalism's mechanics such as profiling, targeted advertising, and recommender systems. However, enforcing these bans requires an additional layer of extensive data collection with minimal safeguards actually implemented by regulators, potentially exposing users to increased government and private sector surveillance.

Enforcement means more data collection

Age assurance companies increasingly market themselves as 'privacy-preserving,' while positioning themselves alongside child protection advocates. The Global Age Assurance Standards Conference in 2026 ran with the tagline of “The world's leading experts on privacy-preserving, secure, reliable age assurance measures enabling a safer online experience for children”, featuring age assurance companies in a program alongside regulators and child protection specialists. In some countries, such as the UK, Australia, Europe, and Kenya, governments have produced guidance related to the requirements for age assurance tools to be accurate, fair, privacy-preserving, secure, and in line with data protection legislation. However, it is not clear whether there is any proactive enforcement of these guidelines, except for after the fact, where there is a security breach at an age assurance company. There is an urgent need for robust governance and regulatory oversight over age assurance, but this is not currently happening.

In the absence of proactive regulatory enforcement, technical standards are becoming more important for age assurance vendors. Complying with them lets vendors demonstrate due diligence to customers and signal that they are meeting the state of the art in terms of technical requirements.

Technical standards have been part of the digital ecosystem since the internet began, and were originally pioneered by engineers to ensure consistency, conformity and interoperability across networks. In more recent years, many standards have become more like implementing rules for law and policy, incorporating social requirements related to human rights, equality and inclusion, as well as technical aspects. This presents both a risk and an opportunity: if experts in human rights and children’s rights are part of the drafting process of technical standards, then these rights can be integrated into the architecture of products such as age assurance tools and translated into practice for engineers. However, if such experts are left out of the process, then it is likely that rights-based language such as ‘privacy-preserving’ and ‘fairness’ will be used incorrectly and with the potential to cause harm. This form of ‘rights-washing’ is similar to ‘green-washing,’ labeling a technology ‘privacy-preserving’ borrows the language of human rights to create the impression of compliance, without actually living up to any of the human rights standards.

The UN Office of the High Commissioner for Human Rights points out that historically, human rights considerations have only played a minor role in technical standard-setting processes. Participants generally have engineering, computer science and natural science backgrounds, with an underrepresentation of human rights expertise or other fields, such as social sciences, constitutional law, ethics and risk management. Participants in standard-setting processes overall lack diversity in terms of thematic expertise, cultural, professional, institutional, socioeconomic backgrounds, geographical representation and gender.

Participation is costly

Involving the required human rights and children’s rights experts in standards-making processes sounds simple, but in reality, having meaningful input into standards-making processes requires sustained input over a long period of time. First, it is necessary to join your national standards-making body, which sometimes carries a fee of more than $1,000 per year. Then there are meetings to attend, submissions to be made, and the whole process requires time, resources and stamina. All things that tend to be scarce within the human rights and children’s rights sector. Because technical standards are generally led by industry, the imbalance of power in this situation is stark, and as standards take on a quasi-regulatory role in the tech sector, there is a real risk of regulatory capture.

While the first technical standard on age assurance, PAS 1296:2018, was pioneered by the British Standards Institute, followed by the IEEE 2089.1 standard in 2024, ISO is now dominating the global technical standards space on this topic, with ISO/IEC 27566-1:2025 Age Assurance Systems being the most advanced effort to create a global standard for age assurance. This is a three-part set of standards consisting of an overarching framework which has already been published, together with two more detailed standards which cover technical approaches, guidance for implementation and approaches to analysis or comparison. According to a UNICEF case study, there is potential for this standard to detail how age-assurance tools can be developed to ensure they are effective while also respecting broader human rights, and to set clear guidelines for the collection and use of training data in AI-driven age-assurance solutions, helping to reduce bias for child users.

The extent to which the final ISO standard incorporates comprehensive protections for children’s rights and human rights principles more broadly depends largely on who is part of the drafting process. So this is a call to action if you are with a digital rights organization or an individual human rights expert to get involved via your national standards-making body. And if you are a donor wondering where your funds might have a targeted and tangible impact, go fund some of these digital rights groups to get involved with their national standards-making bodies, especially those in the Global South who tend to be underrepresented in the development of ‘global’ standards.

We predict that technical standards are likely to be where the rubber hits the road when it comes to implementing human rights and children rights respecting age assurance tools. That is why this is important right now.

Standards alone aren’t enough

Once global standards on age assurance are finalized, whether by ISO or another standards-making body, the next step will be to ensure that certification bodies are equipped with the expertise to audit age assurance companies against the human rights and children’s rights requirements written into the standards. It is also important, of course, for experts in human rights and children’s rights to be part of any subsequent certification process to assess whether any specific age assurance tool meets the designated standard.

This does not, however, by any means let regulators off the hook. Technical standards should never be a replacement for robust regulations drafted by governments, along with detailed implementing regulations that incorporate constitutional and human rights laws.