BSI urges existing age standard for social media ban

BSI has urged the Government and Ofcom to use an existing international age assurance standard for any social media ban on under-16s, arguing that it could enforce restrictions without expanding personal data collection.

The intervention follows the Prime Minister’s announcement of a proposed ban for children under 16, alongside possible limits on features such as infinite scrolling and curfews. Ministers have not yet explained how the measures would work in practice, and Ofcom is expected to outline options for age checks.

BSI said officials should draw on BS ISO/IEC 27566-1, an international framework for age assurance systems published earlier this year. It argues that the standard provides a practical structure for making age-related eligibility decisions without requiring full identity verification in every case.

The issue has become politically sensitive because critics of tighter online restrictions have questioned both whether they can be enforced and whether they would require people to hand over excessive personal information. BSI argues that an existing standard addresses those concerns and could be adopted more quickly than designing a new model from scratch.

Privacy concerns

The framework is intended to reduce the amount of data shared when users prove their age. In practice, that means people would not automatically need to upload passports or disclose their full identity simply to show they are old enough to access a service.

The standard sets out the characteristics of age assurance systems, covering privacy, security, effectiveness and user acceptability. Rather than prescribing a single technology, it defines what a robust system should look like while allowing for different methods.

BSI also pointed to a broader commercial argument. Because the standard is international, companies operating across multiple markets could adopt a more harmonised approach to age verification instead of adapting to different national systems.

That matters for social media platforms and technology providers facing growing pressure from regulators in several countries to protect children online while avoiding unnecessary collection of sensitive data. A common framework could also help policymakers set rules focused on outcomes rather than mandating a single form of identity checking.

BSI backed its call with research on young people’s online behaviour, saying its 2025 findings showed that 42% of young Britons had lied to adults about what they did online, while 27% had pretended to be a different person online.

Separate research cited by the organisation found that 47% of UK adolescents wished they were growing up in a world without the internet, while 50% said a social media curfew would improve their lives. It also found that two-thirds spent more than two hours a day on social media and 40% had set up fake or decoy accounts.

Those figures are likely to strengthen the case for intervention, but they also highlight the difficulty of designing restrictions that are both workable and proportionate. Age checks that are too weak may be easy to bypass, while systems that are too intrusive could deter users and create new privacy risks.

Laura Bishop, Digital Sector Lead, Artificial Intelligence & Cyber Security, BSI, said: “Safeguarding the online well-being of adolescents and children is paramount, given the clear evidence of worrying behaviours. The Government is right to take steps on this. If a complete ban is to be a success, it needs to be implemented in a straightforward way, without introducing new risks to privacy and data collection. Age restrictions on any product or service can be difficult to enforce. The international framework BS ISO/IEC 27566-1 can act as a starting point on this journey towards a safe online world by providing a practical framework that establishes clear characteristics for trustworthy systems. Given the ambition to move at pace on this, we hope the Government and Ofcom will make use of this existing approach rather than start from scratch.”

Wider safety

Bishop also linked the social media debate to the wider question of how children interact with digital products. In BSI’s view, online protection should not be treated solely as a matter of access controls, but also of product design.

It cited separate research into AI-enabled toys and learning devices, where uptake among families appears to be rising despite concerns over data use and exposure to inappropriate material. According to the survey, half of children had already had one of these devices bought for them, and 38% owned two or more.

The same poll found that 75% of parents were worried about internet-connected AI toys exposing children to unwanted content or data risks. More than eight in ten said manufacturers should comply with established standards or codes of conduct, while 72% wanted clearer information about whether products met safety or security requirements.

BSI said this points to the need for a “safety by design” approach across digital services and connected devices. The Government’s proposed product safety framework has already identified harm linked to AI and automated decision-making as an area needing attention, including in toys.

“More broadly, given that children will eventually age out of the ban into a world where they are still expected to be digital natives, we need to consider how we equip them for the complexities of the digital world. This includes ensuring all platforms are designed so that they are human-centric and safe by design and default,” Bishop said.