What is IEEE 2089? Understanding the international age assurance standard
New age mandates continue to emerge across the world. For product managers, compliance officers, and legal professionals responsible for implementing age assurance, understanding internationally recognized frameworks is essential.
ISO 27566 and IEEE 2089 are the two leading internationally recognized standards for age assurance referenced by regulatory bodies creating guidelines for recent age mandates. While both standards address age assurance, they serve complementary purposes:
ISO 27566-1 breaks down age assurance technical solutions into core characteristics and focuses on secure and privacy-preserving frameworks.
IEEE 2089.1 offers more prescriptive guidance on the role of each actor in the ecosystem, offers advice on how to evaluate whether your organization should apply age assurance, and explicitly grounds its recommendations in children's rights as defined by the UN Convention on the Rights of the Child.
This guide focuses primarily on IEEE 2089.1-2024, which addresses online age verification technology as part of the broader IEEE 2089 framework for age-appropriate digital experiences.
What is the IEEE 2089 standard?
The IEEE 2089 family of standards provides a framework for designing digital experiences with children in mind. It operates on the principle that digital services should account for a child's age, developmental capacity, and rights. The IEEE Standards Association (IEEE SA) published IEEE 2089.1-2024 in May 2024 using the 5Rights Principles as an ethical blueprint.
Before diving into the specifics, let’s take a closer look at the organizations and principles behind this standard:
What is the IEEE SA? The IEEE Standards Association (IEEE SA) is the standard-setting body of the IEEE. It develops globally recognized frameworks through an accredited consensus process that brings together industry, academic, and scientific experts.
What are the 5Rights Principles? The 5Rights Principles assert that children have specific digital rights, including the right to remove their digital footprint, know how their data is used, receive safety and support, engage in conscious use, and access digital literacy. The UK-based 5Rights Foundation developed these principles to clearly outline rights set out by the United Nations Convention on the Rights of the Child (UNCRC).
Why is the IEEE 2089 standard significant? As lawmakers around the world enforce strict age requirements, this standard gives organizations a practical set of guidelines and best practices. It offers a trusted level of validation for age assurance decisions, helping companies meet legal requirements and mitigate risks while promoting children's safety, privacy, and autonomy. According to UNICEF, one in three internet users is a child, making age assurance a critical consideration for most organizations.
The IEEE 2089 family of standards
IEEE 2089 isn't just one standard; it's a family of related standards. Understanding how they fit together helps clarify where IEEE 2089.1-2024 fits into the broader framework:
IEEE 2089-2021: The foundational standard that established the overarching age-appropriate digital services framework based on the 5Rights Principles.
IEEE 2089.1-2024: Provides technical requirements for designing, evaluating, and deploying online age verification and estimation systems.
IEEE P2089.2: An active project developing standards for formatting terms and conditions for children's online engagement.
IEEE P2089.3: An active project establishing standards for managing and verifying online parental consent.
This post covers IEEE 2089.1-2024. Contact our team to learn more about the other standards in this family.
Understanding your role and how to use the standard
Before you can implement IEEE 2089.1-2024, you need to understand which role your organization plays in the age assurance ecosystem.
The standard defines three key actors: relying parties (platforms requiring age assurance), age assurance providers (companies like Persona offering verification technology), and users (people being verified). In addition to those key actors, process assessors (auditors evaluating systems) may assess your system after implementation, based on your applicable regulatory requirements.
For organizations implementing or evaluating age assurance, here's how the standard applies:
Role | Who this is | How to use IEEE 2089.1-2024 |
Relying party | An information society service (ISS) offering content, goods, or services to users online that require age assurance. If you operate a platform, app, or website restricting content by age, this is you. | Develop vendor agreements concerning processes that deliver age assurance up to legally required or publicly promised standards. |
Age assurance provider | An internal team or third-party company, such as Persona, that supplies age verification or estimation technology to a relying party. | Select, structure, and employ elements necessary to deliver compliant age assurance to clients. |
Process assessor | Organizations that audit and evaluate age assurance systems for compliance and effectiveness. | Use as a process reference model for auditing and improving digital services. |
Note: Users (the individuals whose age is being verified) are central to the ecosystem but don't directly use or implement the standard.
Seven scenarios where IEEE 2089 applies to your platform
You may need to implement age assurance if your platform meets any of these seven scenarios outlined by IEEE 2089.1-2024:
You provide services or products that engage with children intentionally or in the course of general operations.
You’re building a new generic or application-specific online service from scratch that may be accessed by children.
You’re majorly revising an existing product, service, or system that engages with children.
You’re planning to acquire a tailored product, service, or system that may engage with children.
You want to or are required to prevent all children, or children of a specific age range, from accessing a service.
You want to or are required to deliver age-specific benefits to children of a certain age range (e.g., a children's news portal).
You’re conducting research (e.g., universities) and adapting systems that may engage with children.
Implementing age assurance: A phased approach
Once you know you need age assurance, IEEE 2089.1-2024 provides an implementation roadmap broken into seven phases. Think of these less as sequential steps and more as interconnected considerations — privacy and data security, for example, should inform your approach throughout the entire process.
Phase 1: Assessing whether you need age assurance
The first phase involves assessing what risks your platform poses to children. Before you can choose the right level of age assurance, you need to understand these risks.
IEEE 2089.1-2024 uses the "4 Cs" framework to classify risks:
Content risks: Exposure to harmful material E.g. Violent content, CSAM, disinformation | Contact risks: Interaction with malign actors E.g. Grooming, catfishing, scams |
Conduct risks: Participation in harmful exchanges, either as a victim or perpetrator E.g. Trolling, cyberbullying, sharing intimate material | Contract risks: Exposure to inappropriate commercial pressures E.g. Hidden costs, gambling, compulsive use, excessive data collection |
By evaluating your platform across these four categories, you can determine both the type and severity of potential harm, which then informs what level of age assurance you need.
For example, a minor on a social media platform might face content risks (adult content), contact risks (inappropriate messages from adults), conduct risks (cyberbullying), and potentially contract risks (in-app purchases). This combination of risks would likely require a Standard or Enhanced assurance level.
Phase 2: Choosing your assurance level
Once you understand your platform's risk profile, you can determine which of the five assurance levels you need. The standard defines these levels — strict, enhanced, standard, basic, and asserted (self-declared) — to scale with the potential harm:
IEEE 2089.1-2024 evaluates age assurance systems across six indicators. A system's overall level matches whichever indicator scores lowest across these six categories:
Accuracy of the outcome: Evaluated via strict margins of absolute error and false positive/negative rates.
Frequency: How often age assurance must take place (e.g., weekly, monthly, annually).
Counter-fraud: The extent to which false claims are deterred and investigated.
Authenticity: The strength of the authentication method (from simple PINs to biometrics with liveness detection).
Frequency of authentication: How often a returning user's authenticity is verified.
Birth date requirements: Whether a specific birth date must be retained, included but not stored, or is not required at all.
Phases 3-7: Implementation, privacy, and ongoing management
After selecting your approach, the remaining phases guide you through execution:
Phase 3 (Assurance): Verify or estimate the age of each user to ensure they meet the restriction requirements before granting access.
Phase 4 (Categorization): Assign a confidence level to each completed age assurance check.
Phase 5 (Interoperability): Allow your age assurance provider to securely exchange the results of an age check with other providers in a privacy-preserving fashion to prevent the child from having to reverify multiple times.
Phase 6 (Privacy): Ensure solutions protect user privacy by design (e.g. no personal attributes other than age are passed on, data is minimized, etc.).
Phase 7 (Data security): Ensure any personal data used or retained during the process is stored securely and in accordance with all applicable laws.
Putting it into practice: What this means for your platform
IEEE 2089.1-2024 provides a clear framework, but implementing it at scale requires the right technology partner. Your platform should look for age assurance providers that offer privacy by design, layered verification methods, and configurable workflows that adapt to different risk levels and regulatory requirements. By combining the standard's guidance with the right tools, you can protect minors while maintaining a positive user experience.
How Persona supports IEEE 2089 compliance
Persona is a configurable identity platform whose age assurance solutions align with the IEEE 2089.1-2024 framework, offering the flexibility you need to meet compliance requirements across jurisdictions and use cases.
Our platform supports:
Multiple verification methods, from government ID checks and database verification to selfie age estimation, so you can build layered, step-up flows that balance friction and assurance.
Configurable workflows: use Dynamic Flow to create custom age assurance experiences tailored to your risk profile and regulatory requirements.
Privacy by design with automated data minimization, PII redaction, and consent management built into every verification.
Fraud prevention, including liveness detection and spoof and presentation attack detection to stop bad actors from bypassing age requirements.
Whether you're implementing age assurance for the first time or refining an existing program, understanding IEEE 2089.1-2024 gives you a strong foundation. Contact us to learn how we can help you build an age assurance system that meets global standards without sacrificing user experience.