Children's Rights and AI: Age-Appropriate Design and Protection Requirements

EU AI Act Protections for Children

The AI Act provides specific protections for children in several provisions. Article 5(1)(a) prohibits AI systems that exploit vulnerabilities of specific groups, including children, due to their age, to materially distort their behavior in a manner that causes or is likely to cause significant harm. Article 5(1)(b) prohibits social scoring by public authorities that leads to detrimental treatment, with children as a particularly protected group. For high-risk AI systems, Article 9 risk management must account for foreseeable impacts on children. Recital 28 clarifies that the prohibition on exploitation of vulnerabilities covers AI systems designed to distort behavior of children "in a way that is likely to cause them or another person significant harm." The threshold is behavior distortion plus harm likelihood, not actual demonstrated harm.

UK Age Appropriate Design Code

The ICO's Age Appropriate Design Code (Children's Code), effective since September 2021, establishes 15 standards for online services likely to be accessed by children. For AI systems, key standards include: best interests of the child as a primary consideration in design (Standard 1); age-appropriate application of standards (Standard 4); data minimization limiting data collection for AI processing (Standard 8); default settings providing the highest privacy by default for child users (Standard 9); and profiling restrictions turning off profiling by default for children unless there is a compelling reason (Standard 14). AI-powered services that profile children for content recommendation, advertising targeting, or behavioral prediction must implement these standards. The ICO has enforcement powers including fines up to GBP 17.5 million or 4% of worldwide turnover under the UK GDPR.

COPPA and AI Data Collection from Children

The US Children's Online Privacy Protection Act (15 U.S.C. Sections 6501-6506) and the FTC's COPPA Rule (16 CFR Part 312) require operators of websites and online services directed to children under 13, or with actual knowledge of child users, to: provide parental notice of data practices, obtain verifiable parental consent before collecting personal information, allow parents to review and delete data, and limit data collection to what is reasonably necessary. For AI systems, this means: AI services likely used by children under 13 cannot collect training data from children without parental consent; AI chatbots interacting with children must implement age gates; and AI-generated profiles of children constitute personal information subject to COPPA. The FTC's 2023 COPPA Policy Statement emphasized that persistent identifiers used for AI-based behavioral advertising targeting children violate COPPA.

DSA Child Safety Obligations for Platforms

The Digital Services Act Article 28 requires online platforms to put in place appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors on their service. For AI-powered platforms, this includes: designing recommender systems and content moderation AI to consider child safety; not presenting advertisements based on profiling when the platform is aware with reasonable certainty that the user is a minor (Article 28(2)); and implementing systemic risk assessments that specifically evaluate risks to minors (Article 34(1)(d) for VLOPs). AI-powered age assurance mechanisms used to enforce these protections must themselves comply with data protection and proportionality requirements.

Age-Appropriate AI Design Principles

Designing AI systems for child safety requires: (1) safety-by-design embedding child protection into the AI system architecture, not added as an afterthought; (2) age estimation or verification proportionate to the risk, using privacy-preserving methods (such as on-device age estimation rather than document upload); (3) content filtering AI calibrated for age-appropriate outputs, with false-negative rates (allowing harmful content) weighted more heavily than false-positive rates; (4) limitation of persuasive design techniques (nudges, streaks, infinite scroll) powered by AI when interacting with children; (5) human escalation for AI interactions that detect potential harm or distress; and (6) transparency about AI use in language understandable to the relevant age group.

Enforcement and Liability Considerations

Enforcement against AI systems that harm children is intensifying. The FTC has ordered deletion of algorithms trained on children's data collected in violation of COPPA (Fortnite/Epic Games order, 2022). The ICO has investigated platforms for Children's Code violations related to recommendation algorithms. Under the AI Act, violations of Article 5 prohibitions carry the maximum penalty tier: EUR 35 million or 7% of global turnover. Organizations should conduct child impact assessments before deploying AI systems in contexts where children may be users, documenting the safeguards implemented and their effectiveness. The burden of demonstrating appropriate child protection measures falls on the provider and deployer.

This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.