Children's digital safety in the AI age is moving rapidly from voluntary best-practice space into active regulation across major jurisdictions. The picture is uneven, some frameworks are mature and in active enforcement, some are nascent, some are still being drafted, but the overall trajectory is unmistakable.
This article maps the major regulatory frameworks affecting AI products for or accessed by children. The focus is operational: what developers, families, regulators, and researchers need to understand about the regulatory environment to act effectively within it.
United Kingdom
The UK has been an early and influential mover on children's digital safety regulation, particularly through three instruments.
The Online Safety Act
The Online Safety Act establishes statutory duties on platforms and services to protect children from harmful content. Ofcom enforces. Codes of practice address content, design, and risk assessment. The Act's scope extends to AI-generated content and to AI-enabled services where children are foreseeable users.
The Age-Appropriate Design Code
The Age-Appropriate Design Code, the Children's Code, sets 15 standards for the design of online services likely to be accessed by children, enforced by the ICO. Standards include data minimization, default high privacy, no detrimental use of data, transparency, parental controls, and several others. The Code influenced California's AB-2273 and is referenced in policy debates across other jurisdictions.
The AI Security Institute
The AI Security Institute, formerly AI Safety Institute, does technical evaluation work that increasingly informs the regulatory environment for AI affecting children. Its work on model evaluation, red-teaming, and risk assessment is relevant to children's safety even where children are not the primary frame.
European Union
The EU has a comprehensive regulatory environment for digital products affecting children, with multiple instruments interacting.
The AI Act
The AI Act prohibits certain AI practices specifically when they target children, including subliminal manipulation and exploitation of vulnerabilities of children. Other practices are classified as high-risk with corresponding obligations. The AI Act's child-specific provisions are among the strictest globally.
GDPR Article 8
GDPR Article 8 sets specific rules for processing of children's data based on consent, with age thresholds between 13 and 16 depending on member state. GDPR-K provisions interact with AI Act and DSA requirements.
The Digital Services Act
The Digital Services Act establishes due diligence obligations for online platforms, with specific provisions on the protection of minors. Very large online platforms have additional obligations including risk assessment and mitigation for systemic risks to minors.
The Better Internet for Kids strategy
The Better Internet for Kids strategy provides the broader policy framework, with operational support for member states and platforms.
For products marketed to or accessed by children in the EU, the compliance surface is substantial and tightening. Operational implication: products designed with EU child-safety regulation as the binding constraint will satisfy most other jurisdictions' frameworks.
United States
US children's digital safety regulation operates through federal and state-level frameworks, with active development in both directions.
COPPA
COPPA, the Children's Online Privacy Protection Act, has governed children's online privacy since 1998. FTC rules under COPPA are being updated, and COPPA 2.0 legislative efforts seek to extend the framework. AI-specific applications of COPPA are being clarified through FTC enforcement actions.
The Kids Online Safety Act
The Kids Online Safety Act, KOSA, has been the most prominent federal legislative effort to extend the framework beyond privacy to broader child safety online, including design considerations affecting AI products. Its progress through legislation has been protracted but the principles it embodies are referenced across the broader regulatory debate.
State laws
State laws are increasingly important. California's AB-2273, the Age-Appropriate Design Code, mirrors much of the UK Children's Code. State attorneys general have pursued enforcement actions against AI products affecting children. State-level AI laws, Colorado, NYC LL144, others, have child-specific provisions or implications.
The operational picture for US developers is that of federal baseline through COPPA plus a patchwork of state-level laws plus FTC enforcement plus state AG enforcement. Designing to the strictest applicable state framework is the operationally simpler path.
India
India's DPDP Act includes specific provisions on processing of children's personal data: verifiable parental consent for processing of children's data, prohibition of behavioral monitoring and tracking of children, and prohibition of targeted advertising directed at children. India is also developing broader child online safety frameworks through MeitY and related ministries.
The Indian regulatory environment for children's digital safety is in active development. Operational implication for products serving Indian children: DPDP child-specific provisions plus emerging child safety guidance plus sector-specific rules, particularly for education through MoE and NCERT frameworks, need to be tracked together.
Other major frameworks
Australia operates under the eSafety Commissioner framework, with specific Basic Online Safety Expectations and powers to address harms to children. Canada is developing its own framework through PIPEDA updates and proposed legislation. Singapore operates through IMDA frameworks and the Online Safety Code. The UAE and South Africa have child-specific provisions through their data protection laws and emerging digital safety frameworks.
Across the globe, the trend is consistent: child-specific provisions are being added to data protection frameworks, and dedicated child online safety frameworks are emerging where they didn't previously exist.
Where the frameworks converge
Despite jurisdictional differences in specific provisions, major frameworks converge on similar broad principles for AI affecting children.
● Verifiable parental consent for collection of personal data from young children, with age thresholds varying between 13 and 16
● Data minimization, collection limited to what is necessary for the service
● Restriction on behavioral profiling and tracking of children
● Restriction on targeted advertising directed at children
● High default privacy settings for child users
● Transparency requirements, information about data handling provided to families in accessible form
● Specific protection against manipulation, exploitation of vulnerabilities, and addictive design directed at children
● Age-appropriate design as a substantive standard, not only a marketing claim
● Risk assessment obligations for platforms and services with foreseeable child users
● Enforcement mechanisms, regulator action, parental rights, sometimes private rights of action
Practical implications for developers
● Build to the strictest applicable framework and apply that standard everywhere, the cost saving from country-by-country variation is rarely worth the operational complexity and reputational risk
● Treat AI Act and the UK Children's Code as the practical floor for products with serious child exposure; they represent the most articulated current expectations
● Track regulatory evolution actively, the field is moving fast and frameworks change
● Invest in independent evaluation; regulators increasingly expect it and absence is itself a finding
● Engage with regulatory consultations; the frameworks being drafted now will define the operating environment for years
The shift to make
Stop treating children's digital safety regulation as a compliance burden that will catch up to your product eventually.
Start treating it as the regulatory environment your product is being designed for, with frameworks converging across jurisdictions on broadly similar principles, with enforcement maturing across regulators, and with public expectations rising in step with regulator expectations.
Developers, families, and researchers operating with regulatory awareness contribute to a field that improves children's digital safety as the technology evolves. The alternative, products designed to a 2018 understanding of children's digital safety, deployed into the 2026 regulatory environment, is the position most current products are in. The Foundation's work, in part, is to make the cost of that position visible.
