(a)

Proportionality and appropriateness: Article 28(1) of Regulation (EU) 2022/2065 requires any measure taken to comply with that provision to be appropriate and proportionate to ensure a high level of privacy, safety, and security of minors. Since different online platforms may pose different types of risks for minors, it will not always be proportionate or appropriate for all providers of online platforms to apply all, or only some of the measures described in these guidelines. Determining whether a particular measure is proportionate and appropriate, in particular where it entails an interference with individuals’ fundamental rights, will require a case-by-case review by each provider (i) of the risks to minors’ privacy, safety and security stemming from its online platform or parts of it, considering among others the size, reach and type of the service it provides and its nature, its intended or current use, its specific features and the user base of the service, (ii) of the impact of the measure on children’s rights and other rights and freedoms enshrined in the Charter of Fundamental Rights of the European Union (‘the Charter’); and of (iii) the need to base such measures on the highest available standards and existing good practices, as well as the perspective and rights of children (see Section 5 on Risk review).

(b)

Protection of children’s rights: These rights are enshrined in the Charter, which guarantees the protection of children’s rights in implementing Union law, and the United Nations Convention on the Rights of the Child (‘the UNCRC’), which all Member States have ratified (18). Children’s rights form an integral part of human rights, and all those rights are interrelated, interdependent and indivisible. In line with Article 24 of the Charter, in all actions relating to children, whether taken by public authorities or private institutions, the best interests of the child must be a primary consideration. Therefore, to ensure that measures to achieve a high level of privacy, safety and security for minors on an online platform are appropriate and proportionate, all children’s rights should be considered and their best interests taken as a primary consideration. Any discrimination based on any ground such as sex, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation shall be prohibited, in line with Article 21 of the Charter. Children’s rights include for instance their right to protection (19), non-discrimination, inclusion, privacy, access to information and education, freedom of expression as well as participation (20) and to have their views taken into account in all matters that concern them (21).

(c)

Privacy-, safety- and security-by-design: providers of online platforms accessible to minors should integrate high standards of privacy, safety and security in the design, development and operation of their services (22). By-design concepts aim to harness the influence of providers of online platforms, designers and policymakers to shape product and service development in ways that prioritise values that promote human well-being. They refer to embedding privacy, safety and security protections by default into the design, operation and management of organisations, as well as in products and services from the start (23).

(d)

Age-appropriate design: providers of online platforms accessible to minors should design their services to align with the developmental, cognitive and emotional needs of minors, while ensuring their safety, privacy, and security. Age-appropriate designs are suitable for children considering their rights and well-being as well as their diversity and specific age or stage of development and take account of the evolving capacities of children (24).

(a)

How likely it is that minors will access its service, notably in view of its nature, purpose, intended use as well as criteria relevant to determine whether the service is accessible to minors.

(b)

The actual or potential impact on the privacy, safety and security of minors that the online platform may pose or give rise to, based on the 5Cs typology of online risks to children (Annex). This includes an examination of how different aspects of the platform may give rise to these risks, their likelihood and severity, as well as consideration of their positive impact on children’s rights and well-being, taking into consideration the age and evolving capacities of children. For example, aspects such as the purpose of the platform, its design, interface, value proposition, marketing, features, functionalities, number and type of users and uses (actual and expected) may all be relevant. This should include an indication of the level of risk for minors on the platform (e.g. low, medium or high), based on clear criteria, in accordance with existing standards and best practices, for example for child rights impact assessment as mentioned in paragraph 22.

(c)

The measures that the provider is already taking to prevent and mitigate these risks.

(d)

Any additional measures that are identified in the review as appropriate and proportionate to ensure a high level of privacy, safety and security for minors on their service. The measures that providers may need to take should address the risks to privacy, safety, and security that originate from the experience of minors with the service, including those risks that originate from the actions of other users of the service.

(e)

How measures uphold the general principles of Section 4.

(f)

Metrics that allow the provider to monitor over time the effectiveness of the measures they have in place to address certain risks.

(g)

The potential positive and negative effects on children’s or other users’ rights of any measure that the provider currently has in place and any additional measures, ensuring that these rights are not disproportionately or unduly restricted and positive effects can be maximised. Children’s or other users’ rights that may be adversely affected by some measures include, for example, children’s rights to participation, privacy, protection of personal data, freedom of expression and information. This is relevant when determining the proportionality of measures.

(a)

Self-declaration consists of methods that rely on the individual to supply their age or confirm their age range, either by voluntarily providing their date of birth or age, or by declaring themselves to be above a certain age, typically by clicking on a button online.

(b)

Age estimation consists of methods which allow a provider to establish that a user is likely to be of a certain age, to fall within a certain age range, or to be over or under a certain age (33).

(c)

Age verification is a system that relies on physical identifiers or verified sources of identification that provide a high degree of certainty in determining the age of a user.

(a)

Where certain products or services pose a high risk to minors and those risks cannot be mitigated by less restrictive measures, considering applicable Union and national laws, such as by way of example:

(b)

Where, due to identified risks to minors, the terms and conditions or any other contractual obligations of the service require a user to be 18 years or older to access the service even if there is no formal age requirement established by law.

(c)

Any other circumstances in which the provider of an online platform accessible to minors has identified risks to minors' privacy, safety, or security, including content, conduct and consumer risks as well as contact risks (e.g., arising from features such as live chat, image/video sharing, anonymous messaging), where these risks cannot be mitigated by other less intrusive measures as effectively as by access restrictions supported by age verification (36).

(d)

Where Union or national law, in compliance with Union law, prescribes a minimum age to access certain products or services offered and/or displayed in any way on an online platform, including specifically defined categories of online social media services (37).

(a)

Where, due to identified risks to minors’ privacy, safety and security, the online platform service’s terms and conditions or similar contractual obligations of the service require a user to be above a required minimum age that is lower than 18 to access the service, based on the provider’s assessment of risks for minors on the platform (45) (46).

(b)

Where the provider of the online platform has identified medium risks to minors on their platform as established in its risk review (see Section 5 on Risk Review) (47) and those risks cannot be mitigated by less restrictive measures. The Commission considers this will be the case where the risk is not high enough to require access restriction based on age verification but not low enough that it would be appropriate to not have any access restriction or to have access restriction that is not supported by any age assurance methods or is only supported by self-declaration. Self-declaration is not considered to be an appropriate age-assurance measure as further explained below.

(a)

Accuracy. How accurately any given method determines the age of the user.

The accuracy of an age verification or estimation method should be assessed against appropriate, clear, and publicly available metrics. These metrics are necessary to evaluate the extent to which the method can correctly determine whether a user is above or below a certain age, or a person's age range (50). Providers of online platforms should periodically review whether the technical accuracy of the method used still matches the state-of-the-art.

(b)

Reliability. How reliable a given method works in practice in real-world circumstances.

For a method to be reliable, it should be available continuously at any time, and work in different real-world circumstances, beyond ideal lab conditions. Providers of online platforms accessible to minors should assess, before employing a specific age assurance solution, that any data relied upon as part of the age assurance process comes from a reliable source. For example, a self-signed proof of age would not be considered reliable.

(c)

Robustness. How easy it is to circumvent a given method.

A method that is easy for minors to circumvent will not be considered robust enough and will therefore not be considered effective. Such level of ‘easiness’ shall be assessed by providers of online platforms accessible to minors on a case-by-case basis, considering the age of the minors to which the specific measures are addressed. Providers of online platforms accessible to minors should also assess whether the age assurance method provides safety and security, in line with the state-of-the-art, to ensure the integrity of the age data being processed.

(d)

Non-Intrusiveness. How intrusive is a given method on users’ rights.

Providers of online platforms accessible to minors should periodically assess the impact the chosen method will have on recipients' rights and freedoms, including their right to privacy, data protection, and freedom of expression (51). According to the European Data Protection Board, and in line with Article 28(3) of Regulation (EU) 2022/2065 (52), a provider should only process the age-related attributes that are strictly necessary for the specific purpose and age assurance should not be used to provide additional means for providers to identify, locate, profile or track natural persons (53). If the method is more intrusive than another method that provides the same level of assurance and effectiveness, the less intrusive method should be chosen. This includes an assessment of whether the method provides full transparency about the process in line with Article 12 of Regulation (EU) 2016/679 and/or provides information about the user at risk. In no circumstances can the data processed for the purposes of ascertaining whether a user is above or below a certain age be stored or used for other purposes.

(e)

Non-discrimination. How a given method can discriminate against some users.

Providers of online platform accessible to minors should make sure that the chosen method is appropriate and available for all minors, regardless of disability, language, ethnic, gender, religious and minority backgrounds.

(a)

Explain to users the benefits and risks of registration and, where relevant, why registration is necessary (see Section 8.4 on Transparency).

(b)

Ensure that the registration process is easy for all minors to access and navigate, according to their evolving capacities, including those with disabilities or additional accessibility needs, and in a language that they can understand.

(c)

Ensure that the registration process includes measures to help users to understand whether they are old enough to use the service. In line with point d. below, these measures should only be presented to users after an age assurance method, including self-declaration, has been applied.

(d)

Avoid encouraging or enticing users who are below the minimum age required by the online platform accessible to minors to create accounts or to access the service and take measures to reduce the risk of this happening (55).

(e)

Ensure that it is easy for minors to log out and to have their account deleted at their request.

(f)

Use the registration process as one opportunity to carry out age assurance if necessary, in view of recommendations in Sections 5 and 6.1 (56), as well as highlight the safety features of the platform or service, the rules of conduct along with their respective consequences for violating terms, any identified risks to a minor’s privacy, safety or security and resources available to support users.

(g)

Ensure that the registration process does not encourage or entice children to make available or share on their profile more information than necessary for the functioning of the service, and that consent from the child’s parent or guardian is sought where necessary under Union or Member State law.

(a)

Ensure that privacy, safety and security by design principles are consistently applied to all account settings for minors.

(b)

Set accounts for minors to the highest level of privacy, safety and security by default. This includes designing default settings in such a way as to ensure safe and age-appropriate settings for minors, taking into account their evolving capacities. These settings should ensure that by default for all minors, as a minimum:

(c)

Consider whether, depending on minors’ ages and evolving capacities and the outcome of a provider’s risk review, it is necessary to go beyond the minimum standard for default settings set out in this Section 6.3.1, and design and implement default settings that are more restrictive. For example, by designing default settings for younger minors where no other user is allowed to engage in certain types of interactions.

(d)

Regularly test and update default settings, ensuring that they remain effective after all updates, and against emerging online risks and trends, including any risks to minors’ privacy, safety and security identified by the provider in the course of their review of risks (see Section 5 on Risk review).

(e)

Ensure that minors are not in any way encouraged or enticed to change their settings to lower levels of privacy, safety and security, and that any options to change default settings are presented in a neutral way.

(f)

Ensure that minors are provided with incremental degrees of control over their settings, according to their age, evolving capacities and needs, to support their growing autonomy and provide them with more agency (58).

(g)

Ensure that settings are explained to minors in a child-friendly and accessible way (see Section 6.4 on Online interface and other tools).

(a)

Empower minors with the ability to choose between temporarily changing their default settings, for example for a period of time or for current use in that session and permanently changing their default settings.

(b)

Enable easy return to default settings, such as a one-click reset or a history-based undo feature for settings that have been changed.

(c)

Present warning signals at the point at which the minor changes their settings, clearly explaining the potential consequences of their changes.

(d)

Periodically provide reminders to minors about the potential consequences of their change and periodically provide them with the opportunity to return to their default settings.

(e)

Automatically turn off geolocation, microphone and camera as well as not strictly necessary tracking features after the session ends, if a minor turns them on.

(f)

When geolocation, microphone and camera are switched on, make this obvious to minors throughout the period during which they are switched on.

(a)

Consider whether some settings, features or functionalities should be removed from minors’ accounts altogether and/or whether any of the default settings set out in the previous Section 6.3.1 should be made irreversible or unchangeable for all minors or for minors of certain ages, taking into account their age and evolving capacities, and remove and/or make irreversible such settings on the basis of that assessment. When making this assessment, providers of online platforms accessible to minors should assess the manner in which those settings and functionalities may impact the high level of privacy, safety and security of minors on their platform.

(b)

Ensure that irrespective of the account settings chosen by minors:

(c)

Ensure that minors are provided with the possibility to restrict the visibility of their profile photo and of individual pieces of content that they publish, as well as the possibility to restrict the visibility of their content generally.

(d)

Ensure that minors are provided with the possibility to accept or reject any tagging by other users, whether in content, comments or otherwise.

(e)

Implement measures to prevent minors from inadvertently accepting unwanted contacts by, for example, requiring users to include a message when they request to connect with a minor.

(a)

Ensuring that online interface design offers an age-appropriate experience for minors.

(b)

Ensuring that minors are not exposed to persuasive design features that are aimed predominantly at engagement and that may lead to extensive use or overuse of the platform or problematic or compulsive behavioural habits. This includes the possibility to scroll indefinitely, the superfluous requirement to perform a specific action to receive updated information on an application, automatic triggering of video content, notifications artificially timed to regain minors’ attention, notifications that are artificial, including those that pretend to be another user or social notifications about content that the user has never engaged with, signs communicating scarcity and/or urgency (59), and the creation of virtual rewards for performing (repeated) actions on the platform.

(c)

Introducing customisable, visible, easy-to access and use, child-friendly and effective time management tools to increase minors’ awareness of their time spent on online platforms. To be effective, these tools should deter minors from spending more time on the platform. These could also include nudges that favour safer options. There should also be systematic implementation of active notifications informing minors of the time spent online.

(d)

Ensuring that any tools, features, functionalities, settings, prompts, options and reporting, feedback and complaints mechanisms are child-friendly, age-appropriate, easy to find, access, understand and use for all minors, including those with disabilities and/or additional accessibility needs, are engaging, and do not require changing devices to complete any action involved.

(e)

Ensuring that, if AI features, such as AI chatbots and filters, are integrated into an online platform accessible to minors, they are not activated automatically and minors are not encouraged or enticed to use them, and that such systems are in line with their evolving capacities and designed in a way that is safe for them. In this regard, the Commission considers that AI features should only be made available on online platforms accessible to minors after an assessment of the risks those AI features may pose to minors’ privacy, safety and security, and that they should be easy to turn off and it should be clear when they are not.

(f)

Ensuring that technical measures are implemented to warn (60) minors that interactions with an AI feature is different from human interactions and that these features can provide information that is factually inaccurate and can be misleading. This warning should be easily visible, drafted in child-friendly language, and directly accessible from the interface and throughout the entire duration of the minor’s interaction with the AI feature. For example, AI chatbots should not be displayed prominently, they should not be part of suggested contacts or grouped with users the minor is connected to. Providers of online platforms should ensure that minors and their guardians have options to opt out of the use of AI chatbots and should not be nudged towards using those features (61). Such AI features cannot be used to influence or nudge minors towards commercial content or purchases.

(a)

Regularly test and adapt their recommender systems to enhance the privacy, safety and security of minors and in accordance with the risk review provided under Section 5, which includes a consideration of children’s broader rights. Such testing and adaptation should be conducted by consulting minors, guardians and independent experts.

(b)

Take into account specific needs, characteristics, disabilities and additional accessibility needs of minors, also with due consideration to their age group, when defining the objectives, parameters and evaluation strategies of recommender systems. Parameters and metrics related to accuracy, diversity, inclusivity and fairness should be prioritised.

(c)

Ensure that recommender systems do not rely on the collection of any behavioural data that captures the minor's activities off the platform.

(d)

Ensure that, if a recommender system relies on the processing of behavioural data about a minor, the suggestions of specific information to minor recipients of the service or the prioritisation of that information does not rely on the processing of behavioural personal data that is so extensive as to capture all or most of the minor’s activities on the platform, which may give rise to the feeling that the minor's private life is being continuously monitored.

(e)

Ensure that recommender systems rely on ‘implicit engagement-based signals’ only after having assessed whether it is in the best interests of the minor, taking into account the principles of data minimisation and transparency, and provided that such use is clearly defined and subject to appropriate safeguards as further defined in the recommendations above.

(f)

For the purposes of the present guidelines, ‘implicit engagement-based signals’ shall be understood as referring to signals and data that infer user preferences from their activities (browsing behaviour on a platform), such as time spent viewing content and click-through rates.

(g)

Prioritise ‘explicit user-provided signals’ to determine the content displayed and recommended to minors. The selection of such signals should be justified in the best interests of the minor, taking into account the principles of data minimisation and transparency, which will help to ensure that they contribute to a high level of safety and security for minors. For the purposes of the present guidelines, ‘explicit user-provided signals’ shall be understood as referring to user feedback and interactions that indicate users’ explicit preferences, both positive and negative, including the stated and deliberative selection of topics of interest, surveys, reporting (65), and other quality-based signals.

(h)

Implement measures to prevent minors’ exposure to content recommendations that could pose a risk to their safety and security, particularly when encountered repeatedly, such as content promoting unrealistic beauty standards or dieting, content that glorifies or trivialises mental health issues, such as anxiety or depression, discriminatory content, radicalisation content and distressing content depicting violence or encouraging minors to engage in dangerous activities. This includes content that has been reported or flagged by users, trusted flaggers or other actors or content moderation tools, and whose lawfulness and adherence to the platform’s terms and conditions have not yet been verified, in accordance with the relevant obligations under Regulation (EU) 2022/2065 and with Section 6.7.

(i)

Implement measures to ensure that recommender systems do not enable or facilitate the dissemination of illegal content or the commitment of criminal offences against and by minors.

(j)

Ensure that minors’ search results and suggestions for contacts prioritise accounts whose identity has been verified and contacts are connected to the network of the minor, or contacts in the same age range as the minor.

(k)

Ensure that search features, including but not limited to text autocomplete on the search bar and suggested terms and key phrases, do not recommend content that is illegal and/or qualifies as harmful to the privacy, safety or security of minors, for instance by blocking search terms that are well-known to trigger content that is deemed to be harmful to minors’ privacy, safety and/or security, such as particular words, slang, hashtags or emojis (66). Upon queries related to such content, providers of online platforms should redirect minors to appropriate support resources and helplines.

(a)

Provide minors with the opportunity to reset their recommended feeds completely and permanently.

(b)

Within the prioritisation of parameters and metrics related to accuracy, diversity, inclusivity and fairness, provide information and nudge minors toward searching for new content after a certain amount of interaction with the recommender system.

(c)

Assess whether, in light of the specific features of the platform and in order to ensure a high level of privacy, safety, and security of minors on such platform, it considers it appropriate to ensure that minors can choose an option of their recommender system that is not based on profiling. This recommendation is without prejudice to the obligations of providers of VLOPs and VLOSEs under Article 38 of Regulation (EU) 2022/2065.

(d)

In case that, as a result of the assessment referred to in the point above or as a result of the obligations stemming from Article 38 of Regulation (EU) 2022/2065 in relation to the providers of VLOPs and VLOSEs, they have put in place an option of their recommender system that is not based on profiling, assess whether this should be provided as a default setting and if they consider it appropriate, put in place the necessary safeguards and transparency measures to inform minors of such option and the potential consequences of turning off such default setting.

(e)

Ensure that relevant reporting and feedback mechanisms set out in Section 7.1 have a swift, direct and lasting impact on the parameters, editing and output of the recommender systems. This includes permanently removing reported content and contacts from recommendations (including content reported for hiding and blocked/reported contacts) and reducing the visibility of similar content and accounts.

(a)

Ensure that any settings and information provided to minors about their recommender systems, including but not limited to their Terms and Conditions, are presented in child-friendly and accessible ways, adapted to the age and evolving maturity of the child, and in a language they could understand (see Sections 6.4 on Online interface design and other tools and Section 8.4 on Transparency for more details).

(b)

Meaningfully explain why each specific piece of content was recommended to them, including information about the parameters used and the user signals collected for that specific recommendation.

(c)

Offer minors, in an accessible way and tailored to child-friendly language and design, the options to modify or influence the parameters of their recommender systems by, for example, allowing them to select content categories and activities they are most or least interested in including explanations in child-friendly language. This should be offered during the account creation process and regularly throughout the minor’s time on the platform. These preferences should directly influence the recommendations provided by the system, ensuring that they align more closely with the minor’s age and best interests (67).

(a)

Ensure that minors’ lack of commercial literacy is not exploited by considering minors’ age, vulnerabilities and limited capacity to engage critically with commercial practices on the platform and provide relevant support (72).

(b)

Ensure that minors are not exposed to harmful, unethical and unlawful advertising (73). This may entail, for example considering the appropriateness of advertising campaigns for different age groups, addressing their adverse impact, and taking adequate security measures to protect minors as well as to ensure that they have access to information that is in their best interests (74).

(c)

Regularly review the relevant protective measures in consultation with minors, guardians and other relevant stakeholders.

(d)

Ensure that minors are not exposed to excessive total volumes, frequency and recommendation of commercial content, that can lead to excessive or unwanted spending or addictive behaviours and have detrimental effects on their privacy, safety and security.

(e)

Ensure that minors are not exposed to AI systems integrated in the platform that influence or nudge children for commercial purposes, particularly through conversational or advisory formats such as chatbots (75).

(f)

Ensure that declarations of commercial communication are clearly visible, child-friendly, age-appropriate and accessible (see Section 8.4 on Transparency) and consistently used throughout the service, for instance with the use of an icon or a similar sign to clearly indicate that content is advertising (76). These should be regularly tested and reviewed in consultation with minors, their guardians and other relevant stakeholders.

(g)

Ensure that minors are not exposed to marketing and communication of products or services that can have an adverse impact on their privacy, safety and security, including as identified in the provider’s risk review, including those associated with negative impacts on their physical and mental health (see Section 5 on Risk review).

(h)

Ensure that minors are not exposed to hidden or disguised advertising, whether placed by the provider of the online platform or the users of the service (77). In this context, the Commission recalls that providers of online platforms are also obliged, under Article 26(2) of Regulation (EU) 2022/2065, to provide recipients of the service with a functionality to declare whether the content they provide is or contains commercial communications (78). Examples of disguised commercial communications may include, but are not limited to, product placements by influencers, product showcases and other forms of subtle promotion that may deceive or manipulate minors into purchasing products or services.

(i)

Ensure that children are not exposed to techniques which can have the effect of reducing transparency of economic transactions and may be misleading for minors, such as certain virtual currencies (79), and other tokens or coins, that can be exchanged with real money (or, where applicable, for the purchase of another virtual currency) and used to purchase virtual items, thus also cause unwanted spending (80).

(j)

Ensure that minors, when accessing online platforms or parts and features thereof that are presented or appear as being free (81), are not exposed to in-app or in-game purchases that are or appear to be necessary to access or use the service. If minors are exposed to any other in app or in-game purchases, they should always be priced in the national currency.

(k)

Ensure that minors are not exposed to practices that can lead to excessive or unwanted spending or overuse of the platform or compulsive or addictive behaviours, by ensuring that minors are not exposed to virtual items such as paid loot boxes, other products, where they offer random or unpredictable outcomes or gambling-like features, and by introducing separation or friction between content and the purchasing of related products.

(l)

Ensure that minors are not exposed to manipulative design techniques (82), such as scarcity (83), intermittent or random rewards, or persuasive design techniques (84), that can lead to excessive, impulsive or unwanted spending or addictive behaviours.

(m)

Ensure that minors are not exposed to unwanted purchases, e.g. by considering deploying effective tools for guardians or submitting any financial commitment made by minors under a certain age to the review or consent of guardians (see Section 7.3 on Tools for guardians).

(n)

Review the platform’s policy to offer economic transactions, based on the evolving capacities of children, considering that certain age groups should not be exposed or allowed to enter into economic transactions as they do not yet possess the ability to comprehend spending and money.

(a)

Define clearly and transparently what the platform considers as content and behaviour that is harmful for minors’ privacy, safety and security, in cooperation with minors, civil society and independent experts, including academia. This should include any content and behaviour that is illegal under EU or national law. Providers of online platforms accessible to minors should communicate information concerning their standards and expectations regarding content and behaviour clearly to minors using their service and this information should be available during the set-up of an account and easy to locate on the platform.

(b)

Establish moderation policies and procedures that set out how content and behaviour that is harmful for the privacy, safety and security of minors is detected and how it will be moderated aiming at limiting minors’ exposure to harmful content. Providers of online platforms should also ensure that these policies and/or procedures are enforced in practice.

(c)

Assess and review policies and procedures to ensure that they remain effective as technologies and online behaviours change. In particular, the Commission considers that providers of online platforms accessible to minors should take into account the following factors when prioritising moderation: the likelihood and seriousness of the content causing harm to a minor’s privacy, safety and/or security, the impact of the harm on that minor, specific vulnerabilities and the number of minors who may be harmed. Additionally, reports made by minors should be prioritised.

(d)

Ensure human review is available in addition to automated content review and any other relevant tools for reported accounts or content that the provider suspects may pose a risk of harm to minors’ privacy, safety or security.

(e)

Ensure that content moderation teams are well-trained and resourced and that moderation mechanisms are active and functioning at all times (24 hours a day, 7 days a week) to deliver effective moderation, including at least one employee who is on call to respond to urgent requests and emergencies at all times.

(f)

Ensure that content moderation systems and practices are available and operational in the official language(s) of the Member State the service is provided in.

(g)

Put in place effective technologies, internal mechanisms and preventative measures to reduce the risk of content and behaviour that are harmful to minors’ privacy, safety or security from being recommended to minors, including by implementing effective technical solutions to tackle known harmful and illegal content, such as hash matching and URL detection. Providers should also explore potential added benefits of emerging technical solutions such as AI classifiers to detect new or altered content and conduct.

(h)

Implementing technical solutions to prevent the AI systems on their platform from allowing users to access, generate and disseminate content that is harmful for the privacy, safety and/or security of minors.

(a)

Implement reporting, feedback and complaints mechanisms that:

(b)

Ensure that the reporting, feedback and complaints mechanisms established under Article 20 of Regulation (EU) 2022/2065 (89):

(c)

Ensure the availability of an option that allows minors to provide their own reasons for a report or complaint. Providers should avoid reporting categories, but if they are used, ensure that they are adapted to the youngest users allowed on the platform.

(d)

Ensure that reporting, feedback and complaints are confidential and anonymous by default, while providing the option for minors to remove anonymity. If anonymity is removed, the provider should explain to minors when, how and what information related to reports and/or complaints they share with other users or third parties.

(e)

Prioritise reports that concern the privacy, safety and security of minors. Providers of online platforms should provide an option to indicate if the minor thinks a report or compliant is urgent, especially when there is an indication of an ongoing privacy, safety or security issue. Response times should be appropriate to the issue being reported or complained about. This should not negatively affect the priority given to the notices submitted by trusted flaggers, in accordance with Article 22(1) of Regulation (EU) 2022/2065.

(f)

Provide each minor that submits a report or complaint with a confirmation of receipt of the report or complaint without undue delay. Minors should also be able to access an age-appropriate explanation of the process that will be followed when reviewing the report or complaint and an explanation of any actions or non-actions taken. The information should include an indicative timeframe for deciding the report or complaint and possible outcomes. The Commission is also of the view that providers of online platforms should provide a mechanism for tracking progress and communicating with the platforms.

(g)

Regularly review the reports, feedback and complaints that they receive. They should use this information to identify and address any aspects of their platform that may compromise the privacy, safety and/or security of minors, refine their recommender systems and moderation practices, improve overall safety standards, and foster a more trustworthy and responsible online environment. These actions should be documented to be reviewable.

(a)

Have clear, easily identifiable and accessible support tools that allow minors to seek help when encountering suspicious, illegal or inappropriate content, accounts or behaviour that make them feel uncomfortable. This includes providing block and mute buttons. The support tools should be child-friendly, clearly visible, immediately accessible (see Section 6.4 on Online interface and other tools) and should connect minors directly with the most appropriate support services for their location and age, such as those that form part of the national Safer Internet Centres, INHOPE networks and national child helplines.

(b)

Limit the use of support tools based on AI, as they should not be used as the main mechanism to interact with children.

(c)

Introduce directly visible warning messages, links to relevant national support lines (90) and other authoritative sources when minors search for, upload, generate, share and receive content that is potentially illegal or harmful for the privacy, safety and security of minors (as explained in the Section 6.7 on Moderation). Providers of online platforms should also refer minors to relevant national support lines when a minor submits a report related to such content. The referral should be made immediately after the provider of the online platform becomes aware of the activity or the minor submits a report.

(d)

If the online platform includes features or functionalities related to user connection, posting content or user communication, it should provide minors with the option to anonymously block or mute any other user or account, including those that are not connected to them. The blocking systems should be easy to find and accessible. No information about the user or their account should be available to any accounts that the user has blocked.

(e)

If the online platform enables comments on content, it should provide minors with the option to restrict the types of users who can comment on their content and content about them and/or prevent other users from commenting on their content and content about them, both at the time of posting and thereafter, even if the possibility to comment is restricted to accounts previously accepted as contacts by the minor (as recommended in Section 6.3 on Account settings).

(f)

If the online platform offers group functions, it should ensure that minors join a group only after being notified of the invitation and upon accepting that they wish to be part of that group.

(a)

Be age-appropriate and in line with the evolving capacities of minors. Tools for guardians should be grounded in communication, learning and empowerment rather than control and enable autonomy and agency of minors. They should be effective and not disproportionately restrict minors’ rights to privacy or access services, considering the best interests of the minor, as a primary consideration.

(b)

Be easy to use, access and activate for example by allowing the guardian to use the tool without creating an account on the service.

(c)

Apply regardless of the device or operating system used to access the service.

(d)

Provide a clear notification to minors of their activation by guardians and put other safeguards in place considering their potential misuse by guardians such as, for example, providing a clear sign to the minor in real time when any monitoring functionality is activated.

(e)

Ensure that changes can only be made with the same degree of authorisation required in the initial activation of the tools.

(f)

Be compatible with the availability of interoperable one-stop-shop tools for guardians gathering all settings and tools.

(a)

Implementing internal policies that outline how the provider of the online platform seeks to ensure a high level of privacy, safety and security for minors on its service.

(b)

Assigning to a dedicated person or team the responsibility for ensuring a high level of minors’ privacy, safety and security. This person or team should have sufficient resources as well as sufficient authority to have direct access to the senior management body of the provider of the online platform and should also be a central point of contact for regulators, users and trusted flaggers in matters related to minors’ privacy, safety and security.

(c)

Fostering a culture of privacy, safety and security for minors on the service. This includes:

(a)

Include information about:

(b)

Are easy to find and searchable throughout the user’s experience on the platform.

(c)

Do not unduly restrict any rights of minors, including their right to freedom of expression and information.

(d)

Are upheld and implemented in practice.

(a)

Regularly monitoring and evaluating the effectiveness of any elements of the platform that concern the privacy, safety and security of minors on the platform. This includes, for example, the platform’s online interface, systems, settings, tools, functionalities and features and reporting, feedback and complaints mechanisms, and measures taken to comply with Article 28(1) of Regulation (EU) 2022/2065 (100). Providers should consider making these evaluations available for review and input by independent third parties such as experts or other relevant stakeholders.

(b)

Regularly consulting with minors, guardians, academia, civil society organisations, child rights experts and other relevant stakeholders on the design and evaluation of any elements of the platform that concern the privacy, safety and security of minors on the platform. This should include testing these elements with minors and taking their feedback into account. To contribute to non-discrimination and accessibility, providers should, where possible, involve minors from a diverse range of cultural and linguistic backgrounds, of different ages, with disabilities and/or additional accessibility needs in these consultations.

(c)

Adjusting the design and functioning of the aforementioned elements based on the results of these consultations and on technical developments, research, changes in user behaviour or policy, product and usage evolutions, and changes to the harms and risks to the privacy, safety and security of minors on their platform.

(a)

Information about any measures put in place to ensure a high level of privacy, safety and/or security of minors on the platform. This includes information about:

(b)

Ensure that this information, all warnings and any other communication recommended in the present guidelines are:

(c)

Any measures and changes implemented to comply with Article 28(1) of Regulation (EU) 2022/2065 could be communicated internally and made public to the extent possible.