◆ Back to Dashboard ◆ Safety Scores
AESOP AI Academy — Compliance Review Document

Child Safety & COPPA
Compliance Rubric

A structured multi-LLM review framework for evaluating child privacy, safety, and regulatory compliance across all AESOP AI Academy content and delivery systems.
Legal & Regulatory Foundation

⚠ Mandatory Compliance Standards

This rubric evaluates compliance with the following frameworks. All reviewers apply these standards regardless of primary role:

Note: This rubric is a review tool, not legal advice. Formal legal review is a separate process.

Why This Review Exists

AESOP AI Academy serves learners as young as 5. Every design decision — from data storage to narrative content to third-party scripts — must be evaluated through the lens of child protection. This review is not a one-time audit. It is a living process designed to run on a regular schedule and after any content or platform update.

Scoring Scale

0–5 Per Criterion

0
Absent / Violation
Not addressed; active breach
1
Critical Gap
Serious deficiency; compliance risk
2
Partial
Addressed but incomplete
3
Adequate
Meets minimum standard
4
Strong
Clear, correct, child-centered
5
Exemplary
Best-practice; proactive protection

Total possible: 100 points. Weighted criteria (×2) = up to 10 pts each. Two override rules apply — see Dimensions 1 and 3.

Tiers Under Review

Introduction Tier

⭐ Ages 5–10 (approx.)

Highest protection. Full COPPA applicability. Parental consent required for any persistent data.

Basic Tier

🔬 Ages 11–14 (approx.)

Transition zone. COPPA still applies below 13. Safety messaging must be age-appropriate.

Advanced Tier

🎯 Ages 15–18 (approx.)

Near-adult. Privacy rights are active curriculum here. Platform must model what it teaches.

Reviewer Roles
Claude
Content Safety & Age-Appropriateness

Narrative content, language calibration, psychological safety, and whether content could harm a child at the stated tier — including unintentional harm.

Gemini
Technical Privacy & Data Architecture

Third-party scripts, localStorage, Firebase data flows, cookies — any technical mechanism touching user data, especially for users under 13.

ChatGPT
Regulatory Compliance & Policy Language

Privacy policy completeness, COPPA disclosures, parental consent mechanisms, data retention statements, and clarity of legal language.

Perplexity
Third-Party Risk & External Dependencies

All external resources (CDN scripts, fonts, analytics, Firebase) — evaluating data collection risk and compliance exposure for child users.

The Five Safety Dimensions
1

Data Privacy & COPPA Compliance

Primary: Gemini (Technical) · ChatGPT (Policy) · All reviewers score
30 pts
Override Rule: If Dimension 1 scores below 10/30, the platform cannot pass regardless of total score. Mishandling child data is the most fundamental failure mode.

COPPA requires verifiable parental consent before collecting personal information from children under 13. This dimension evaluates whether the platform collects only what it must, protects what it collects, and gives parents meaningful control.

CriterionEvaluating QuestionMax
Data MinimizationDoes the platform collect only the minimum data necessary? Is any PII (name, age, email, location) collected that could be avoided without losing core function?10 pts (×2)
Parental Consent MechanismIs there a verifiable parental consent process for users under 13? Is it implemented before data is collected? Is it easy to find and understand?5 pts
Data Retention & DeletionIs there a clear, enforceable policy on how long data is retained? Can a parent request deletion? Is deletion actually implemented in Firebase/backend?5 pts
Third-Party Data SharingIs any data shared with third parties (Firebase, Google, CDN, analytics)? Is sharing disclosed? Is it avoidable for under-13 users?5 pts
Privacy Policy CompletenessDoes a published privacy policy exist covering: what is collected, how it is used, how parents can access/delete data, and operator contact info?5 pts
0–1: Active Violation

Data collected from minors without consent. No privacy policy. Third-party trackers active and undisclosed.

2–3: Partial

Privacy policy exists but incomplete. Consent present but not before data collection. Some third-party sharing undisclosed.

4–5: Strong

Minimal data collected. Verifiable parental consent before any PII stored. Privacy policy complete, accurate, visible. Deletion real and enforceable.

2

Content Safety & Age-Appropriateness

Primary: Claude · All reviewers score
25 pts

Every piece of content — narrative, concept text, lab instruction, quiz question — must be safe and appropriate for the youngest learner who might encounter it at that tier. This includes not only explicit content but psychological safety: stress, fear, shame, and pressure.

CriterionEvaluating QuestionMax
Age-Appropriate Language & ThemesIs language, tone, and thematic content appropriate for the tier's youngest likely user? Does it avoid adult themes, violence, sexual content, or distressing material?10 pts (×2)
Psychological SafetyDoes content avoid creating fear, anxiety, shame, or undue pressure? Does it treat wrong answers in ways that could damage a child's self-worth?5 pts
AI-Generated Content RiskIf any content is AI-generated or AI-assisted, is there a safety review layer? Could AI outputs expose children to harmful, biased, or inappropriate material?5 pts
External Link SafetyDo any links lead outside the platform? If so, are those destinations vetted as child-safe? Are outbound links clearly labeled as external?5 pts
0–1: Unsafe

Content inappropriate for the stated tier. External links not vetted. AI outputs unreviewed. Psychological safety not considered.

2–3: Adequate

No obviously harmful content but age-calibration inconsistent. External links present but unlabeled. Psychological framing not always considered.

4–5: Strong

Content clearly calibrated for the tier's youngest user. Psychological framing intentional. External links vetted, labeled, and minimized. AI outputs reviewed before delivery.

3

Technical Security

Primary: Gemini · Perplexity · All reviewers score
20 pts
Override Rule: If Dimension 3 scores below 6/20, the platform cannot pass. Exploitable technical vulnerabilities on a child-facing platform create direct risk of data theft, unauthorized access, or contact with harmful actors.

Child-facing platforms face heightened security obligations. A breach involving children's information carries regulatory, legal, and reputational consequences beyond adult-facing equivalents.

CriterionEvaluating QuestionMax
HTTPS & Transport SecurityIs all content served over HTTPS? Are there mixed-content warnings? Are external resources loaded securely?5 pts
Authentication & Session SecurityIs the Firebase auth implementation secure? Are sessions properly managed and expired? Is there protection against session hijacking?5 pts
Input Sanitization & XSS PreventionIs user input sanitized before storage or display? Are there XSS or injection risks in form fields or URL parameters?5 pts
Third-Party Script RiskAre third-party scripts loaded from pinned, verified sources? Could a compromised CDN inject malicious code into a child-facing page?5 pts
0–1: Critical Risk

HTTP content, unsanitized inputs, unpinned external scripts, or exploitable auth flows. Immediate remediation required.

2–3: Partial

HTTPS present but mixed content exists. Auth functional but edge cases unhandled. External scripts loaded but versions not pinned.

4–5: Strong

HTTPS enforced. Sessions properly managed and expired. All inputs sanitized. External scripts from pinned, trusted sources.

4

Anti-Manipulation & Dark Pattern Prevention

Primary: ChatGPT · Claude · All reviewers score
15 pts

Children are more susceptible to persuasive and manipulative design patterns than adults. The FTC and UK Age Appropriate Design Code specifically prohibit "nudge techniques" that exploit developmental vulnerabilities — including gamification mechanics, streaks, and pressure features.

CriterionEvaluating QuestionMax
Absence of Addictive MechanicsDoes the platform use streaks, countdown timers, scarcity messaging, or compulsive engagement features? If gamification exists, does it serve learning or maximize time-on-site?5 pts
Commercial TransparencyIs the platform free of behavioral advertising? If any commercial content exists, is it clearly labeled in a way a child can understand? No disguised affiliate links?5 pts
Consent Pattern IntegrityAre consent flows (cookies, data, accounts) designed for genuine informed consent — or do they use pre-checked boxes, confusing language, or bright-pattern buttons to push acceptance?5 pts
0–1: Manipulative

Active dark patterns present. Streak mechanics, FOMO messaging. Consent flows maximize acceptance rather than inform. Advertising unlabeled.

2–3: Adequate

No active dark patterns but gamification not clearly tied to learning. Consent functional but not child-optimized. Minor commercial gaps.

4–5: Strong

Design actively avoids addictive mechanics. Gamification explicitly serves learning. Consent flows clear, uncoerced, age-appropriate. No advertising. No affiliate content.

5

Safety Communication & Reporting

⬆ Required Infrastructure — All reviewers
10 pts

Children must be able to report something wrong. Parents must be able to reach the operator. The operator must have processes to respond. This dimension evaluates whether that chain exists, is discoverable, and works.

CriterionEvaluating QuestionMax
Child-Facing Safety ContactIs there a visible, simple way for a child to report something uncomfortable — accessible without requiring an adult intermediary?5 pts
Parent / Educator ChannelIs there a clear, working contact method for parents and educators — including COPPA-required data access and deletion requests? Is a response time stated?5 pts
0–1: No Channel

No way for a child or parent to report anything. A black box to the people it serves.

2–3: Partial

Contact email exists but hard to find. No child-specific reporting. Parent requests handled on no stated timeline.

4–5: Strong

Child-facing "I need help" link visible and prominent. Parent/educator channel includes COPPA-required data request process with stated response time.

Required Output Format

How to Report Your Safety Review Scores

One block per scope item. This feeds directly into the Safety Scoring Dashboard.

REVIEWER: [Claude / Gemini / ChatGPT / Perplexity]
SCOPE: [e.g. "Full Platform" / "Module 3 Intro Tier" / "AI-Academy Landing Page"]
REVIEW DATE: [Today]
PLATFORM VERSION: [e.g. ai-academy-index v1.0.1]

DIMENSION 1 - DATA PRIVACY & COPPA (max 30)
  Data Minimization:              [0-5]
  Parental Consent Mechanism:     [0-5]
  Data Retention & Deletion:      [0-5]
  Third-Party Data Sharing:       [0-5]
  Privacy Policy Completeness:    [0-5]
  D1 SCORE: [sum] / 30
  D1 Override: [PASS if >=10 | FAIL if <10]
  D1 Notes: [What exists, what is missing, any active violations]

DIMENSION 2 - CONTENT SAFETY (max 25)
  Age-Appropriate Language:       [0-5]
  Psychological Safety:           [0-5]
  AI-Generated Content Risk:      [0-5]
  External Link Safety:           [0-5]
  D2 SCORE: [sum] / 25
  D2 Notes: [List flagged items with lesson/section reference]

DIMENSION 3 - TECHNICAL SECURITY (max 20)
  HTTPS & Transport Security:     [0-5]
  Authentication Security:        [0-5]
  Input Sanitization / XSS:       [0-5]
  Third-Party Script Risk:        [0-5]
  D3 SCORE: [sum] / 20
  D3 Override: [PASS if >=6 | FAIL if <6]
  D3 Notes: [Technical findings - list script URLs, auth concerns, inputs]

DIMENSION 4 - ANTI-MANIPULATION (max 15)
  Absence of Addictive Mechanics: [0-5]
  Commercial Transparency:        [0-5]
  Consent Pattern Integrity:      [0-5]
  D4 SCORE: [sum] / 15
  D4 Notes: [Describe gamification features and whether they serve learning]

DIMENSION 5 - SAFETY COMMUNICATION (max 10)
  Child-Facing Safety Contact:    [0-5]
  Parent/Educator Contact:        [0-5]
  D5 SCORE: [sum] / 10
  D5 Notes: "A parent who needs to request data deletion can ___"

TOTAL SCORE: [sum] / 100
VERDICT: [PASS >=70 / CONDITIONAL 55-69 / FAIL <55 or override triggered]
CRITICAL FINDINGS: [Any finding requiring immediate action regardless of score]
RECOMMENDED ACTIONS: [Prioritized remediation steps]
Scoring Thresholds

Pass / Conditional / Fail

70+
PASS
No overrides. No critical findings. Platform meets minimum child safety standards.
55–69
CONDITIONAL
Gaps must be remediated within 30 days. Platform may continue with disclosed limitations.
<55
FAIL
Serious deficiencies. Content access should be restricted until remediated. Also fails if any override triggered.

Override triggers: D1 < 10/30 or D3 < 6/20 = automatic FAIL regardless of total score.

AESOP-Safety-Rubric-v1.0 · aesopacademy.org/review/ · April 2026