This rubric evaluates compliance with the following frameworks. All reviewers apply these standards regardless of primary role:
Note: This rubric is a review tool, not legal advice. Formal legal review is a separate process.
AESOP AI Academy serves learners as young as 5. Every design decision — from data storage to narrative content to third-party scripts — must be evaluated through the lens of child protection. This review is not a one-time audit. It is a living process designed to run on a regular schedule and after any content or platform update.
Total possible: 100 points. Weighted criteria (×2) = up to 10 pts each. Two override rules apply — see Dimensions 1 and 3.
Highest protection. Full COPPA applicability. Parental consent required for any persistent data.
Transition zone. COPPA still applies below 13. Safety messaging must be age-appropriate.
Near-adult. Privacy rights are active curriculum here. Platform must model what it teaches.
Narrative content, language calibration, psychological safety, and whether content could harm a child at the stated tier — including unintentional harm.
Third-party scripts, localStorage, Firebase data flows, cookies — any technical mechanism touching user data, especially for users under 13.
Privacy policy completeness, COPPA disclosures, parental consent mechanisms, data retention statements, and clarity of legal language.
All external resources (CDN scripts, fonts, analytics, Firebase) — evaluating data collection risk and compliance exposure for child users.
COPPA requires verifiable parental consent before collecting personal information from children under 13. This dimension evaluates whether the platform collects only what it must, protects what it collects, and gives parents meaningful control.
| Criterion | Evaluating Question | Max |
|---|---|---|
| Data Minimization | Does the platform collect only the minimum data necessary? Is any PII (name, age, email, location) collected that could be avoided without losing core function? | 10 pts (×2) |
| Parental Consent Mechanism | Is there a verifiable parental consent process for users under 13? Is it implemented before data is collected? Is it easy to find and understand? | 5 pts |
| Data Retention & Deletion | Is there a clear, enforceable policy on how long data is retained? Can a parent request deletion? Is deletion actually implemented in Firebase/backend? | 5 pts |
| Third-Party Data Sharing | Is any data shared with third parties (Firebase, Google, CDN, analytics)? Is sharing disclosed? Is it avoidable for under-13 users? | 5 pts |
| Privacy Policy Completeness | Does a published privacy policy exist covering: what is collected, how it is used, how parents can access/delete data, and operator contact info? | 5 pts |
Data collected from minors without consent. No privacy policy. Third-party trackers active and undisclosed.
Privacy policy exists but incomplete. Consent present but not before data collection. Some third-party sharing undisclosed.
Minimal data collected. Verifiable parental consent before any PII stored. Privacy policy complete, accurate, visible. Deletion real and enforceable.
Every piece of content — narrative, concept text, lab instruction, quiz question — must be safe and appropriate for the youngest learner who might encounter it at that tier. This includes not only explicit content but psychological safety: stress, fear, shame, and pressure.
| Criterion | Evaluating Question | Max |
|---|---|---|
| Age-Appropriate Language & Themes | Is language, tone, and thematic content appropriate for the tier's youngest likely user? Does it avoid adult themes, violence, sexual content, or distressing material? | 10 pts (×2) |
| Psychological Safety | Does content avoid creating fear, anxiety, shame, or undue pressure? Does it treat wrong answers in ways that could damage a child's self-worth? | 5 pts |
| AI-Generated Content Risk | If any content is AI-generated or AI-assisted, is there a safety review layer? Could AI outputs expose children to harmful, biased, or inappropriate material? | 5 pts |
| External Link Safety | Do any links lead outside the platform? If so, are those destinations vetted as child-safe? Are outbound links clearly labeled as external? | 5 pts |
Content inappropriate for the stated tier. External links not vetted. AI outputs unreviewed. Psychological safety not considered.
No obviously harmful content but age-calibration inconsistent. External links present but unlabeled. Psychological framing not always considered.
Content clearly calibrated for the tier's youngest user. Psychological framing intentional. External links vetted, labeled, and minimized. AI outputs reviewed before delivery.
Child-facing platforms face heightened security obligations. A breach involving children's information carries regulatory, legal, and reputational consequences beyond adult-facing equivalents.
| Criterion | Evaluating Question | Max |
|---|---|---|
| HTTPS & Transport Security | Is all content served over HTTPS? Are there mixed-content warnings? Are external resources loaded securely? | 5 pts |
| Authentication & Session Security | Is the Firebase auth implementation secure? Are sessions properly managed and expired? Is there protection against session hijacking? | 5 pts |
| Input Sanitization & XSS Prevention | Is user input sanitized before storage or display? Are there XSS or injection risks in form fields or URL parameters? | 5 pts |
| Third-Party Script Risk | Are third-party scripts loaded from pinned, verified sources? Could a compromised CDN inject malicious code into a child-facing page? | 5 pts |
HTTP content, unsanitized inputs, unpinned external scripts, or exploitable auth flows. Immediate remediation required.
HTTPS present but mixed content exists. Auth functional but edge cases unhandled. External scripts loaded but versions not pinned.
HTTPS enforced. Sessions properly managed and expired. All inputs sanitized. External scripts from pinned, trusted sources.
Children are more susceptible to persuasive and manipulative design patterns than adults. The FTC and UK Age Appropriate Design Code specifically prohibit "nudge techniques" that exploit developmental vulnerabilities — including gamification mechanics, streaks, and pressure features.
| Criterion | Evaluating Question | Max |
|---|---|---|
| Absence of Addictive Mechanics | Does the platform use streaks, countdown timers, scarcity messaging, or compulsive engagement features? If gamification exists, does it serve learning or maximize time-on-site? | 5 pts |
| Commercial Transparency | Is the platform free of behavioral advertising? If any commercial content exists, is it clearly labeled in a way a child can understand? No disguised affiliate links? | 5 pts |
| Consent Pattern Integrity | Are consent flows (cookies, data, accounts) designed for genuine informed consent — or do they use pre-checked boxes, confusing language, or bright-pattern buttons to push acceptance? | 5 pts |
Active dark patterns present. Streak mechanics, FOMO messaging. Consent flows maximize acceptance rather than inform. Advertising unlabeled.
No active dark patterns but gamification not clearly tied to learning. Consent functional but not child-optimized. Minor commercial gaps.
Design actively avoids addictive mechanics. Gamification explicitly serves learning. Consent flows clear, uncoerced, age-appropriate. No advertising. No affiliate content.
Children must be able to report something wrong. Parents must be able to reach the operator. The operator must have processes to respond. This dimension evaluates whether that chain exists, is discoverable, and works.
| Criterion | Evaluating Question | Max |
|---|---|---|
| Child-Facing Safety Contact | Is there a visible, simple way for a child to report something uncomfortable — accessible without requiring an adult intermediary? | 5 pts |
| Parent / Educator Channel | Is there a clear, working contact method for parents and educators — including COPPA-required data access and deletion requests? Is a response time stated? | 5 pts |
No way for a child or parent to report anything. A black box to the people it serves.
Contact email exists but hard to find. No child-specific reporting. Parent requests handled on no stated timeline.
Child-facing "I need help" link visible and prominent. Parent/educator channel includes COPPA-required data request process with stated response time.
One block per scope item. This feeds directly into the Safety Scoring Dashboard.
REVIEWER: [Claude / Gemini / ChatGPT / Perplexity] SCOPE: [e.g. "Full Platform" / "Module 3 Intro Tier" / "AI-Academy Landing Page"] REVIEW DATE: [Today] PLATFORM VERSION: [e.g. ai-academy-index v1.0.1] DIMENSION 1 - DATA PRIVACY & COPPA (max 30) Data Minimization: [0-5] Parental Consent Mechanism: [0-5] Data Retention & Deletion: [0-5] Third-Party Data Sharing: [0-5] Privacy Policy Completeness: [0-5] D1 SCORE: [sum] / 30 D1 Override: [PASS if >=10 | FAIL if <10] D1 Notes: [What exists, what is missing, any active violations] DIMENSION 2 - CONTENT SAFETY (max 25) Age-Appropriate Language: [0-5] Psychological Safety: [0-5] AI-Generated Content Risk: [0-5] External Link Safety: [0-5] D2 SCORE: [sum] / 25 D2 Notes: [List flagged items with lesson/section reference] DIMENSION 3 - TECHNICAL SECURITY (max 20) HTTPS & Transport Security: [0-5] Authentication Security: [0-5] Input Sanitization / XSS: [0-5] Third-Party Script Risk: [0-5] D3 SCORE: [sum] / 20 D3 Override: [PASS if >=6 | FAIL if <6] D3 Notes: [Technical findings - list script URLs, auth concerns, inputs] DIMENSION 4 - ANTI-MANIPULATION (max 15) Absence of Addictive Mechanics: [0-5] Commercial Transparency: [0-5] Consent Pattern Integrity: [0-5] D4 SCORE: [sum] / 15 D4 Notes: [Describe gamification features and whether they serve learning] DIMENSION 5 - SAFETY COMMUNICATION (max 10) Child-Facing Safety Contact: [0-5] Parent/Educator Contact: [0-5] D5 SCORE: [sum] / 10 D5 Notes: "A parent who needs to request data deletion can ___" TOTAL SCORE: [sum] / 100 VERDICT: [PASS >=70 / CONDITIONAL 55-69 / FAIL <55 or override triggered] CRITICAL FINDINGS: [Any finding requiring immediate action regardless of score] RECOMMENDED ACTIONS: [Prioritized remediation steps]
Override triggers: D1 < 10/30 or D3 < 6/20 = automatic FAIL regardless of total score.