The IAPP recently mapped the wave of national rules targeting AI companion chatbots that interact with minors. Italy, California, the UK and Brazil have all moved this year, and the EU is finalizing high-risk guidance under the AI Act. The pattern is consistent: when a SaaS exposes conversational AI to anyone under 18, the legal surface multiplies. This article is the operational checklist for the privacy policy and ToS sections your product needs before the next audit.

What counts as an "AI companion" for these rules

Not every chatbot triggers the new rules. The threshold most regulators use combines two factors:

  • The system maintains persistent memory of the user across sessions
  • The interaction style mimics a relationship (friend, tutor, therapist, advisor)

A support bot answering FAQs is out of scope. A buddy bot that remembers a child's preferences and engages in extended conversations is in scope, regardless of how you market it.

The 5 disclosure blocks your policy needs

1. Age gating and parental consent

If under-18 users can reach your AI feature, you need a verifiable age check at sign-up and a parental consent path for under-13 (under-16 in some EU states). Your privacy policy must describe both.

2. Categorical statement of memory scope

State exactly what the AI remembers across sessions and for how long. Vague language fails. Specific language passes: "Conversation history is retained for 90 days, then deleted unless the user opts to extend."

3. Data not used to train shared models

If you fine-tune on user conversations, declare it and offer opt-out. If you do not, declare that explicitly too. Both reassure parents.

4. Crisis handoff protocol

Some jurisdictions now require AI companions for minors to detect signals of self-harm and surface human resources. Document your detection approach and partner organizations.

5. Limits clause: what the AI is not

Make it explicit that the AI is not a therapist, medical advisor, or legal counsel. Parents read this and it lowers your liability footprint.

| Region | Trigger | Key obligation |
|---|---|---|
| EU (AI Act) | High-risk classification | Conformity assessment + transparency |
| Italy | Under-14 user without parental link | Pre-launch impact assessment |
| California | Companion chatbot for under-18 | Algorithmic accountability disclosure |
| UK (Online Safety) | Service "likely to be accessed by children" | Age-appropriate design code |
| Brazil (Digital ECA) | Profiling of minors | Privacy-by-default + DPIA |

The most common mistake is treating the under-13 carve-out as a checkbox. Regulators in 2026 ask for proof that you actively prevent the feature from reaching that age group, not just that you forbid it in the ToS. Architecture matters more than wording.

What changes in the ToS (not just the privacy policy)

  • Acceptable use clause that prohibits role-play scenarios involving illegal activity
  • Reservation of right to refuse service to suspected minors who bypassed the age gate
  • Clear takedown procedure for parents to request immediate deletion
  • Contact channel (not just email) for child safety incidents

The audit angle

If your product is consumer-facing and you raise institutional money in 2026 or later, due diligence will ask for these specific artifacts. Founders who have the disclosures published and a DPIA documented close enterprise deals six to eight weeks faster than those who promise to add them later.

The IAPP analysis closes with a useful framing: AI companion regulation is not about the AI, it is about the relationship. Once your product crosses the line into relationship-style interaction with a minor, the legal posture changes regardless of how harmless the conversation is.

Conclusion

If your SaaS has any conversational AI feature that under-18 users can reach, the five disclosure blocks above are the minimum 2026 standard. Adding them in advance is cheaper than retrofitting after a regulatory inquiry. The wording can be simple; what matters is that the architecture matches the claims.

If you want a starting template that already includes age gating language, memory scope statements and crisis handoff sections per jurisdiction, try Termerly free and generate the AI companion variant of your privacy policy in one pass.