Five anatomical elements of a functioning cognitive-sovereignty framework, mapped against six existing legal instruments.
| Mechanism \ Law | KOSA (US) | GDPR (EU) | UK AADC | CA AADC | EU AI Act | DSA (EU) | Australian Model |
|---|---|---|---|---|---|---|---|
| M1 Design Standards with Enforcement Teeth | ◐ Partial | × Gap | ◐ Partial | ◐ Partial | ◐ Partial | ◐ Partial | ◐ Partial |
| M2 Age-Differentiated Protections with Meaningful Verification | × Gap | ◐ Partial | ◐ Partial | ◐ Partial | × Gap | ◐ Partial | ✓ Covered |
| M3 Algorithmic Transparency with Independent Audit | ◐ Partial | × Gap | × Gap | ◐ Partial | × Gap | ◐ Partial | ◐ Partial |
| M4 Liability Attachment to Design Decisions | ◐ Partial | × Gap | ◐ Partial | ◐ Partial | × Gap | ◐ Partial | ◐ Partial |
| M5 Enforcement Velocity Matched to Platform Scale | × Gap | ◐ Partial | × Gap | × Gap | ◐ Partial | ✓ Covered | ✓ Covered |
Specific PROHIBITED design features (e.g. variable-ratio reinforcement for minors, infinite scroll without session limits, school-hours push notifications) — objectively assessable, not a self-controlled risk-assessment process. Source: what-cognitive-sovereignty-law-requires §V Element 1
| Law | Grade | Provision | Confidence | Reading |
|---|---|---|---|---|
| KOSA (US) | ◐ Partial | §103(a)(1)(C) Safeguards for Minors; §102 Duty of care | high | Names specific features (infinite scroll, autoplay, rewards, notifications) but only requires platforms to ‘limit by default’, not prohibit; §102 is a ‘reasonable care’ standard — the self-controlled, not-objectively-assessable form the mechanism rejects. (Not enacted.) |
| GDPR (EU) | × Gap | Art 25 (Data protection by design and by default) | high | Art 25 governs data-processing design (minimisation, by-default safeguards), not engagement architecture; nothing minor-specific or objectively assessable. |
| UK AADC | ◐ Partial | Standards 5/7/13 (detrimental use, default settings, nudge techniques); DPA 2018 s.123 | high | Names design features (high-privacy defaults, no privacy-weakening nudges) but is a principles-based statutory code framed as data-protection design, not an objectively-scored prohibited-features schedule. |
| CA AADC | ◐ Partial | Cal. Civ. Code §1798.99.31(b)(7) (dark patterns); (b)(1)-(4) (detrimental/data-use constraints) | high | Prescribes design constraints, but the core prohibitions (dark patterns; detrimental use) remain ENJOINED on vagueness grounds (9th Cir., Mar 2026); only default-settings is in force — design teeth blocked. |
| EU AI Act | ◐ Partial | Art 5(1)(a)/(b) (prohibited manipulative / vulnerability-exploiting practices) | high | Bans subliminal/manipulative techniques and exploitation of age-based vulnerabilities, but only where they materially distort behaviour and cause ‘significant harm’ — targets manipulation/harm, not engagement-maximising design per se, and is not minor-specific. |
| DSA (EU) | ◐ Partial | Art 25 (interface design / dark patterns) + Art 28(1) (minors) + Art 35(1) (VLOP risk mitigation) | high | Art 25 is a general anti-manipulation standard (not minor-specific), Art 28(1) requires only ‘appropriate and proportionate measures’, and Art 35 lists ‘reasonable, proportionate and effective’ mitigations (VLOP-only) — not the prescriptive, objectively-assessable prohibited-feature list the mechanism demands. |
| Australian Model | ◐ Partial | OSA 2021 Part 4 (Basic Online Safety Expectations) + industry codes/standards ss.140–145 | high | BOSE expects ‘reasonable steps’ incl. safety-by-design but is principles-based, not objectively-assessable prohibited features; the binding industry standards target content removal, not design. |
Different rules by age group calibrated to developmental neuroscience; an adult-access threshold of ≥16; the platform bears a verification burden beyond self-attestation. Source: what-cognitive-sovereignty-law-requires §V Element 2; the-treaty-framework § Binding Age Floor
| Law | Grade | Provision | Confidence | Reading |
|---|---|---|---|---|
| KOSA (US) | × Gap | §107 Age-verification STUDY (study only); §101(6)/§112(b) knowledge standard | medium | Cowork ruling: gap upheld. M2 is conjunctive (‘…with Meaningful Verification’) and the verification prong is the mechanism’s defining innovation — S.1748 expressly commissions only a feasibility study (§107) and liability turns on ‘knowledge fairly implied’, imposing no verification burden and no ≥16 access gate. A differentiation-anchored ‘partial’ would inflate KOSA; the weak <13 vs <17 parental-tools split is noted but does not meet the mechanism. (The companion KIDS Act package would add an age-verification mandate — re-check if enacted.) |
| GDPR (EU) | ◐ Partial | Art 8 (child’s consent: age 16, derogable to 13) | high | Sets a ≥16 default (most states derogated to 13) but verification is only ‘reasonable efforts… taking into consideration available technology’ and is scoped to consent for data processing — not a platform-wide meaningful-verification burden. |
| UK AADC | ◐ Partial | Standard 3 (age-appropriate application / age assurance); 5 age brackets | high | Explicit developmental brackets (0-5/6-9/10-12/13-15/16-17) and an age-assurance duty, but verification is risk-calibrated and permits self-declaration (or applying the code to all) — no mandated meaningful-verification floor. |
| CA AADC | ◐ Partial | Cal. Civ. Code §1798.99.31(a)(5) (age estimation) | high | Age-estimation injunction was VACATED and REMANDED (9th Cir., Mar 2026) — contested, not settled; and substantively weak — the statute lets platforms apply child protections to ALL users INSTEAD of estimating age, so it is not meaningful verification. |
| EU AI Act | × Gap | (none; Art 5(1)(b) names ‘age’ only as a vulnerability factor) | high | No age-calibrated regime and no verification mandate; ‘age’ appears only as one vulnerability vector in the Art 5(1)(b) harm prohibition. |
| DSA (EU) | ◐ Partial | Art 28(2)-(3) (protection of minors) | high | Art 28(2) bars profiling-based ads when the provider is ‘aware with reasonable certainty’ the user is a minor — but Art 28(3) expressly states this does NOT oblige providers to process additional data to verify age, so the meaningful-verification prong fails on the face of the text. |
| Australian Model | ✓ Covered | Social Media Minimum Age Act 2024 s.63C (under-16 account prohibition); in force 10 Dec 2025; max penalty A$49.5m | high | Binding, in-force, platform-borne age restriction with a real civil penalty — the strongest cell in the matrix. Limitation: ‘reasonable steps’ mandates no specific verification method, so verification rigour is delegated/unprescribed. |
Mandatory disclosure of ranking-system parameters to INDEPENDENT auditors; pre-registration of parameters plus post-deployment audit. Source: what-cognitive-sovereignty-law-requires §V Element 3
| Law | Grade | Provision | Confidence | Reading |
|---|---|---|---|---|
| KOSA (US) | ◐ Partial | §105 Transparency — annual independent third-party audit | high | §105 requires a yearly public report based on an ‘independent, third-party audit’ that must consider personalised-recommendation systems, with compelled platform access — a real independent systems audit. Falls short on: no pre-registration, function-level (not ranking-parameter-level) disclosure, and scope capped at >10M-MAU platforms. (Not enacted.) |
| GDPR (EU) | × Gap | Art 22 (automated individual decision-making) | high | Art 22 reaches only decisions based ‘solely’ on automated processing with legal/similarly-significant effects; it grants contest/human-intervention rights, not ranking-parameter disclosure to independent auditors (that is DSA territory). |
| UK AADC | × Gap | (none — Standard 4 transparency is user-facing privacy-notice only) | high | No provision requires recommender/ranking disclosure to independent auditors or pre-registration; profiling (Std 12) is a default-off control, not an audit. |
| CA AADC | ◐ Partial | Cal. Civ. Code §1798.99.31(a)(1)-(2) (Data Protection Impact Assessment) | high | The only transparency analog is the DPIA, which is (a) ENJOINED (affirmed in NetChoice I, undisturbed in 2026) and (b) a mismatch — an internal self-assessment disclosed to the AG on request, not independent ranking-parameter audit. |
| EU AI Act | × Gap | Art 50 / Art 74 (transparency; market-surveillance docs) | high | Art 50 transparency is user-facing labelling; high-risk technical documentation/source-code access (Art 74) goes to market surveillance, not independent auditors, and recommender systems are not generally high-risk — ranking-parameter audit is the DSA’s domain (see DSA column), not the AI Act’s. |
| DSA (EU) | ◐ Partial | Art 37 (independent audit) + Art 40 (vetted-researcher data access) + Art 27 (recommender transparency) | high | The matrix’s strongest M3 cell: Art 37 imposes binding, ≥annual INDEPENDENT audits of VLOPs (strict auditor-independence rules) and Art 40 compels vetted-researcher data access. Held to ‘partial’ on the SAME bar as KOSA: no pre-registration concept, and Art 27 discloses ranking parameters to USERS (in T&Cs), not ranking-parameter-level disclosure to the auditors; VLOP-only scope. |
| Australian Model | ◐ Partial | OSA 2021 s.56(2) transparency/reporting notices + BOSE recommender expectation | high | s.56(2) notices can compel reporting on recommender/algorithm practices, but this is self-reporting to the eSafety Commissioner — no binding ranking-parameter disclosure to, or audit by, independent auditors. |
Liability that attaches to harmful DESIGN decisions (not content hosting); for US law, reform so Section 230 immunity does not shield design decisions. Source: what-cognitive-sovereignty-law-requires §V Element 4
| Law | Grade | Provision | Confidence | Reading |
|---|---|---|---|---|
| KOSA (US) | ◐ Partial | §102 Duty of care (liability on ‘creation and implementation of any design feature’); §112(a)(4) §230 rule of construction | high | Liability attaches to design features rather than content hosting (FTC/state-AG enforced; no private right), but §112(a)(4) expressly does not alter Section 230 — it routes around 230 by the design/content distinction (contested post-Moody) rather than reforming the immunity. (Not enacted.) |
| GDPR (EU) | × Gap | Art 82 (right to compensation) / Art 83 (fines) | high | Liability attaches to infringements of the Regulation / unlawful processing, not to harmful design decisions per se; no design-liability hook. |
| UK AADC | ◐ Partial | Standards 5/12, enforced via DPA 2018 / UK GDPR penalty notices | high | Harmful-design duties exist and the ICO can fine via the DPA, but liability attaches to UK-GDPR data-processing breaches the code informs, not directly to design decisions; the code is admissible evidence, not a standalone liability statute. |
| CA AADC | ◐ Partial | Cal. Civ. Code §1798.99.35 (AG enforcement; $2,500 negligent / $7,500 intentional per affected child) | high | §35 enforcement is in force, but the central design prohibitions it would attach to (dark patterns; detrimental use) are ENJOINED — so penalties presently attach only to in-force items (default settings, notices), not the design conduct the mechanism targets. |
| EU AI Act | × Gap | Art 99 (administrative fines) | high | A public regulatory-penalty regime (up to 7% / €35m for Art 5 breaches), not a private liability cause of action attaching to design; the companion AI Liability Directive that would have done so was withdrawn by the Commission (Oct 2025). |
| DSA (EU) | ◐ Partial | Art 74 (penalties up to 6% of worldwide turnover) + Art 54 (compensation) | high | Attaches regulatory fines up to 6% of worldwide turnover for design/systemic-risk breaches (Art 74); Art 54 grants a compensation right but ‘in accordance with Union and national law’ — deferring to national law rather than creating a harmonised private cause of action tied to design decisions. Regulatory-primary, private-derivative. |
| Australian Model | ◐ Partial | Social Media Minimum Age Act 2024 s.63C penalties; OSA 2021 BOSE / removal-notice civil penalties | medium | Penalties attach to age-assurance failures and content-removal / BOSE non-compliance — access and takedown duties, not design decisions; the Act imposes no design duty for liability to attach to. |
Fast enforcement — interim/emergency design-modification orders (preliminary-injunction analogues) — rather than multi-year administrative processes. Source: what-cognitive-sovereignty-law-requires §V Element 5
| Law | Grade | Provision | Confidence | Reading |
|---|---|---|---|---|
| KOSA (US) | × Gap | §109 Enforcement (FTC UDAP + state-AG) | high | Enforcement is ordinary civil litigation to enjoin violations; no emergency/interim design-modification order, no preliminary-injunction analogue, no scale-matched velocity — exactly the multi-year process the mechanism contrasts against. (Not enacted.) |
| GDPR (EU) | ◐ Partial | Art 66 (urgency procedure) + Art 58(2)(f) (processing ban) | medium | Art 66 allows provisional measures (capped 3 months) and a 2-week Board fast-track, and Art 58(2)(f) permits a processing ban — but the one-stop-shop lead-authority model (Art 56) plus documented Irish-DPC multi-year timelines make routine velocity structurally slow. |
| UK AADC | × Gap | (none — DPA 2018 enforcement: assessment/enforcement/penalty notices) | medium | Enforcement runs through ordinary DPA processes on standard timelines; no interim/fast-track order tied to platform scale. |
| CA AADC | × Gap | Cal. Civ. Code §1798.99.35 (standard AG civil action; 90-day notice-and-cure) | high | No interim/expedited mechanism; the mandatory 90-day cure period (itself enjoined on remand) SLOWS rather than accelerates enforcement. |
| EU AI Act | ◐ Partial | Art 79 (national risk procedure) + Art 74 (market-surveillance powers) | medium | Real interim/recall powers exist (corrective action within 15 working days; provisional restrict/withdraw/recall; 30-day objection window for Art 5 breaches) — but it is a product-safety enforcement track, not platform-scale-calibrated injunctive orders, and most obligations phase in only by Aug 2026/2027. |
| DSA (EU) | ✓ Covered | Art 70 (interim measures) + Commission direct enforcement of VLOPs | high | The Commission directly enforces VLOPs/VLOSEs (bypassing GDPR’s slow one-stop-shop), and Art 70 empowers interim measures by decision on a prima facie infringement where urgency arises from ‘risk of serious damage’ to recipients — genuine scale-matched enforcement velocity the other EU instruments lack. |
| Australian Model | ✓ Covered | OSA 2021 ss.66/88/109 (removal notices, 24-hour compliance; blocking notices; Federal Court injunctions) | high | 24-hour removal-notice velocity across the cyber-abuse / image-based-abuse / Class-1 schemes plus injunctive relief (X Corp 2024 Federal Court precedent) — binding and scale-applicable, though it targets content not design. |
NOT ENACTED as of June 2026 — passed the Senate 91-3 in the 118th Congress (2024) but the House never floor-voted; reintroduced as S.1748 (2025), pending. House companion H.R.6484 diverges on the ‘knowledge’ standard; the bill progressed through a House Energy & Commerce subcommittee in March 2026; a 40-state-AG letter backs S.1748. All grades are of S.1748 as introduced and are capped at ‘partial’ because no provision is yet binding.
Source-checked via: primary text (congress.gov BILLS-119s1748is) + corpus the-kids-online-safety-act-record
In force since 25 May 2018. A data-protection (lawful-basis + data-subject-rights) regime — NOT a design code or youth-safety law; several mechanisms land as gap or data-adjacent partial by design.
Source-checked via: primary text (gdpr-info.eu Articles) + corpus the-gdpr-and-what-it-actually-changed
In force since Sept 2021 (12-month transition from Sept 2020). A statutory CODE issued by the ICO — not directly enforceable as law itself; ICO/courts ‘must take it into account’ and it is enforced indirectly via UK GDPR / DPA penalty notices (up to £17.5m or 4% turnover).
Source-checked via: primary text (ICO code; DPA 2018) — web
Enacted 2022; NEVER ENFORCED — enjoined since 2023 (NetChoice v. Bonta). Per the 9th Circuit (Mar 12 2026, No. 25-2366), the design-prohibition provisions (dark patterns (b)(7); data-use (b)(1)-(4)) and the DPIA + notice-and-cure provisions remain ENJOINED; the entire-statute and age-estimation injunctions were vacated and remanded (age estimation contested on remand). Posture is partial-and-contested; NO cell is ‘covered.’
Source-checked via: primary text (Cal. Civ. Code) + 9th Cir. opinion 25-2366 — web
A horizontal RISK-TIER PRODUCT-SAFETY regime for AI systems — NOT a youth-safety or design-code law. Phased application (Art 5 prohibitions live since 2 Feb 2025; most high-risk obligations Aug 2026/2027). Several mechanisms are genuine gaps here whose coverage belongs to other EU instruments — recommender transparency/audit → the DSA column (added per Cowork review); private design liability → the AI Liability Directive, which the Commission WITHDREW Oct 2025.
Source-checked via: primary text (Reg 2024/1689 Articles) — web
In force — general/intermediary obligations economy-wide since 17 Feb 2024; VLOP/VLOSE (≥45M EU users) obligations + designations from 2023, Commission-DIRECT-enforced. The EU's platform-GOVERNANCE regime — it actually governs recommender/interface design and systemic risk, the coverage the AI Act (product-safety) and GDPR (data-protection) gap on. Added per the Cowork legal review (DMA deliberately excluded — competition law, a different axis).
Source-checked via: primary text (Reg (EU) 2022/2065 Articles; EUR-Lex CELEX 32022R2065) — web
OSA 2021 in force since Jan 2022; the under-16 social-media account ban (Amendment Act 2024, s.63C) received Royal Assent 10 Dec 2024 and COMMENCED 10 Dec 2025 (in force, early-enforcement phase as of mid-2026; max penalty A$49.5m).
Source-checked via: primary text (legislation.gov.au) + corpus the-australian-model
Methodology. The five mechanisms are inventoried from the Institute's own corpus (What Cognitive Sovereignty Law Requires, §V; The Treaty Framework) — none invented here. Each cell was graded against primary statutory text under per-law claim-integrity review; the cited provision and the verification source are shown for every cell so a reader can check it. “Gap” is a normal and common value — most instruments were not built to govern engagement design. Source of truth: data/csra-crosswalk.json. Built 2026-06-03 (D-098).