AI Companion Minors: Laws, Audit, Parental Tools, Reporting

This is the only guide on bestgirlfriend.ai with no affiliate button, and that is deliberate. There is no Try button below this paragraph, no promoted platform, no offer. The line that disqualifies an app on minor protection cannot be conditioned on commission, and the page that documents that line cannot quietly hand readers a list of apps whose status under it we have not separately checked. The buttons at the bottom of this page route only to reporting hotlines (NCMEC, the IWF, and InHope), because if the AI companion minors topic is what brought you here, that is the next step.

I have edited adult companion apps for the better part of a year now, and the most common message that lands in our inbox from parents isn't "is this safe for me." It's my teenager downloaded one of these last week, what do I do. That question deserves more than a paragraph. This page answers the broader version of it with statutes, with platform-level audit criteria a parent or a journalist can actually verify, with parental tools that work in 2026, and with the reporting routes that exist when something has already gone wrong.

Is AI-generated CSAM illegal in 2026?

Last reviewed: May 2026

The international convergence on this point is unusually clean. Statutes drafted in the early 2000s (back when the policy worry was hand-drawn or computer-rendered imagery) already used language broad enough to reach AI-generated content as the tech emerged. The US PROTECT Act of 2003 (Pub. L. 108-21) explicitly covers depictions "indistinguishable from" minors regardless of how they were produced. The UK CJA 2009 reaches "prohibited images" defined by visual characteristics, not provenance. The EU CSA Directive's May 2024 amendment closes any residual ambiguity by adding "realistic images" produced by any means including artificial intelligence.

Criminal exposure is uniform across the whole spectrum of conduct: production, possession, distribution, receipt, and in most jurisdictions also access, viewing, or solicitation. Penalties scale with conduct, but the floors are heavy in every market we cover. In the United States, a mandatory minimum of five years for receipt or distribution under § 2252A. In the UK, ten years' imprisonment for the most serious Schedule 13 offences. In Germany, up to ten years under §184b of the Strafgesetzbuch.

The clean answer is good news for editorial work and good news for journalism. There is no need to write "in most jurisdictions" or hedge the line by country. The line is the same line, drawn early, reaffirmed since, and the AI variant is in scope.

What is 18 USC § 1466A?

Section 1466A was the congressional response to the Supreme Court's [Source: Ashcroft v. Free Speech Coalition · verified 2026-05-26] ruling in 2002, which struck down the broader 1996 Child Pornography Prevention Act on overbreadth grounds. Where the 1996 Act reached any image that "appears to be" of a minor, § 1466A reaches obscene visual depictions and depictions "indistinguishable from" an actual minor, a constitutional formulation that has survived every facial challenge since. The operative subsection text is at uscode.house.gov, and the definitional cross-reference in § 2256 makes the AI coverage explicit.

The statute has been used in AI-specific prosecutions, and that matters for how seriously to take it. In 2024, the US Department of Justice charged a defendant in Wisconsin with producing thousands of AI-generated sexual images of minors using Stable Diffusion fine-tunes, the first widely-reported § 1466A case to turn squarely on AI generation. The DOJ's press release on the indictment is the authoritative public summary. Similar cases have followed in the UK under CJA 2009 §62 and in Spain under the 2024 amendment to Article 189 of the Spanish Criminal Code.

I have seen the argument online that AI generation is somehow a workaround because "no real child was involved." It isn't. The statutes reach the depiction, not the production method, and they have been read that way by the courts that matter. The defendant in Wisconsin is now in a federal proceeding facing the same statutory floor as if he had distributed photographic material.

Last reviewed: May 2026

Why does bestgirlfriend.ai exclude AI companion platforms with minor-aged personas?

The exclusion is broader than the literal scope of any single statute, and that breadth is intentional. The criminal line is bright but narrow; our editorial line sits further back because the cost of being wrong is asymmetric. A platform that lets a user generate an image of a sexualised minor (even once, even through a prompt-engineering workaround) exposes that user to felony liability and exposes our readers to harm we cannot remediate. So we don't link to the platform, don't name it in headlines that might draw search traffic to it, and don't list its competitors as alternatives without a separate audit of those competitors.

The exclusion also covers proxy markers, because the statutes themselves cover proxy markers. UK case law on the Protection of Children Act 1978 and CJA 2009 §62 has repeatedly held that apparent age governs, not stated age, and that contextual signals (uniform, setting, body proportions, marketing language) are admissible to establish apparent age. US prosecutors apply the same logic under § 1466A. A platform's "all characters are 18+" disclaimer does not survive contact with a character library where every persona wears a school uniform and is described as "shy first-year student."

Most reviewers in the AI companion space don't say this part out loud. They focus on which app generates the prettiest images, which has the longest conversation memory, which has the lowest monthly price. We score those things too. But our seven-criterion audit runs first, and any platform that fails it never enters the catalog in the first place. You will not see a comparison table on this site that secretly contains a platform that failed minor protection. That is the line.

What does a clean AI companion platform look like for minor protection?

Cleanliness is observable, which is the whole point of building the audit around it. The platform's character-creation flow refuses minor ages at input. The image-generation pipeline blocks prompts containing minor-aged terms and screens outputs with a classifier before display. The character library (visible to any visitor without an account) contains zero personas whose copy or visual presentation reads as under 18. The trust-and-safety page is published, dated, and includes a direct contact route. The reporting channel is one click away from the chat interface, not buried in a footer or routed through a generic support form.

We run this audit on every platform before it can be listed. Each audit takes between 30 and 90 minutes depending on catalog size and policy clarity. Platforms that pass once are re-audited every six months and immediately upon any public change to their character library, trust-and-safety policy, or generation pipeline. When something changes mid-cycle (a new feature, a redesigned creator flow, a deleted policy page) the re-audit happens that week, not at the scheduled date.

The audit is binary on purpose. There is no partial credit. A platform either meets every criterion or it doesn't list. The asymmetry of error matters more than the asymmetry of effort.

What is minor-presenting content?

The vocabulary matters because the law uses it precisely. Law enforcement, hotlines, and academic researchers use "child sexual abuse material" (CSAM) for the canonical photographic and equivalent material involving real children, and "minor-presenting" or "apparent-minor" content for material that depicts what reads as a minor regardless of how it was produced. The two categories carry the same criminal weight in most of our markets; the distinction is descriptive, not legal. The IWF, NCMEC, and InHope all classify and remediate both categories under unified workflows.

The shift to AI generation has not introduced a category gap. It has pushed volume (IWF reports a year-on-year increase in AI-generated material in its 2023 and 2024 reports) and it has complicated the hash-matching infrastructure platforms rely on to scale moderation. New AI-generated material has no historical hash to match against, so detection has shifted from hash-matching alone to layered classification using prompt-input filters, output classifiers, and behavioural signals.

When a reader asks "but how can it be illegal if no real child was harmed," the honest answer is that the law decided this question two decades ago and the answer has not changed. The depiction is the harm. Read Free Speech Coalition v. Reno (1999) and the subsequent congressional response in the PROTECT Act for the constitutional reasoning.

How do platforms moderate AI-generated images for minor protection?

Defence-in-depth is the consensus among trust-and-safety teams in this category. The Tech Coalition (whose members include Google, Microsoft, Meta, Discord, and the major image-model providers) published a 2024 framework document recommending a minimum of three independent moderation layers per platform handling user-generated AI imagery. Microsoft's PhotoDNA is the canonical hash-matching service, free for non-commercial deployment and widely used by hotlines and platforms. The Thorn Safer suite extends classification to AI-generated content with classifiers trained on synthetic CSAM patterns.

Platforms that deploy only one layer fail our audit. Reliance on user reports alone fails our audit. A policy page that promises moderation without naming the technical mechanism fails our audit. The audit is technical because the failure modes are technical, a model fine-tuned on inappropriate data will generate inappropriate output regardless of how clear the platform's terms of service are.

When I read a trust-and-safety page that says "we have robust safety measures in place" and stops there, that is a fail. When the page says "we run PhotoDNA hash-matching on all generated images, output classifiers trained on the Thorn Safer pipeline, and prompt filters maintained against an updated terminology block list reviewed quarterly," that is a candidate for the catalog. Specificity is the trust signal.

What does the GUARD Act and other 2024-2026 federal activity require?

The 2024-2026 stretch saw the federal floor stabilise around three operational pillars. First, mandatory CyberTipline reporting under 18 USC § 2258A for any US-jurisdiction "electronic communication service provider" that encounters apparent CSAM. AI companion platforms with US users fall squarely inside this duty. Second, the FTC's amended Negative Option Rule (click-to-cancel, October 2024) governs subscription cancellation across the whole adult tech sector, a parent who discovers their teen has subscribed to an app must be able to cancel in the same number of steps it took to sign up. Third, the Garcia v. Character Tech 2024 wrongful-death proceeding (Florida) seeded a settlement framework that platforms now use as a de-facto operational template for handling minor protection complaints, mandatory reporting routes, and the editorial labelling of AI-generated character output.

The pending federal AI labelling work (the AI Bill of Rights successor framework, the executive-order-mandated NIST guidance, the pending federal AI Disclosure Act) does not yet carry criminal teeth, but it is shaping platform behaviour in advance. The compliant platforms in our catalog disclose AI-generated character output explicitly; the platforms that don't disclose are not in our catalog. The disclosure question intersects with minor protection because non-disclosure invites confusion about whether what the user sees was produced by a real human in real time (which would bring its own statutory analysis) or by an AI image model. Both routes are bounded by § 1466A for minor-presenting output; disclosure clarifies which compliance machinery activates.

What are the EU rules on AI-generated CSAM?

The EU framework operates at three layers. The criminal layer is the CSA Directive 2011/93/EU, transposed by every member state into domestic criminal law and amended in May 2024 to expressly cover "realistic images" of children produced by AI. The platform-duty layer is the Digital Services Act (Regulation 2022/2065), whose Article 28 obliges providers accessible to minors to deploy proportionate protection measures, with the European Commission's July 2025 guidelines on the protection of minors translating that duty into specifics. The systemic layer is the EU AI Act (Regulation 2024/1689), whose Article 5 prohibits AI systems whose intended use is the production of CSAM and whose Article 50 imposes labelling obligations on synthetic media generally.

Member-state implementation varies in detail but converges in substance. German §184b StGB penalises the dissemination, acquisition, and possession of child pornography including computer-generated and wirklichkeitsnahe (realistic) images. France's Penal Code Article 227-23 reaches représentations of minors regardless of medium. Italy, Spain, the Netherlands, and Sweden have parallel provisions, all updated between 2022 and 2025 to remove any AI-specific ambiguity.

Last reviewed: May 2026

What is the UK CJA 2009 §62?

The UK regime is layered. The Protection of Children Act 1978 (PCA 1978) covers indecent photographs and pseudo-photographs of children, the latter category, added by the Criminal Justice and Public Order Act 1994, was drafted to reach computer-manipulated photographic-style imagery. The Coroners and Justice Act 2009 §62 adds a parallel offence for non-photographic prohibited images of a child, covering drawings, cartoons, manga, and CGI not caught by the PCA 1978 because they are not photographic in style. AI-generated content is reached by both regimes depending on its visual register: photorealistic AI output sits under the PCA 1978; stylised or cartoon AI output sits under CJA 2009 §62.

The Online Safety Act 2023 (OSA) layers a platform-duty regime on top: any service in scope must use accredited technology to detect and remove CSAM, and Ofcom's Codes of Practice for illegal-content duties (March 2025) operationalise the duty for AI-image platforms specifically. Penalties under OSA reach £18 million or 10 percent of global qualifying revenue, plus business-disruption measures up to and including ISP-level blocking. The UK is among the most active enforcement environments globally for this category.

What can parents do to block AI companion access?

The honest version of this conversation is that no single parental tool is reliable on its own. Teenagers route around device-level controls by switching to a browser; they route around browser controls by switching to a friend's account; they route around DNS filters by using mobile data instead of home Wi-Fi. The four-layer stack works because each layer catches what the previous one missed.

Layer 1, device-level controls. On Apple devices, Screen Time blocks adult content categories, hides apps, blocks unknown-developer installs, and surfaces purchase requests for parental approval. On Android, Google Family Link does the same. On Windows, Microsoft Family Safety covers the equivalent. Configure the strictest setting that matches the child's age, accept the friction that comes with managed accounts, and review the weekly activity report. The setup takes under thirty minutes per device.

Layer 2, DNS filtering. Setting the household router or per-device DNS to a family-filtered resolver blocks the entire category at the network level. Cloudflare for Families at 1.1.1.3 (malware + adult content) is free and zero-config. OpenDNS Family Shield at 208.67.222.123 works equivalently. NextDNS costs ~$2/month per household and offers fine-grained category controls plus reporting. DNS filtering catches the request before the device's browser even loads the page.

Layer 3, browser safe search. Lock Google SafeSearch and Bing SafeSearch Strict at the account level (not per-browser, which is bypassable). On a managed Google account through Family Link, SafeSearch is on by default and cannot be disabled by the child.

Layer 4 (purchase notifications. Enable app-store purchase notifications and credit-card statement alerts. AI companion subscriptions show up as recurring charges; spotting them in the first month is much easier than untangling them at month six. The FTC's amended Negative Option Rule (October 2024) requires platforms to make cancellation as easy as signup) use that right if the charge appears.

What does not work on its own: passive trust, after-the-fact conversations, browser-level controls that the child can disable, ad-hoc app blocks. The four-layer combination is what holds.

How do I report AI-generated CSAM in 2026?

The reporting workflow is built to be low-friction on purpose. NCMEC's CyberTipline accepts reports from any country and any reporter, a US resident, a non-US resident, an automated platform reporter, or a journalist. The IWF report form is similarly open. InHope's directory at inhope.org/find-a-hotline routes reporters to the nearest national hotline; in countries without a hotline, NCMEC and IWF will accept the report and forward to local law enforcement under their established memoranda of understanding. Reports are anonymous by default and the reporter's identity is only escalated where the reporter consents or where law-enforcement subpoena attaches under domestic process.

What you should not do: do not save the material as evidence. The act of saving is itself a possession offence in most of our markets. Do not redistribute the material to "show" anyone, including journalists or researchers. Do not engage with the source. Close the page, copy the URL, file the report. The hotline analysts work with URLs and timestamps, not with copies.

The triage time is short. The IWF cites a median takedown of two minutes once a report is verified. NCMEC routes to law enforcement within hours. InHope hotlines vary by country but the better-resourced ones (Germany, Netherlands, Canada) operate on similar timeframes. The report you file at noon may be acted on before dinner.

What is NCMEC?

NCMEC is a private 501(c)(3) non-profit established in 1984 under federal authorisation, headquartered in Alexandria, Virginia. The CyberTipline is its statutory reporting mechanism under 18 USC § 2258A, which obligates US-jurisdiction electronic communication service providers to report apparent CSAM to NCMEC. Reports flow from major platforms (Meta, Google, Microsoft, Apple, X, Discord, Snap, Reddit) and from individuals via the public-facing form at report.cybertip.org. NCMEC analysts triage, classify, and refer to law enforcement; the bureau of operations runs 24/7. The 2023 CyberTipline Report documents 36.2 million reports received and 105 million files for analysis in that year alone.

What is the IWF?

The IWF is a charity headquartered in Cambridge, UK, established in 1996. Its annual report is the canonical industry data source for CSAM volume and trend analysis. The IWF was the first hotline globally to publish dedicated guidance on AI-generated CSAM (October 2023, updated 2024), documenting the rapid migration of perpetrator activity onto open-source image-generation tools. The IWF URL list is the single most widely-deployed CSAM block-list in the world: distributed to UK ISPs by default and to a long list of international ISPs and platforms under licence.

What is InHope?

InHope is headquartered in Amsterdam and was founded in 1999. The network's value is in cross-jurisdictional coordination: a report filed with one national hotline can be classified, hashed, and referred to law enforcement in any other member jurisdiction within hours. The ICCAM platform is the technical backbone, allowing analysts to share classified material under controlled conditions without re-distributing the material itself. InHope members include the IWF (UK), Meldpunt Kinderporno (Netherlands), eco (Germany), Point de Contact (France), and 47 others.

Are 'schoolgirl' / 'teen' / 'barely legal' marketing terms allowed?

The legal logic is settled. UK appellate decisions on the Protection of Children Act 1978 have admitted defendant-supplied marketing language and platform-supplied descriptive copy as evidence of apparent age. US prosecutors under § 1466A apply the same approach. A platform that markets "barely legal" AI personas cannot subsequently rely on a back-end policy stating that all characters are 18+, the marketing is the representation, and the representation is what governs.

The editorial logic is also clear. A platform that chooses to deploy youth-coded marketing in a category where the regulatory and reputational risk of misclassification is severe is signalling either that its compliance posture is weak or that it is prepared to accept that risk for the conversion uplift. Either signal is disqualifying.

When I see a platform deploying these terms in its marketing, I do not need to run the rest of the audit. Criterion 2 fails at the marketing layer, and a fail on any single criterion is a fail on the whole list.

What is the audit checklist bestgirlfriend.ai applies to platforms?

The checklist below maps each criterion to its observable test, the source we consult, and the failure mode we have seen in real audits. The checklist is binary: pass or fail. There is no partial credit, and there is no commercial weighting.

Last reviewed: May 2026. The audit is performed manually by the editorial team and re-performed every six months on every listed platform plus immediately on any public change to character library, trust-and-safety policy, or generation pipeline.

What happens if a platform fails the audit?

The asymmetry is intentional. Listing a platform that subsequently fails minor protection harms our readers, harms our editorial credibility, and exposes both to unrecoverable reputational damage. Excluding a platform that subsequently remediates costs us a placement we never owed it. Between those two errors, the second is the one we choose to bear.

The internal failure log is not published. The reasoning is that publishing a curated list of platforms that fail minor-protection criteria would itself function as a search-traffic vector toward those platforms, readers searching for a name would find us linking to it with negative context and could still navigate to it from there. The list exists, it informs every subsequent audit, and it is shared with the trust-and-safety teams of platforms we do list when they ask comparative questions. The list is not marketing material.

This is the part of the editorial work that affiliate-driven competitors in our space won't do. The math is straightforward: a platform that fails our audit might pay $0.20 per signup. Listing it would be a non-trivial revenue line. Not listing it costs us that line. We don't list it. The decision is annual, not transactional.

Reach the right hotline

The buttons below route exclusively to reporting hotlines, they are not affiliate links, do not generate commission, and will never be replaced by commercial offers on this page.

How this page connects to the broader safety stack

The AI companion minors question sits at the centre of a four-page safety stack. The stack is built so that the absolute red line on this page reinforces and is reinforced by the parallel pages on age-verification access controls and CSAM statute interpretation. A platform must pass the audit on this page; readers must pass the age gate documented on age verification; the underlying statutes are dissected in plain English on AI CSAM laws explained; and the country-by-country and state-by-state legality picture is mapped on is an AI girlfriend illegal? state-by-state. The four pages are designed to be read together by readers, regulators, and the trust-and-safety teams that cite our editorial.

What this page does not cover

This page is not legal advice. Consult a qualified attorney in your jurisdiction.

This page covers the editorial red line on AI-generated minor-presenting content. It does not address:

• Age-verification access controls, see age verification for the four-layer model and US-state, UK, and EU statute map.
• General AI companion safety, see are AI companions safe? for the wider risk taxonomy including emotional dependency, data privacy, and dangerous-pattern flagging.
• CSAM statute mechanics in plain English, see AI CSAM laws explained for § 1466A, § 2256, the PROTECT Act, and international equivalents broken down for non-lawyers.
• State-by-state legality, see is an AI girlfriend illegal? state-by-state for the US legality map.
• Editorial process, see editorial process for how reviews are written, fact-checked, and updated.

Frequently asked questions

Last reviewed: May 2026

Sources

1. United States, 18 USC § 1466A, Obscene visual representations of the sexual abuse of children. uscode.house.gov
2. United States, 18 USC § 2258A, Reporting requirements of providers. uscode.house.gov
3. United States, PROTECT Act of 2003 (Public Law 108-21). congress.gov
4. United States, US Department of Justice press release on the 2024 AI-CSAM Wisconsin indictment. justice.gov
5. Ashcroft v. Free Speech Coalition, 535 U.S. 234 (2002). en.wikipedia.org
6. European Union, Child Sexual Abuse Directive 2011/93/EU and May 2024 amendment. en.wikipedia.org
7. European Union, Digital Services Act Article 28, Regulation (EU) 2022/2065. en.wikipedia.org
8. European Union, AI Act, Regulation (EU) 2024/1689. en.wikipedia.org
9. Federal Republic of Germany, Strafgesetzbuch §184b. gesetze-im-internet.de
10. United Kingdom, Coroners and Justice Act 2009 §62. en.wikipedia.org
11. United Kingdom, Protection of Children Act 1978. en.wikipedia.org
12. United Kingdom, Online Safety Act 2023. en.wikipedia.org
13. Canada, Criminal Code §163.1, Child Pornography. laws-lois.justice.gc.ca
14. Australia, Criminal Code Act 1995 §273.5. legislation.gov.au
15. National Center for Missing & Exploited Children, 2023 CyberTipline Report. missingkids.org
16. Internet Watch Foundation, Annual Report 2023. iwf.org.uk
17. InHope, About and Member Hotline Directory. inhope.org
18. Tech Coalition, Generative AI Trust and Safety Framework (2024). technologycoalition.org
19. Microsoft, PhotoDNA, image-hash service for known CSAM. microsoft.com/photodna
20. Thorn, Safer, AI-aware CSAM classification suite. safer.io
21. Apple, Screen Time parental controls. support.apple.com
22. Google, Family Link parental supervision. families.google.com
23. Microsoft, Family Safety. microsoft.com
24. Cloudflare, 1.1.1.1 for Families DNS filtering. blog.cloudflare.com
25. European Commission, Guidelines on the protection of minors under Article 28 DSA (July 2025). en.wikipedia.org

Cite this page

If you reference this editorial in academic, regulatory, or journalistic work, please cite as:

Joly, Alexandra (2026). AI Companion Minor Protection: Laws, Audit, Parental Tools, Reporting. bestgirlfriend.ai. https://bestgirlfriend.ai/safety/ai-companion-minors

Related pages

• Are AI companions safe?, overall safety stance and risk taxonomy.
• AI CSAM laws explained, § 1466A, § 2256, and international equivalents in plain English.
• Is an AI girlfriend illegal? State-by-state, legality map across the US.
• Age verification policy, the four-layer access-control model.
• Methodology, our published scoring framework and how minor protection sits in it.
• Editorial process, how reviews are written, fact-checked, and updated.

Per-jurisdiction notice

---

By Alexandra Joly's editorial bio, editorial lead · Last reviewed May 2026