Providers will, therefore, need to look beyond traditional considerations about the amount of violence or prohibited imagery in their content. German law now contains a catalogue of “precautionary measures” from which platform providers must pick and choose to create an appropriate overall safety net protecting their young users. These measures can include:

• Providing easy-to-use flagging tools to allow players to report inappropriate content and communication.

• Allowing users to flag their own content as mature.

• Implementing parental control mechanisms that allow filtering of self-rated user content, and otherwise limit minors’ use and communication through the platform.

• Providing easy-to-understand terms and conditions, and information on third-party resources that can help deal with unwanted or harmful interactions (such as harassment).

• Using “safety by default” presets in privacy and communication settings.

The last two points, in particular, are evidence of another broad trend: legislators and regulators are increasingly using general legal principles to bolster youth protection. Regulators and consumer groups in Germany have targeted advertisements for in-game purchases based on laws implementing the Unfair Commercial Practices Directive, and the UK’s privacy regulator, the Information Commissioner's Office (ICO), has put in place a code of principles on designing services for children.

The ICO Age Appropriate Design Code became fully applicable on 2 September 2021, after a 12-month transition period. While it is not a formal law, it carries significantly more weight than guidance. The UK regulator must take the code into account when considering compliance with UK data protection laws and has said that it will monitor conformance via proactive audits and investigation of complaints, with substantial fines to boot. Not surprisingly, the code also requires easy-to-understand information and particularly privacy-friendly default settings for communication features.

However, the requirements are not limited to typical privacy measures. Among other things, providers are expected to take a risk-based approach to verify the age of their users and make their services “behave” accordingly, down to quite detailed guidance on in-game messaging or driving engagement.

Lawmakers in the German federal states are now considering regulations to impose additional obligations on providers of operating systems as well to provide a standardised age-information interface to communicate a user’s age. This would enable metaverses to sort their users into age cohorts without each provider operating within it having to verify age themselves. This legislative project raises numerous questions – technical and constitutional – but providers would be well advised to pay attention to these developments.

Finally, the updated EU Audiovisual Media Services Directive (AVMSD) includes transparency and age-gate requirements: some remarkably similar to Germany’s long-standing media youth-protection rules. While traditional games providers may not be in the scope of this directive, national implementing legislation may not differentiate between different media services. Furthermore, where the metaverse contains films and TV series, they are likely to be subject to these rules.