Personal responsibility will always play an important role in technology use and addiction prevention. However, responsibility cannot rest solely on the individual holding the device. Throughout this series, a consistent pattern has emerged: many platforms now provide screen-time dashboards, reminders, parental controls, teen settings, and digital wellbeing tools. While these measures can be valuable, they are often introduced only after addiction risks have already been embedded within product design.
The next stage of digital policy must therefore move beyond addiction management and toward addiction prevention.
No single global law currently states that platforms must not design addictive products. Yet existing international, regional, and national frameworks already provide many of the necessary foundations. Privacy law establishes design-by-default principles. Child-rights frameworks emphasise the best interests, development, and wellbeing of children. Consumer protection frameworks address manipulation and dark patterns. AI governance frameworks promote human agency, transparency, and accountability. Online safety frameworks introduce risk assessment, prevention, and corporate responsibility.
The challenge is that these principles have not yet been fully integrated into a coherent regulatory duty to prevent addictive design.
This article proposes eight policy provisions that would help close that gap: mandatory addiction-risk assessments before deployment; prevention-by-design obligations; stronger restrictions on manipulative dark patterns; regulation of recommendation systems as addiction-risk technologies; wellbeing metrics and Well-being Impact Assessments; stronger default protections for children and teenagers; independent addiction-risk audits; accessible transparency reporting; limits on the monetisation of compulsive engagement; and effective enforcement mechanisms.
Together, these measures would shift the focus of regulation from responding to harm after it occurs to reducing the likelihood of harm in the first place.
Mandatory Addiction Risk Assessments
The first policy provision should require platforms to carry out addiction risk assessments before launching or significantly changing products, algorithms, recommender systems, notification systems, gaming mechanics or monetisation models.
The EU Digital Services Act already gives us useful language. It requires very large online platforms and search engines to “identify, analyse and assess” systemic risks that come from the “design or functioning” of their services, including algorithmic systems. It also includes risks to fundamental rights, including children’s rights and consumer protection. (EU Digital Services Act, Article 34)
This is important because it recognises that harm can come from design itself, not only from what individual users do.
However, the gap is that addiction risk is not always expressly named as a mandatory category. A platform can assess illegal content, data protection, disinformation or safety, but still avoid directly asking whether its own product design encourages compulsive use.
Policy should therefore require platforms to assess whether features such as infinite scroll, autoplay, streaks, reward loops, push notifications, algorithmic rabbit holes, personalised re-engagement and frictionless spending make stopping harder.
Prevention by Design
The second policy provision should require platforms to build prevention into the product from the beginning.
The GDPR already gives a strong model through data protection by design and by default. Article 25 requires controllers to implement “technical and organisational measures” designed to integrate safeguards into processing and protect data subjects’ rights. It also requires that, by default, only personal data necessary for a specific purpose is processed. (GDPR, Article 25)
If privacy can be protected by design and by default, then user agency and wellbeing can also be protected by design and by default.
Australia’s eSafety Commissioner gives an even clearer prevention model through Safety by Design. The framework says user safety and rights should be placed at the centre of product design and development. It also says safeguards should not be retrofitted after harm occurs, but should anticipate, detect and eliminate online harms before they occur. Its three principles are service provider responsibility, user empowerment and autonomy, and transparency and accountability.
This is very useful for addiction-prevention policy.
It means platforms should not add a screen-time tool after designing an endless feed. They should ask at the design stage whether the feed itself creates unhealthy patterns.
The gap in current policy is that safety-by-design and privacy-by-design are still not always translated into attention-by-design or wellbeing-by-design.
Stronger Rules Against Dark Patterns and Manipulative Nudges
The third policy provision should prohibit manipulative design patterns that push users toward compulsive engagement.
The Organisation for Economic Co-operation and Development (OECD) describes dark commercial patterns as digital practices that steer, deceive, coerce or manipulate consumers into choices that are often not in their best interests. It also recognises that these practices can exploit biases to extract money, personal data or increased attention, and may cause financial, privacy and psychological harm.
Dark patterns are not only about tricking someone into buying something. They can also be about extracting attention, increasing return visits, making cancellation difficult, or creating emotional pressure to stay.
Current dark-pattern policy often focuses on privacy consent, subscriptions, purchases and data collection. That is important, but incomplete.
Addiction-prevention policy should also address designs used to make users feel guilty, anxious, pressured or trapped when they choose to pause, reduce use or leave.
Regulation of Recommendation Systems
The fourth policy provision should regulate recommendation systems as addiction-risk systems.
Recommendation systems shape what people see, how long they stay, what mood they remain in, and whether they are pulled into repetitive loops.
The Digital Services Act already requires platforms that use recommender systems to explain, in “plain and intelligible language,” the main parameters used and the options users have to modify or influence them. (EU Digital Services Act, Article 27)
UNICEF’s Policy Guidance on AI for Children is especially relevant where recommendation systems affect children. It requires recommendation systems to treat minors as a distinct stakeholder class, pivoting algorithms from engagement-driven, addictive design toward fostering child development. Platforms must replace commercial optimization with proactive guardrails, restricting data profiling and eliminating harmful content pathways for young users.
The gap is that recommender transparency alone is not enough. A platform can explain why it recommends content while still designing the system to maximise watch time.
Addiction-prevention policy should require platforms to question whether their recommendation system makes it harder for the user to stop.
Wellbeing Metrics, Well Being Impact Assessments (WIAs)
The fifth policy provision should require major digital platforms to measure and report wellbeing-related indicators alongside traditional engagement metrics.
Platforms already collect extensive data on user behaviour, including time spent, clicks, views, notification opens, return visits, purchases, retention rates, and watch time. However, these metrics alone do not reveal whether users are genuinely benefiting from their experience. High engagement may reflect positive outcomes such as learning, social connection, or meaningful participation, but it can also result from anxiety, boredom, loneliness, distress, or compulsive use.
The European Union’s Digital Services Act has introduced systemic risk assessment and mitigation obligations for large platforms, addiction prevention requires a more targeted focus on user wellbeing. To address this gap, governments should standardise Well-being Impact Assessments (WIAs), similar to Environmental Impact Assessments and Data Protection Impact Assessments, and require them before the deployment of new algorithmic models or platform features.
These assessments should include pre-market auditing to evaluate potential effects on users’ sleep, attention, and social comparison behaviours; mandatory disclosure of optimisation metrics to regulators to ensure that platforms prioritise user wellbeing rather than maximising time spent; and independent red teaming by external psychologists and user-experience experts to identify addictive design patterns before public release.
Together, these measures would help distinguish healthy engagement from compulsive engagement and ensure that digital services are evaluated not only by how effectively they capture attention, but also by how they contribute to users’ wellbeing.
Default Protections for Children and Teenagers
The sixth policy provision should require stronger default protections for children and teenagers.
The UN Committee on the Rights of the Child’s General Comment No. 25 provides a strong foundation. It explains how children’s rights apply in the digital environment and requires States to respect, protect and fulfil children’s rights online. (UN Committee on the Rights of the Child, General Comment No. 25)
The African Union Child Online Safety and Empowerment Policy is especially important for African policy development. It establishes principles such as children’s right to safety, privacy and online participation, with prime importance attached to the best interests of the child. It is intended to support member states in developing child online safety and empowerment strategies.
The AU policy also expressly recognises that children’s rights must be protected online and offline, and that the policy should support member states in ensuring ICT providers respect children’s rights while prioritising the best interests of the child.
The ITU Child Online Protection Guidelines also provide useful global guidance. They were developed as recommendations for children, parents, educators, industry and policymakers to create a safe and empowering online environment for children and young people. (ITU Child Online Protection Guidelines) The ITU industry guidelines call for integrating child rights considerations into corporate policies and management processes, creating safer and age-appropriate online environments, and educating children, carers and educators on responsible use of ICTs. (ITU Child Online Protection Guidelines for Industry)
The gap is that many child online safety frameworks still focus heavily on content, contact, conduct, privacy and exploitation. These are critical, but addiction risk also deserves explicit treatment.
Children should not be expected to self-regulate inside systems designed for adult-level attention capture.
Independent Audits for Addiction Risk
The seventh policy provision should require independent audits for addiction risk.
Self-regulation is not enough. Platforms should not be left to mark their own homework.
The Digital Services Act already provides an accountability model for large platforms through systemic risk assessment and mitigation. (EU Digital Services Act, Articles 34 and 35) Academic analysis of DSA audits also shows the importance of evidence-based, context-sensitive audit methods for systemic risks.
Australia’s Safety by Design framework also supports accountability by placing safety into organisational culture, leadership and design processes, not just end-user tools.
The gap is that addiction-risk audits are not yet a standard requirement across major platforms and product categories.
An addiction-risk audit should test what users actually experience. The purpose of the audit should not be public relations. It should lead to redesign.
Transparency Duties That Ordinary People Can Understand
The eighth policy provision should require platforms to publish clear and accessible reports on addiction-risk prevention.
Transparency should not be limited to technical documents only regulators and lawyers can understand.
The DSA already requires recommender-system information to be provided in “plain and intelligible language.” (EU Digital Services Act, Article 27) That same standard should apply to addiction-risk reporting.
Platforms should explain:
- Which addiction risks they assessed
- What addictive design features they identified
- What changes they made
- How they protect children and vulnerable users
- How users can reset recommendations
- How late-night use is handled
- How often users bypass limits
- Whether users can easily pause, mute, delete or leave
- Whether wellbeing indicators improved or worsened
The gap is that transparency often focuses on content moderation, data protection or advertising. Addiction-prevention policy should require transparency on attention architecture: how platforms design for time, return, reward, interruption and exit.
Effective Enforcement and Remedies
The ninth policy provision is enforcement.
Policy without enforcement becomes public relations. Regulators should have power to require design changes, stronger defaults, removal of manipulative features, independent audits, public reporting and penalties for repeated non-compliance.
The UN Guiding Principles on Business and Human Rights provide a broader accountability foundation. They establish that businesses have a responsibility to respect human rights and should conduct human rights due diligence to identify, prevent, mitigate and account for how they address adverse impacts. (UN Guiding Principles on Business and Human Rights)
For technology addiction, this means platforms should not wait for harm to become visible. If their design foreseeably affects children’s wellbeing, mental health, sleep, autonomy, family life or development, then addiction risk should be part of corporate responsibility and due diligence.
The challenge is that many jurisdictions still lack clear legal standards on addictive design. Some debates remain trapped between banning platforms entirely and leaving everything to parental control. A better approach is to regulate design choices directly.
The Policy Gap
Existing frameworks provide valuable building blocks for regulating digital platforms.
The GDPR establishes protections through privacy-by-design and default settings; the Digital Services Act (DSA) mandates systemic risk assessment, recommender transparency, and platform accountability; Australia’s Safety by Design framework emphasizes prevention, user empowerment, and accountability; the UN Guiding Principles outline corporate due diligence; the UNCRC General Comment No. 25 articulates children’s rights in digital environments; and the African Union Child Online Safety and Empowerment Policy offers a regional framework for protecting and empowering children online.
Global guidance is further supported by the ITU Guidelines for child online protection, the OECD’s language on manipulation, dark patterns, and attention extraction, and ethical, child-centred AI guidance from UNESCO and UNICEF.
Yet despite this robust foundation, a critical gap remains: these frameworks rarely address addictive design explicitly. While they cover safety, privacy, wellbeing, transparency, child protection, consumer manipulation, and corporate responsibility, they do not consistently translate these principles into concrete obligations regarding infinite scroll, autoplay, streak pressure, reward loops, manipulative notifications, addictive recommender systems, attention extraction, or deliberately difficult exit design.
Conclusion
Technology addiction policy must move beyond screen-time advice. It must address the systems that shape behaviour: design, algorithms, notifications, defaults, metrics, monetisation and accountability.
The strongest policy approach would require platforms to assess addiction risk before harm occurs, design for prevention, remove manipulative dark patterns, make recommendation systems safer, measure wellbeing, protect children by default, limit monetisation of compulsion, submit to independent audits, report publicly and face consequences when design choices undermine user agency.
A healthier digital future should not depend only on users resisting platforms designed to overpower them.
It should require platforms to stop building addiction risk into the product in the first place.