Reference · the working vocabulary

The words behind the child-safety rules.

29 terms — the statutes, the mechanisms, the policy principles, and the compliance vocabulary — defined plainly and linked to the laws they touch. When a statute says “verifiable parental consent” or “duty of care,” this is where it gets pinned down.

Read these honestly

A few terms here name our work. Here's the line.

Most entries are neutral compliance vocabulary. Two — “OCSS” and “Rule Category” — describe the open standard Phosra builds on. OCSS is an individual IETF Internet-Draft (Draft 4, pre-release), not a ratified standards-body publication. Phosra is its reference implementer and one network on it — like Yubico for FIDO2. We don't own the standard, and nothing here is a compliance determination or a safe harbor.

The canonical spec, rule registry, and conformance suite live at openchildsafety.com — not here.

The glossary · 29 terms

Defined plainly, grouped by what they do.

Four lanes — legislation, technology, policy, and compliance. Open a lane and follow any term's linked statutes straight to its full mapping in the registry. Every definition is alphabetised within its lane.

LegislationThe statutes and bills that set the obligations — federal, state, and international.7

AADC (Age Appropriate Design Code)

The UK Age Appropriate Design Code, also known as the Children's Code, is a set of 15 standards that online services likely to be accessed by children must follow. It requires platforms to provide high privacy settings by default, minimize data collection, and switch off geolocation tracking for child users. California's version (AB 2273) applies similar principles to US platforms.

COPPA (Children's Online Privacy Protection Act)

A US federal law enacted in 1998 that imposes requirements on operators of websites and online services directed at children under 13. COPPA requires verifiable parental consent before collecting, using, or disclosing personal information from children. It also mandates clear privacy policies and gives parents control over their children's data.

COPPA 2.0

Proposed legislation that would update the original COPPA by raising the age threshold to 17, banning targeted advertising to minors, and expanding the types of personal information protected. COPPA 2.0 aims to address how children's online experiences have evolved since the original law was passed in 1998, covering social media, gaming, and AI-powered services.

COPPA Safe Harbor

An FTC-approved self-regulatory program that allows industry groups to create guidelines for COPPA compliance. Companies that participate in an approved Safe Harbor program are subject to the program's oversight rather than direct FTC enforcement. Safe Harbor programs must provide substantially similar protections to COPPA and include monitoring, disciplinary, and reporting mechanisms.

DSA (Digital Services Act)

The European Union's Digital Services Act is a comprehensive regulation governing digital platforms operating in the EU. It requires platforms to assess and mitigate systemic risks to minors, ban targeted advertising to children based on profiling, provide transparent recommendation systems, and conduct independent audits. Very large online platforms face the strictest obligations.

FTC COPPA Rule

The Federal Trade Commission's regulation implementing COPPA, which defines how operators must comply with the statute. The rule specifies acceptable methods of verifiable parental consent, data retention limits, and confidentiality requirements. The FTC updated the rule in 2024 to strengthen protections around push notifications, targeted advertising, and educational technology data practices.

KOSA (Kids Online Safety Act)

A US federal bill that would impose a duty of care on covered platforms to act in the best interests of minors. KOSA requires platforms to enable the strongest privacy and safety settings by default for users under 17, provide parental tools, and conduct annual independent audits. It addresses harms including promotion of self-harm, cyberbullying, and exploitation.

TechnologyThe mechanisms platforms reach for — age assurance, filtering, moderation, design.9

Addictive Design

Interface patterns and features intentionally designed to maximize user engagement and time spent on a platform, often at the expense of user wellbeing. Examples include infinite scroll, autoplay, streak mechanics, and variable-ratio reinforcement (like pull-to-refresh). Several child safety laws now specifically target addictive design features when applied to minor users.

Age Assurance

An umbrella term encompassing all methods used to determine or estimate a user's age, including age verification, age estimation, and self-declaration. Age assurance measures may range from simple date-of-birth entry to document-based verification or AI-powered facial analysis. Regulators increasingly require some form of age assurance for platforms accessible to children.

Age Estimation

Technology that estimates a user's age range without requiring them to provide identity documents. Common methods include facial age analysis using AI, behavioral analysis, and device-level signals. Age estimation provides a privacy-preserving alternative to document-based age verification, though it is less precise and typically determines an age range rather than exact age.

Age Gating

A mechanism that restricts access to content, features, or entire platforms based on a user's age. Age gates can be implemented through self-declaration (entering a date of birth), parental consent flows, or technical verification methods. While simple age gates like date-of-birth fields are easy to bypass, more robust implementations combine multiple signals for higher confidence.

Age Verification

The process of confirming a user's exact age or that they meet a minimum age threshold, typically using identity documents, credit card checks, or government ID databases. Age verification provides higher confidence than age estimation but raises privacy concerns about data collection. Several US states and international jurisdictions now mandate age verification for certain online platforms.

Algorithmic Amplification

The use of recommendation algorithms to promote and increase the visibility of content to users, often prioritizing engagement metrics over user wellbeing. When applied to minor users, algorithmic amplification can surface harmful content including self-harm material, eating disorder content, and extremism. Multiple child safety laws now require platforms to disable or limit algorithmic amplification for minors.

Content Filtering

Automated systems that screen, block, or restrict access to content deemed inappropriate for certain audiences. Content filtering for child safety may operate at the platform level (blocking harmful search results), device level (parental control apps), or network level (ISP-based filters). Modern filtering systems use AI classification models alongside keyword and hash-matching approaches.

Content Moderation

The practice of monitoring and reviewing user-generated content to enforce platform policies and legal requirements. Content moderation combines automated detection systems with human review to identify and act on harmful material such as child sexual abuse material (CSAM), cyberbullying, and age-inappropriate content. Platforms must balance effective moderation with free expression concerns.

Dark Patterns

User interface designs that manipulate users into making choices they would not otherwise make, such as sharing more personal data, disabling privacy settings, or continuing to use a service. In the context of child safety, dark patterns include making privacy controls difficult to find, using confusing language in consent flows, and employing emotional manipulation to prevent account deletion. The EU DSA and California AADC specifically prohibit dark patterns targeting minors.

PolicyThe principles the laws encode — minimization, duty of care, privacy by design.8

Data Minimization

The principle that organizations should collect only the minimum amount of personal data necessary for a specific, stated purpose. For child safety, data minimization means platforms should not collect children's data beyond what is needed to provide the core service. This principle is embedded in COPPA, GDPR Article 8, the UK AADC, and numerous state-level children's privacy laws.

Data Protection Impact Assessment (DPIA)

A formal process for evaluating the potential privacy risks of a data processing activity before it is implemented. Under the UK AADC and GDPR, platforms must conduct DPIAs when launching new services or features that process children's data. The assessment must identify risks, evaluate their severity, and document mitigation measures. DPIAs are a key compliance tool for demonstrating accountability.

Digital Wellbeing

A holistic framework for ensuring that technology use supports rather than harms a person's mental health, social development, and physical health. For children, digital wellbeing encompasses screen time management, protection from harmful content, age-appropriate design, and prevention of addictive engagement patterns. Multiple child safety laws now reference digital wellbeing as a core objective.

Duty of Care

A legal obligation requiring platforms to take reasonable steps to prevent foreseeable harm to their users, particularly children. In the child safety context, duty of care means platforms must proactively identify risks to minors and implement safeguards rather than merely reacting to reported harms. KOSA, the UK Online Safety Act, and Australia's Online Safety Act all impose forms of duty of care on covered platforms.

Privacy by Design

An approach to system engineering that embeds privacy protections into the design and architecture of products from the outset, rather than adding them as an afterthought. For child-directed services, privacy by design means building age-appropriate defaults, minimizing data collection, and ensuring safety controls are integral to the user experience. The UK AADC explicitly requires privacy by design for services accessed by children.

Screen Time

The amount of time a user spends actively engaged with a digital device or platform. In child safety policy, screen time management refers to tools and regulations that help parents and children monitor and limit device or app usage. Several laws now require platforms to provide screen time dashboards, usage alerts, and time-limit features for minor users.

ComplianceHow you prove it — audits, transparency, and the OCSS rule vocabulary that ties it together.5

Algorithmic Audit

An independent assessment of a platform's algorithms to evaluate their impact on users, particularly minors. Algorithmic audits examine recommendation systems, content ranking, and personalization engines to identify potential harms such as amplification of harmful content or discriminatory outcomes. KOSA, the EU DSA, and the EU AI Act all include provisions requiring algorithmic audits for platforms serving minors.

Compliance Audit

A systematic review of an organization's adherence to regulatory requirements, industry standards, or internal policies. In child safety, compliance audits verify that platforms correctly implement age verification, parental consent, data handling, and content moderation requirements. Audits may be conducted internally or by independent third parties, and several laws mandate annual compliance audits for covered platforms.

OCSS (Open Child Safety Specification)

An open specification — currently OCSS · Draft 4 · pre-release, an individual IETF Internet-Draft — that maps platform safety policies to 115 standardized rule categories (69 anchored / 54 provisional) derived from global child safety legislation. OCSS is the open protocol; Phosra implements it. The specification provides a unified compliance language that translates legal requirements from COPPA, KOSA, the EU DSA, and other laws into actionable technical specifications. Platforms can use OCSS to audit their compliance posture across all applicable jurisdictions simultaneously.

Rule Category

A standardized classification within the Open Child Safety Specification (OCSS) that represents a specific type of child safety requirement. There are 123 rule categories (69 anchored / 54 provisional) covering areas such as age verification, parental consent, content moderation, data handling, and algorithmic transparency. Each rule category maps to one or more provisions across multiple laws, enabling cross-jurisdictional compliance tracking.

Transparency Report

A public disclosure document in which platforms report data about their content moderation activities, government requests for user data, policy enforcement actions, and algorithmic impact assessments. Multiple child safety laws now mandate transparency reports specifically addressing how platforms protect minor users. These reports typically must be published on a regular schedule and include standardized metrics.

Each green tag links to that statute's full provision mapping in the compliance registry; the grey tags jump to related terms on this page.

From vocabulary to enforcement

A definition is the start. The mapping is the point.

Knowing what “duty of care” means is step one. Seeing which OCSS rule categories a statute decomposes into — and how a conformant router carries them across every surface — is where the registry takes over.