Phosra Spec / Capability

OCSS v1.0 — Draft

Consent

Verifiable parental consent and access boundaries.

Read the rule listBack to all capabilities

What Consent does

One parental authority gate for every consent flow in child-safety law.

Every child-safety law that asks for verifiable parental consent — COPPA’s foundational requirement, KOSA’s “access notification” duty, Utah’s App Store Accountability Act, Texas SCOPE — turns out to be the same primitive in different uniforms. So does every screen-time limit, every purchase approval, every contact-control gate. Each platform builds its own consent flow and its own approval queue.

Consent is the consent step before every parental authority decision. A platform calls Consent once with the request; Consent returns Allow / Block / Pending Parent — backed by a verified parent attestation chain. The same primitive handles consent for account creation, time downtime windows, IAP approval, social-contact requests, school-mode toggles, and the Tech-Exit migration mode.

Parents stop being asked the same question twelve times across twelve apps. Regulators get a single audit-able consent record per child. Platforms inherit a verified-parent signal they can trust without standing up their own KYC stack.

How partners plug in

Consent is a socket. Consent requests flow in. Verified decisions flow out.

These are the upstream consent providers and family-management surfaces Consent federates — either shipping today, in conversation with a partner, or pending an upstream API.

Powered byConsent
Stytch / Privo / VerifyMy — verifiable parental consent providers (in conversation)Design partner candidate
Powered byConsent
Apple Family Sharing + Google Family Link — read-only consent + downtime mappingsMappings shipped
Powered byConsent
Civil-society age-band recommendation registry (in conversation)Mappings shipped

Standards & laws

What Consent does for each statute.

  • COPPA / COPPA 2.0 — mediates verifiable parental consent before any data collection from a minor.
  • KOSA — handles the parental-notification and time-restriction duties for covered platforms.
  • NY SAFE for Kids — gates addictive-feed exposure pending parent attestation.
  • CA AB 1709 (age-16 social media floor) — runs the parent-override consent flow.
  • UT App Store Accountability Act + TX SB 2420 — performs the at-install consent check.
  • EU GDPR-Kids (Art. 8) — verifies the parent’s age-of-consent override per member state.

Conformance

Adopter Tier 1 certification.

To ship Consent-conformance for an Adopter Tier 1 certification, your implementation must pass the Consent suite. Test count is [draft] coming Q3 2026. The suite covers parent-attestation chain verification, decision tracing across consent surfaces, audit-record emission, and federated-provider interop.

We are co-authoring the suite with our design partners. If you want a seat at the table while the bar is being set, reach out.

Rule list

The 14 rules Consent ships

Every rule below is implemented by this capability. Pulled directly from the rule registry.

  • Daily Time LimitEnforces maximum daily screen time across platforms with configurable per-app or global limits.
  • Scheduled HoursRestricts platform access to specified time windows (e.g., after school, before bedtime).
  • Time Per-App LimitCaps daily usage on a per-app or per-category basis once the budget is exhausted for the day.
  • Time DowntimeEnforces device downtime windows (e.g., overnight, school-night) across every connected app and surface.
  • Phone-Free School HoursRestricts non-educational apps during configured school-hour windows on minor devices.
  • Purchase ApprovalRoutes every in-app purchase through a parent-approval flow before the transaction completes.
  • Purchase Spending CapCaps cumulative in-app purchase spending at the configured monthly or per-transaction limit.
  • Social ContactsLimits the contacts list of a minor account to verified, parent-approved peers.
  • Social MultiplayerLimits multiplayer matchmaking to known contacts; blocks open-lobby pairing with strangers.
  • Stranger Outreach FrictionAdds verification friction (CAPTCHA, slow-mode, age-gate) to any adult initiating a first message to a minor.
  • Privacy Account CreationEnforces privacy-default settings (private profile, no DMs from non-contacts) on new minor accounts.
  • Parental Consent GateBlocks account creation and data collection until verifiable parental consent (VPC) is collected and signed.
  • Notification CurfewSuppresses non-essential push notifications during configurable quiet hours (e.g., overnight).
  • Dumbphone Migration ModeStrips a smartphone to call-and-text-only operation as a hard wind-down step before a full device migration.
Read § →

Implementing Consent? Talk to us.

Talk to a Partner EngineerRead the CharterTalk to us