Phosra Spec / Capability

PCSS v1.0 — Draft

Phosra Custody

Data minimization, retention, and deletion rights.

Read the rule listBack to all capabilities

What Custody does

One data-rights enforcement layer for every minor-data regime.

Every child-safety regime — COPPA 2.0, GDPR-K, India DPDPA, UK AADC, Connecticut SB 3, Maryland Kids Code — has different rules for what minor data can be collected, how long it can be retained, who it can be sold to, and when it must be deleted. Each is enforced by a different regulator, on a different timeline.

Custody is the data-rights enforcement layer. It blocks targeted ads to minor accounts, caps geolocation precision, strips third-party trackers at the router and DNS layer, processes deletion requests across every connected platform, and produces the Data Protection Impact Assessment evidence pack on demand. Every retention timer is policy-driven, every opt-out signal is honored.

A platform can answer “is this minor’s data being handled lawfully across every jurisdiction” without writing one statute-specific code path. A parent can issue a single deletion request that propagates everywhere their child has an account.

How partners plug in

Custody is a socket. Opt-out signals flow in. Deletion + audit flows out.

These are the upstream consent strings, hash-sharing networks, and opt-out signals Custody honors and propagates — either shipping today, in conversation with a partner, or pending an upstream pilot.

Powered byPhosra Custody
IAB GPC (Global Privacy Control) — universal opt-out signal honored across the stackMappings shipped
Powered byPhosra Custody
NCMEC / industry CSAM hash sharing — minor-data minimization at ingressPending pilot
Powered byPhosra Custody
USA Privacy String + GPP — multi-state consent string interopMappings shipped

Standards & laws

What Custody does for each statute.

  • COPPA 2.0 — enforces FTC’s expanded retention + deletion rules for under-17 users.
  • EU GDPR-Kids + UK AADC — applies the strictest member-state defaults, per-account.
  • India DPDPA — implements the “data fiduciary” duties for minor accounts.
  • California CCPA / CPRA (minor opt-out) — honors opt-out-of-sale across the network.
  • Connecticut SB 3 + Maryland Kids Code — enforces the no-targeted-ads + no-precise-location rules.
  • NY S8102 (data broker liability) — produces the per-minor data-flow audit pack.
  • EU Data Act + DSA Art. 28 — implements the minor-data-portability right.

Conformance

Adopter Tier 1 certification.

To ship Custody-conformance for an Adopter Tier 1 certification, your implementation must pass the Custody suite. Test count is [draft] coming Q3 2026. The suite covers opt-out signal propagation, retention-timer correctness, deletion-request fan-out, and DPIA evidence-pack generation.

We are co-authoring the suite with our design partners. If you want a seat at the table while the bar is being set, reach out.

Rule list

The 13 rules Custody ships

Every rule below is implemented by this capability. Pulled directly from the rule registry.

  • Privacy Location
  • Privacy Profile Visibility
  • Data Sharing ControlControls what personal data can be shared with third parties and platform partners.
  • Data Minimization Enforce
  • Third Party Tracker Block
  • Geolocation Precision Cap
  • Targeted Ad BlockBlocks behavioral advertising, ad profiling, and retargeting for minor users across connected platforms.
  • Data Deletion RequestTriggers data deletion workflows on connected platforms and enables full profile removal via API.
  • Geolocation Opt-InEnsures location tracking is disabled by default, requiring explicit parental authorization to enable.
  • Ai Training Data Opt Out
  • Image RightsProtects minors' image rights by controlling photo sharing and facial recognition usage.
  • Student Privacy School Mode
  • Commercial Data Ban

Implementing Phosra Custody? Talk to us.

Become an AdopterRead the CharterTalk to us
production·294717f·main·