COPPA Safe Harbor - Compliance Enablement Documentation

How Provii enables COPPA compliance for clients

Public

COPPA Safe Harbor Documentation

Executive Summary

⚠️ IMPORTANT CLARIFICATION: Provii is an AGE VERIFICATION SERVICE (not a service FOR children)

COPPA Applicability to Provii: ❌ NOT APPLICABLE

Provii is NOT subject to COPPA because:

  1. Service excludes children by design: Age verification REJECTS users below 18+/21+ thresholds (depending on configuration)
  2. Zero knowledge architecture: NO personal data is ever collected from anyone, including children who attempt to use age-restricted services
  3. No child users: Provii proves users are ABOVE minimum age - children below threshold are rejected and no data is collected
  4. B2B infrastructure: Provii provides verification services to businesses (relying parties), not directly to consumers

Date of Birth Processing:

  • ✅ During credential issuance, date of birth is transmitted once to the issuer API for Pedersen commitment computation, then immediately discarded; it is never stored, logged, or retained. During verification, no date of birth is transmitted.
  • ✅ Zero knowledge proofs reveal ONLY “user is above threshold” (binary result)
  • ✅ Even for users who are rejected (below threshold), NO PII is collected or stored
  • ✅ Issuer handles identity proofing and DOB validation, NOT Provii

This Document’s Purpose:

This document explains how Provii enables COPPA compliance for clients (websites, apps, games) that DO serve children. While Provii itself is NOT subject to COPPA, services using Provii for age verification CAN use our zero knowledge architecture to:

  • Prevent under-13 access (age-gating)
  • Verify parental age for consent (prove parent is 18+ without collecting parent’s DOB)
  • Reduce children’s PII collection for age verification purposes (designed to make collection structurally unnecessary)

Key Value Proposition: Traditional COPPA compliance requires collecting, securing, and managing children’s PII with parental consent. Provii’s zero knowledge architecture is designed to eliminate PII collection for age verification purposes, reducing regulatory risk for services that use Provii.

Why This Matters

  • No PII Database. No honeypot of children’s data to secure or breach
  • Reduced Breach Notification Risk. A breach is not expected to expose age-verification PII because none is collected
  • Simplified Compliance. No complex parental consent workflows for PII collection
  • Privacy by Default. Users prove age without revealing date of birth

Table of Contents

  1. Introduction
  2. COPPA Requirements Analysis
  3. Use Cases for COPPA Compliance
  4. Privacy-Enhancing Benefits
  5. Integration Guide for Developers
  6. Compliance Matrix
  7. Safe Harbor Program Readiness
  8. Technical Implementation
  9. Recommendations
  10. Conclusion

Introduction

About COPPA

The Children’s Online Privacy Protection Act (COPPA) is a United States federal law enacted in 1998 and enforced by the Federal Trade Commission (FTC). COPPA applies to:

  1. Operators of commercial websites or online services directed to children under 13 years of age
  2. Operators with actual knowledge that they are collecting personal information from children under 13
  3. General audience services that knowingly collect PII from children under 13

COPPA Requirements (16 CFR Part 312):

  1. Privacy Policy: Post a clear and comprehensive privacy policy describing information practices
  2. Notice: Provide direct notice to parents about data collection practices
  3. Parental Consent: Obtain verifiable parental consent before collecting PII from children under 13
  4. Parental Rights: Give parents the choice to consent to collection/use but not disclosure to third parties
  5. Access: Provide parents access to their child’s personal information
  6. Deletion: Give parents the ability to prevent further use or collection and delete child’s information
  7. Confidentiality: Maintain confidentiality, security, and integrity of children’s PII
  8. Retention: Retain PII only as long as necessary to fulfill the purpose for which it was collected
  9. Data Minimization: Condition participation in activities on disclosure of only necessary information

Penalties: FTC can impose civil penalties up to $50,120 per violation.

Reference: 16 CFR Part 312 - Children’s Online Privacy Protection Rule


Safe Harbor Programs

The COPPA Rule includes a Safe Harbor provision (16 CFR § 312.11) that allows industry groups or others to submit self-regulatory guidelines for FTC approval. Approved Safe Harbor programs provide:

  • Alternative compliance mechanisms with equivalent or greater protection
  • Independent assessment and monitoring of members
  • Accountability mechanisms for non-compliance
  • Potentially streamlined FTC oversight

Approved Safe Harbor Programs (as of 2025):

  • CARU (Children’s Advertising Review Unit) - Safe Harbor Program
  • kidSAFE Seal Program
  • TRUSTe Children’s Privacy Certification
  • PRIVO - Privacy Verification and Certification Program

Provii’s Relationship to Safe Harbor: Provii is a technology provider that can be used by services participating in Safe Harbor programs or seeking direct COPPA compliance. Provii itself is not a Safe Harbor program but enables compliance.


Provii’s Role in COPPA Compliance

⚠️ CRITICAL CLARIFICATION: Provii is NOT subject to COPPA - this section describes how clients can use Provii for their COPPA compliance needs.

Provii provides zero knowledge age verification that enables OTHER services (that ARE subject to COPPA) to:

  1. Prevent under-13 access through privacy-preserving age verification (prove user is 13+)
  2. Verify parental age without collecting parent’s date of birth (prove parent is 18+)
  3. Gate content to age-appropriate audiences without PII collection
  4. Simplify compliance by reducing the need to collect, store, and secure children’s PII for age verification purposes

What Provii Does:

  • Proves a user is above an age threshold (e.g., 13+, 18+, 21+) using zero knowledge cryptography
  • Provides cryptographic proof of age without revealing actual date of birth
  • Enables age-gating and parental verification without PII collection
  • Primary use case. Age verification for ADULT content (18+/21+), rejecting children

What Provii Does NOT Do:

  • ❌ Collect names, addresses, email addresses, or other traditional PII from ANYONE
  • ❌ Store dates of birth on servers (DOB is transmitted once during issuance for cryptographic commitment computation, then immediately discarded; it is never stored or logged)
  • ❌ Provide identity verification (issuer’s responsibility, not Provii’s)
  • ❌ Collect data from children under 13 (or ANY age - zero knowledge architecture)
  • ❌ Provide services TO children (age verification EXCLUDES children from adult content)

Architectural Privacy Properties: Provii’s zero knowledge architecture is designed to make collecting children’s PII structurally infeasible rather than just prohibited by policy.

Why Provii is NOT Subject to COPPA:

  1. No child users: Age verification for adult content REJECTS children
  2. No PII collection: Zero knowledge architecture collects NO personal data from anyone
  3. B2B service: Provii provides verification infrastructure to businesses, not services directly to consumers

Evidence:

  • /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md (Lines 38-95)
  • Zero knowledge proof system documented in /trust/core/provii-crypto.mdx

COPPA Requirements Analysis

1. Privacy Policy Requirement

COPPA Requirement (16 CFR § 312.4): Post a clear and comprehensive online privacy policy that describes information practices with respect to children’s personal information.

How Provii Enables Compliance:

For Services Using Provii:

  • Simplified Privacy Policy. Can state “We do not collect personal information from children under 13” if using Provii for age-gating
  • No PII Disclosure. No need to describe collection, use, or sharing of children’s PII because none is collected
  • Provii Data Processing. Can reference Provii’s age verification (no PII shared with Provii either)

Example Privacy Policy Language:

Age Verification: We use Provii's privacy-preserving age verification to confirm users
are 13 years or older. This verification process does not collect, transmit, or store
your date of birth or any other personally identifiable information. Only a cryptographic
proof that you meet the age requirement is validated.

Provii’s Own Privacy Practices:

  • Minimal PII Collection. Provii servers never collect names, addresses, or contact information from users of any age. Date of birth is transmitted once during credential issuance for Pedersen commitment computation, then immediately discarded; it is never stored or logged.
  • IP Address Only. IP addresses retained for 90 days for anti-abuse (hashed in logs)
  • Published Privacy Policy. Available at https://maelstrom.au/trust

Evidence:

  • /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md (Lines 183-217)
  • /trust/security/data-retention.mdx - Published retention policy

Status: ✅ Compliant - Provii’s zero-PII architecture simplifies privacy policy requirements for clients


2. Direct Notice to Parents

COPPA Requirement (16 CFR § 312.4(b)): Provide direct notice to parents that describes the operator’s information practices before collecting PII from children.

How Provii Enables Compliance:

Option 1: Age-Gating to Prevent Under-13 Access

  • Implementation. Use Provii to verify user is 13+ before allowing registration
  • Result. No children under 13 access the service → COPPA does not apply
  • Privacy Benefit. No PII collected from user to prove they are 13+

Option 2: Parental Age Verification (If Allowing Under-13 Access)

  • Implementation. User claims to be under 13 → System requires parent to verify they are 18+
  • Parental Verification. Parent proves age via Provii (zero knowledge, no DOB revealed)
  • Result. Confirmed that an adult (18+) has provided consent
  • Privacy Benefit. No need to collect parent’s DOB, email, or other PII for verification

Traditional Approach (Without Provii):

1. Collect child's DOB → Store in database → Security risk
2. Collect parent's email → Send verification link → Email must be validated
3. Collect parent's credit card → Process transaction → Payment data security
4. All PII must be secured, accessed upon request, deletable

With Provii:

1. User proves age 13+ → No PII collected → No database entry
   OR
2. Parent proves age 18+ → No PII collected → Consent recorded without PII

Evidence:

  • Age verification flow: /trust/compliance/evidence/age-verification/flow-evidence.md
  • Zero knowledge architecture: /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md (Lines 486-584)

Status: ✅ Enabled - Provii provides privacy-preserving alternatives to traditional parental notice and verification


3. Verifiable Parental Consent

COPPA Requirement (16 CFR § 312.5): Obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13.

COPPA-Approved Consent Methods (16 CFR § 312.5(b)):

  1. Credit card, debit card, or other online payment system with transaction verification
  2. Video conference or similar technology with participant verification
  3. Government-issued ID verification (driver’s licence, passport)
  4. Knowledge-based authentication questions
  5. Face-to-face meeting with ID verification
  6. Email plus confirmation (limited to internal use only)

How Provii Enables Compliance:

Provii provides a privacy-preserving verification method that can supplement or replace traditional consent mechanisms:

Parental Age Verification Flow:

  1. Child Registration Attempt: User indicates they are under 13
  2. Parental Consent Required: System notifies that parent must verify age and provide consent
  3. Parent Age Verification: Parent uses Provii to prove they are 18+ (adult)
     • Parent scans QR code with Provii Wallet
     • Wallet generates zero knowledge proof: “I am 18 or older”
     • No DOB revealed to service or Provii servers
  4. Consent Recorded: System records that an adult (18+) provided consent on specific date/time
  5. Optional: Combine with email confirmation (dual factor: age proof + email control)

Privacy Benefits Over Traditional Methods:

| Method | PII Collected | Security Risk | User Friction |
| --- | --- | --- | --- |
| Credit Card | Card number, CVV, billing address | High (payment data breach) | High (payment required) |
| Government ID | Full name, DOB, ID number, photo | Very High (identity theft) | High (photo upload) |
| Knowledge-Based Auth | SSN, previous addresses, financial history | Very High (sensitive PII) | High (complex questions) |
| Provii Age Verification | None (zero knowledge proof only) | Minimal (no PII to breach) | Low (QR scan) |

Dual-Factor Verification (Recommended):

  • Factor 1. Provii age verification (proves parent is 18+)
  • Factor 2. Email confirmation (proves email control)
  • Result. Verifiable parental consent without collecting parent’s DOB or government ID
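The “Consent Recorded” step and the dual-factor rule above, as an added example that is not Provii’s code: a consent-record builder for a relying party’s backend that persists only the two factor results (a boolean age proof result and a boolean e-mail confirmation), a timestamp and an opaque reference to the proof. It refuses any input carrying a date-of-birth-like field or any field outside an allowlist, which is the same boundary-level rejection this document describes for the sandbox issuance endpoint. The field names, the DOB key variants beyond `birthdate`, `dob` and `date_of_birth`, and the helper names are assumptions.

```javascript
// Added example, not Provii's code. Builds the record a relying party
// persists after dual-factor parental verification. Only boolean factor
// results, a timestamp and an opaque proof reference survive; no DOB.

// Keys treated as a date of birth. "birthdate", "dob" and "date_of_birth"
// are the names this document lists; the remaining variants are assumed.
const DOB_KEY_PATTERN = /^(dob|birth_?date|date_?of_?birth|birthday|birth_?year)$/i;

// The only fields a consent record may be built from (allowlist).
const ALLOWED_INPUT_FIELDS = new Set([
  'childUserId', 'parentEmail', 'verificationId',
  'parentAgeVerified', 'emailConfirmed',
]);

// Walk an object (including nested objects) and return the paths of any
// DOB-like keys. Arrays and primitives are treated as leaves.
function findDobKeys(value, path = '', found = []) {
  if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
    for (const [key, child] of Object.entries(value)) {
      const here = path ? `${path}.${key}` : key;
      if (DOB_KEY_PATTERN.test(key)) found.push(here);
      findDobKeys(child, here, found);
    }
  }
  return found;
}

// Build the record that gets persisted, or throw if the input carries
// anything beyond the two factor results and their references.
function buildConsentRecord(input, now = new Date()) {
  const dobKeys = findDobKeys(input);
  if (dobKeys.length > 0) {
    throw new Error(`refusing to record consent: DOB field(s) present: ${dobKeys.join(', ')}`);
  }
  const unknown = Object.keys(input).filter((k) => !ALLOWED_INPUT_FIELDS.has(k));
  if (unknown.length > 0) {
    throw new Error(`refusing to record consent: unexpected field(s): ${unknown.join(', ')}`);
  }
  // Both factors must be present as booleans; a numeric age is never accepted.
  if (input.parentAgeVerified !== true) {
    throw new Error('factor 1 (18+ age proof) not satisfied');
  }
  if (input.emailConfirmed !== true) {
    throw new Error('factor 2 (e-mail confirmation) not satisfied');
  }
  if (typeof input.verificationId !== 'string' || input.verificationId.length === 0) {
    throw new Error('verificationId (opaque reference to the age proof) is required');
  }
  return {
    childUserId: String(input.childUserId),
    parentEmail: String(input.parentEmail), // kept for later access/deletion requests
    verificationId: input.verificationId,   // reference to the proof, contains no PII
    parentAgeVerified: true,                // boolean result, never an age or DOB
    emailConfirmed: true,
    consentDate: now.toISOString(),
  };
}
```

Because the allowlist is checked after the DOB scan, a form that accidentally posts `parentAge: 41` is rejected as an unexpected field rather than silently dropped, which makes the mis-wiring visible in the relying party’s own error logs.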

Evidence:

  • Challenge generation: /trust/compliance/evidence/age-verification/flow-evidence.md (Lines 142-194)
  • Zero knowledge proof generation: /trust/compliance/evidence/age-verification/flow-evidence.md (Lines 196-241)
  • Proof verification: /trust/compliance/evidence/age-verification/flow-evidence.md (Lines 243-310)

Status: ✅ Enabled - Provii provides privacy-preserving parental age verification that can be combined with email confirmation for COPPA-compliant consent


4. Parental Rights: Choice, Access, and Deletion

COPPA Requirement (16 CFR § 312.6): Parents must be able to:

  • Review personal information collected from their child
  • Direct the operator to delete the child’s personal information
  • Refuse to permit further collection or use of the child’s information

How Provii Enables Compliance:

Scenario 1: Age-Gating (No Under-13 Users)

  • Implementation. Use Provii to verify all users are 13+
  • Result. No children’s PII collected → No access/deletion rights needed
  • Parent Request. “Please delete my child’s data” → Response: “We do not collect personal information from users; only age verification proofs are used, which contain no PII”

Scenario 2: Allowing Under-13 Access with Parental Consent

  • Traditional PII. Service may collect child’s account information (username, email, etc.)
  • Provii’s Role. Age verification and parental consent validation does NOT add additional PII
  • Parent Access. Parent can access child’s account data (provided by service, not by Provii)
  • Deletion. Service deletes child’s account data; Provii verification records contain no PII to delete

Provii Data Retention:

  • Challenge Records. 5 minutes active TTL (automatically deleted via KV expiration)
  • IP Addresses. Retained 90 days for anti-abuse only (hashed in logs)
  • Zero knowledge Proofs. Contain no PII (mathematical proofs, not personal data)
  • No User Database. Provii does not maintain user accounts or profiles

Right to Deletion - Automatic Compliance:

  • No PII Stored. Nothing to delete
  • IP Addresses. Auto-deleted after 90 days
  • Verification History. Not linked to user identity (random challenge IDs)

Evidence:

  • Data retention policy: /trust/compliance/evidence/privacy-controls/data-lifecycle-evidence.md (Lines 45-85)
  • Automated deletion: /trust/compliance/evidence/privacy-controls/data-lifecycle-evidence.md (Lines 184-436)
  • User rights implementation: /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md (Lines 220-255)

Status: ✅ Simplified Compliance - Provii’s zero-PII architecture is designed to reduce data subject rights obligations (no age PII to access or delete)


5. Data Security

COPPA Requirement (16 CFR § 312.8): Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

How Provii Enables Compliance:

For Services Using Provii:

  • Reduced Attack Surface. No children’s DOB in database → No DOB to breach
  • Simplified Security. Fewer PII fields to encrypt, access-control, and audit
  • Lower Risk Profile. A data breach of age verification records is not expected to reveal age-related PII

Provii’s Security Controls:

  1. Encryption in Transit (UC-044)
     • TLS 1.2+ enforcement on all API endpoints
     • HSTS preload for transport security
     • Evidence: /trust/compliance/evidence/security-controls/api-security-evidence.md (Lines 39-95)
  2. Authentication & Authorisation (UC-045, UC-046)
     • HMAC-SHA256 request signatures for API authentication
     • RBAC with client ID verification (BOLA protection)
     • Evidence: /trust/compliance/evidence/security-controls/api-security-evidence.md (Lines 97-200)
  3. Rate Limiting & Abuse Prevention
     • 100-600 requests/minute per client (prevents brute force)
     • IP-based rate limiting (90-day retention, hashed logs)
     • Challenge replay protection via nullifiers
  4. Cryptographic Guarantees
     • Zero knowledge proofs using Groth16 zkSNARK on BLS12-381 curve
     • Pedersen commitments hide date of birth
     • Cryptographic erasure via zeroize crate for secrets in memory
     • Evidence: /trust/compliance/evidence/privacy-controls/data-lifecycle-evidence.md (Lines 560-587)
  5. Secure Development Practices
     • Automated dependency scanning (Dependabot)
     • SAST/DAST in CI/CD pipeline
     • Code signing and artifact verification
     • Evidence: /trust/compliance/evidence/development/devops-evidence.md

Key Architectural Security Properties:

  • No PII to Breach. Date of birth is transmitted once during issuance to compute a cryptographic commitment but is never stored
  • No Central Database. No honeypot of children’s data
  • Minimal Data Retention. 90-day IP logs (hashed), challenge records (5 minutes TTL)
  • Cryptographic Privacy. Zero knowledge proofs prevent information leakage
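The commitment step behind the “No PII to Breach” property, as an added example that is not Provii’s code: a toy Pedersen commitment over the multiplicative group modulo the Mersenne prime 2^31-1. It shows what the issuer holds after committing to a date of birth (the commitment only; the DOB goes out of scope) and the homomorphic step a verifier uses to form a commitment to (cutoff day - DOB) without ever seeing the DOB. The real system uses BLS12-381 with a Groth16 proof, and the range proof that the difference is non-negative is out of scope here. The group parameters, the day-count encoding and all function names are assumptions, and the parameters are not secure.

```javascript
// Added example, not Provii's code. Toy Pedersen commitment; parameters are
// deliberately small and NOT secure.
const P = 2147483647n;   // 2^31 - 1, prime
const ORDER = P - 1n;    // exponents are reduced mod the group order
const G = 7n;            // primitive root mod P
const H = 48271n;        // second generator; in a real deployment nobody may
                         // know log_G(H), which this toy setup does not ensure

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Reduce an exponent into [0, ORDER), handling negative values.
function modOrder(x) {
  return ((x % ORDER) + ORDER) % ORDER;
}

// Pedersen commitment C = G^m * H^r mod P. The issuer computes this from the
// DOB (as a day count) and a random blinding r, hands C to the wallet, and
// lets m go out of scope; C reveals nothing about m without r.
function commit(m, r) {
  return (modPow(G, modOrder(m), P) * modPow(H, modOrder(r), P)) % P;
}

// Opening check: does (m, r) explain C?
function openCommitment(c, m, r) {
  return commit(m, r) === c;
}

// Homomorphic step used by "above threshold" proofs: from a public cutoff day
// and the DOB commitment, the verifier forms a commitment to (cutoff - dob)
// with blinding -r, without learning dob. The wallet then proves in zero
// knowledge that this difference commitment opens to a non-negative value.
function differenceCommitment(cDob, cutoffDays) {
  const inverse = modPow(cDob, P - 2n, P); // Fermat inverse; P is prime
  return (modPow(G, modOrder(cutoffDays), P) * inverse) % P;
}

// Day count since 1970-01-01 for an ISO date (assumed DOB encoding).
function daysSinceEpoch(isoDate) {
  return Math.floor(Date.parse(`${isoDate}T00:00:00Z`) / 86400000);
}

// Latest birth day that still satisfies a minimum age on a given day.
function cutoffDays(todayIso, minAgeYears) {
  const d = new Date(`${todayIso}T00:00:00Z`);
  d.setUTCFullYear(d.getUTCFullYear() - minAgeYears);
  return Math.floor(d.getTime() / 86400000);
}
```

The point to take from the block is structural: the verifier only ever handles `cDob` and the public cutoff, and the only value it stores is a threshold result, which is why a breach of verification records yields no date of birth.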

Evidence:

  • API security evidence: /trust/compliance/evidence/security-controls/api-security-evidence.md
  • Cryptographic implementation: /trust/compliance/evidence/cryptography/crypto-implementation-evidence.md
  • Infrastructure security: /trust/compliance/evidence/infrastructure/infrastructure-evidence.md

Status: ✅ Strong Security Posture - Provii implements defence-in-depth security controls; zero-PII architecture is designed to reduce children’s data breach risk


6. Data Retention and Deletion

COPPA Requirement (16 CFR § 312.10): Retain children’s personal information only as long as reasonably necessary to fulfill the purpose for which it was collected, and delete information using reasonable measures.

How Provii Enables Compliance:

Provii’s Data Retention Practices:

| Data Type | Retention Period | Justification | Auto-Deletion Method |
| --- | --- | --- | --- |
| Challenge Records | 5 minutes | Active verification session | KV TTL expiration |
| Nonce Records | 5 minutes | Replay protection | KV TTL |
| IP Addresses | 90 days | Anti-abuse, diagnostics | Cloudflare Workers Logs in Grafana Loki (90-day Loki tenant retention) |
| Audit Logs | 90 days; critical security event logs are retained for up to 365 days | Security investigations | KV TTL-based deletion |
| Zero knowledge Proofs | Not stored | Verified and discarded | N/A (stateless verification) |
| Dates of Birth | Not stored | Transmitted once during issuance for Pedersen commitment computation, then immediately discarded; not transmitted during verification | N/A (ephemeral processing only) |

Automated Deletion Implementation:

  1. Challenge TTL-Based Expiration:
     • Maximum challenge lifetime: 5 minutes
     • Cloudflare KV automatic expiration via expirationTtl
     • Evidence: /trust/compliance/evidence/privacy-controls/data-lifecycle-evidence.md (Lines 186-230)
  2. Nonce TTL-Based Expiration:
     • Nonce lifetime: 5 minutes
     • KV TTL automatic cleanup
     • Evidence: /trust/compliance/evidence/privacy-controls/data-lifecycle-evidence.md (Lines 232-267)
  3. Sandbox Cleanup Cron Worker:
     • Runs daily at 3 AM UTC
     • Retention: 1-7 days (sandbox environment only)
     • Evidence: /trust/compliance/evidence/privacy-controls/data-lifecycle-evidence.md (Lines 269-352)
     • Docs interactive sandbox posture (synthetic-only):
        • Sandbox accepts pre-defined fixture IDs only; raw date-of-birth strings are never accepted as input
        • The issuance endpoint schema rejects any raw DOB string (birthdate, dob, date_of_birth and equivalents) at the handler boundary before any processing occurs
        • Every sandbox-issued attestation is stamped environment: sandbox and synthetic: true so the credential cannot be repurposed
        • The production provii-verifier refuses the shared sandbox issuer identity, enforcing a hard cryptographic boundary between the sandbox and any live COPPA-obligated relying party
        • Fixture-input data has zero retention: the sandbox processes fixture IDs in memory only and does not persist them to KV, Workers Logs, or any other log surface
        • Rationale: a public developer-onboarding surface must be incapable of handling a real child’s DOB even if a developer mistakenly submitted one; schema-level rejection enforces the COPPA zero-collection posture described elsewhere in this document
  4. IP Address Auto-Expiry:
     • Cloudflare Workers Logs shipped to Grafana Loki: 90-day Loki tenant retention
     • Bulk-deleted at retention expiry; not individually erasable mid-window
     • Used only for anti-abuse and diagnostics
     • Evidence: /trust/compliance/evidence/privacy-controls/data-lifecycle-evidence.md (Lines 388-436)
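The challenge and nonce TTL rules above, as an added example that is not Provii’s code: an in-memory stand-in for a KV namespace with `expirationTtl` semantics, a challenge that lives at most five minutes, and a nonce that is accepted exactly once so a captured wallet response cannot be replayed. Cloudflare KV is replaced by a `Map` so the code runs offline, time is injected so expiry can be simulated, and the zero-knowledge proof check itself is represented by a boolean the caller supplies. The function and field names are assumptions.

```javascript
// Added example, not Provii's code. Map-based substitute for a KV namespace
// with TTL, plus single-use nonce handling for challenge records.
const CHALLENGE_TTL_SECONDS = 300; // 5-minute lifetime, as in the retention table

class TtlStore {
  constructor(now = () => Date.now()) {
    this.now = now;            // injected clock (milliseconds)
    this.items = new Map();
  }
  // Mirrors KV put(key, value, { expirationTtl }): seconds until expiry.
  put(key, value, { expirationTtl }) {
    this.items.set(key, { value, expiresAt: this.now() + expirationTtl * 1000 });
  }
  // Expired entries read as absent and are dropped, as KV would do.
  get(key) {
    const entry = this.items.get(key);
    if (!entry) return null;
    if (entry.expiresAt <= this.now()) {
      this.items.delete(key);
      return null;
    }
    return entry.value;
  }
  delete(key) {
    this.items.delete(key);
  }
  // Number of entries still inside their TTL.
  liveCount() {
    for (const key of [...this.items.keys()]) this.get(key);
    return this.items.size;
  }
}

// Create a challenge for an age threshold. id and nonce are random tokens in
// practice; they are parameters here so callers (and the test) control them.
function createChallenge(store, minAge, id, nonce) {
  const record = { minAge, nonce, createdAt: store.now() };
  store.put(`challenge:${id}`, record, { expirationTtl: CHALLENGE_TTL_SECONDS });
  return { id, nonce, minAge };
}

// Consume a challenge with the wallet's response. Order matters: the nonce
// replay check runs first, then the challenge lookup, and the nonce is marked
// used before the proof result is examined, so a failed proof cannot be
// retried against the same challenge either. Only the threshold result and a
// timestamp come back; nothing about the user's date of birth exists here.
function consumeChallenge(store, id, nonce, proofValid) {
  if (store.get(`nonce:${nonce}`)) return { ok: false, reason: 'replay' };
  const record = store.get(`challenge:${id}`);
  if (!record) return { ok: false, reason: 'expired-or-unknown' };
  if (record.nonce !== nonce) return { ok: false, reason: 'nonce-mismatch' };
  store.put(`nonce:${nonce}`, true, { expirationTtl: CHALLENGE_TTL_SECONDS });
  store.delete(`challenge:${id}`);
  if (!proofValid) return { ok: false, reason: 'proof-invalid' };
  return { ok: true, minAge: record.minAge, verifiedAt: store.now() };
}
```

Keeping the used-nonce marker for the same five minutes as the challenge is enough: once the challenge itself has expired, a replayed response fails the lookup, so the marker does not need to outlive it.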

For Services Using Provii:

  • Simplified Retention. No children’s DOB to retain or delete
  • Verification Records. Can retain proof of age verification (no PII in proof)
  • Consent Records. Can retain timestamp of parental consent (no parent DOB stored)

Evidence:

  • Data retention policy: /trust/security/data-retention.mdx
  • Automated deletion implementation: /trust/compliance/evidence/privacy-controls/data-lifecycle-evidence.md
  • Retention policy code: provii-verifier/src/storage/retention.rs

Status: ✅ Exceeds COPPA Requirements - Provii’s zero-PII architecture is designed to reduce retention obligations; minimal operational data auto-deleted via TTL


7. Data Minimization

COPPA Requirement (16 CFR § 312.7): Condition a child’s participation in a game, contest, or other activity on disclosure of only the information necessary for participation.

How Provii Enables Compliance:

Zero knowledge Data Minimization:

  • Binary Age Verification. System learns ONLY “user is 13+” (yes/no), nothing more
  • Ephemeral DOB Processing. Date of birth is transmitted once during issuance for cryptographic commitment computation, then immediately discarded; it is never stored or logged, and it is not transmitted during verification.
  • No Identity Verification. Provii does not verify name, address, or identity
  • Minimal Proof Data. Zero knowledge proof reveals only age threshold result

Traditional Age Verification (What Provii Avoids):

❌ Collect: Full name
❌ Collect: Date of birth (month, day, year)
❌ Collect: Email address
❌ Store: All above in database
❌ Risk: Data breach exposes children's PII

With Provii:

✅ Collect: Zero-knowledge proof (cryptographic data, not PII)
✅ Learn: "User is 13+" (binary result only)
✅ Store: Proof verification timestamp (no PII)
✅ Risk: Data breach reveals no PII (none collected)

What Provii Is Architecturally Designed Not to Collect:

  • Names, addresses, phone numbers, email addresses
  • Dates of birth (transmitted once during issuance for cryptographic commitment computation, then immediately discarded; never stored, logged, or retained; not transmitted during verification)
  • Government-issued ID numbers or documents
  • Biometric data (facial recognition, fingerprints)
  • Geolocation data (beyond IP for anti-abuse)
  • Persistent device identifiers or tracking cookies

Evidence:

  • Data minimization analysis: /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md (Lines 32-96)
  • What’s NOT collected: /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md (Lines 586-649)
  • Unified control matrix: /trust/compliance/requirements/unified-control-matrix.md (Lines 82-107)

Status: ✅ Architectural Data Minimization - Provii collects only mathematical proofs, not personal information; zero-PII by design


Use Cases for COPPA Compliance

Use Case 1: Gaming Platform (Age-Gating)

Scenario: Online multiplayer game wants to prevent users under 13 from registering to avoid COPPA obligations.

Challenge: Traditional age verification requires collecting date of birth, which becomes PII subject to COPPA if user is under 13.

Provii Solution:

  1. User Registration Flow:
     • User attempts to create account
     • System displays: “Prove you are 13 or older to continue”
     • User scans QR code with Provii Wallet
  2. Zero knowledge Age Verification:
     • Wallet generates proof: “I am 13 years or older”
     • Proof transmitted to game platform via Provii API
     • Platform verifies proof cryptographically
  3. Account Creation:
     • If proof valid: User is 13+ → Account created
     • If proof invalid: User is under 13 → Registration denied
     • No DOB stored. Platform knows user is 13+ but not exact age
  4. COPPA Compliance Result:
     • No users under 13 on platform → COPPA does not apply
     • No children’s PII collected (including no DOB)
     • Privacy policy can state: “We do not knowingly allow users under 13; age verification does not collect personal information”

Implementation Code (Pseudocode):

<!-- provii-agegate is CDN-only; there is no npm package -->
<script src="https://cdn.provii.app/sdk/provii-agegate/v0.1.1/agegate.browser.js"
        integrity="sha384-m36QUlTqbIeTJy8CpsTEBJS1b3aLlKIJ4WUfcyUQyaM7c5sTUsy4+CHq5Idh2Qor"
        crossorigin="anonymous"
        data-public-key="pk_live_..."
        data-environment="production">
</script>

The script tag triggers autoload mode. provii-agegate blocks the page with an overlay, displays a QR code and deep link, polls for verification, and redirects on success. The age threshold (13+) and proof direction are configured server-side on the Relying Party’s policy, not in client-side code. No backend integration is required for simple website verification.

Privacy Benefits:

  • No date of birth in user database
  • No risk of accidentally collecting under-13 PII
  • Simplified privacy policy and data governance

Evidence: Integration guide at /trust/guides/for-verifiers.mdx


Use Case 2: Social Network (Parental Consent)

Scenario: Social network allows users 13+ but wants to provide a “kids mode” for under-13 users with parental consent (similar to YouTube Kids, Instagram for Kids).

Challenge: Must obtain verifiable parental consent before collecting any PII from children under 13.

Provii Solution:

  1. Child Registration Attempt:
     • User indicates they are under 13
     • System notifies: “Parental consent required”
  2. Parental Age Verification:
     • Parent receives notification (via email or SMS to parent’s existing contact)
     • Parent scans QR code with Provii Wallet
     • Parent proves they are 18+ (adult verification)
     • No parent DOB collected or stored
  3. Consent Recording:
     • System records: “Adult (18+) provided consent on [date] for child account [ID]”
     • Parent’s email (if provided) linked to consent for future access/deletion requests
     • No parent DOB, full name, or government ID stored
  4. Combined Verification (Dual Factor):
     • Factor 1. Provii age verification (proves parent is 18+)
     • Factor 2. Email confirmation (proves email control)
     • Result. Verifiable parental consent under COPPA
  5. Ongoing Compliance:
     • Parent can access child’s account data (via email login)
     • Parent can delete child’s account (via account settings)
     • Service manages child’s PII (posts, photos, etc.) per COPPA requirements
     • Provii’s role. Only verified parent age, no ongoing PII collection

Implementation Code (Pseudocode):

// Parental consent flow (pseudocode). `agegate`, `sendEmail`, `database` and
// `enableChildAccount` stand for the relying party's own SDK client and
// backend helpers.
async function requestParentalConsent(childUserId, parentEmail) {
  // Send email to parent
  await sendEmail(parentEmail, {
    subject: "Parental Consent Required",
    body: "Please verify your age to provide consent..."
  });

  // Create adult age verification challenge (18+). Keep PII such as the
  // parent's email out of challenge metadata: it is stored locally with the
  // consent record only and is not shared with Provii.
  const challenge = await agegate.createChallenge({
    minAge: 18,
    origin: 'https://socialmedia.com/parental-consent',
    metadata: { childUserId }
  });

  // Parent scans QR code and proves age 18+
  const result = await agegate.waitForVerification(challenge.id);

  if (!result.verified) {
    // No proof, or proof failed: leave the child account disabled, record nothing
    return false;
  }

  // Record parental consent (no parent DOB stored)
  await database.recordParentalConsent({
    childUserId,
    parentEmail,
    consentDate: new Date(),
    verificationId: challenge.id, // Reference to proof (no PII)
    parentAgeVerified: true // Boolean, not actual age
  });

  // Enable child account
  await enableChildAccount(childUserId);
  return true;
}

Privacy Benefits:

  • Parent age verified without collecting parent’s DOB
  • Dual-factor verification (age proof + email control) meets COPPA requirements
  • No government ID or credit card required for parent verification
  • Reduced PII exposure for parents

Evidence:

  • Age verification flow: /trust/compliance/evidence/age-verification/flow-evidence.md
  • Verifier integration guide: /trust/guides/for-verifiers.mdx

Use Case 3: Educational Technology Platform

Scenario: EdTech platform provides learning tools for K-12 students, including children under 13. Platform needs COPPA-compliant consent from schools and parents.

Challenge:

  • Schools act as parents under COPPA (can provide consent on behalf of parents)
  • Platform must verify that authorised school officials are providing consent
  • Platform must still allow parents to access and delete their child’s data

Provii Solution:

  1. School Administrator Verification:
     • School IT administrator creates district account
     • Administrator proves they are 18+ via Provii (adult verification)
     • School domain verified (e.g., @schooldistrict.edu email)
  2. Student Account Creation:
     • School uploads student roster (names, emails, student IDs)
     • No student DOB collected (not needed for learning platform)
     • Provii not used for student verification (school acts as parent)
  3. Parental Override Option:
     • Parent can claim their child’s account
     • Parent proves age 18+ via Provii
     • Parent gains access to child’s data and settings
  4. COPPA Compliance Result:
     • School consent: School official age-verified (18+) → Can consent on behalf of parents
     • Parental access: Parent age-verified (18+) → Can override school settings
     • No collection of student or parent DOB for verification purposes

Implementation Benefits:

  • School officials verified as adults without credential checks
  • Parents verified as adults without government ID
  • Platform can focus on educational data governance, not age verification PII

Note: This use case demonstrates Provii’s flexibility for institutional settings where “parental consent” is delegated to schools under COPPA’s exception for educational institutions.

Evidence:

  • FERPA and educational context: Not directly covered, but Provii’s zero-PII architecture aligns with educational privacy principles
  • Adult verification: Same cryptographic proof system as other use cases (threshold: 18+)

Use Case 4: E-Commerce (Age-Restricted Products)

Scenario: Online retailer sells age-restricted products (alcohol, tobacco, certain games) that require age verification at checkout.

Challenge:

  • Must verify purchaser is 18+ or 21+ depending on product and jurisdiction
  • Traditional methods collect DOB and store in customer profile
  • If customer is under 18, their DOB becomes subject to COPPA-like protections

Provii Solution:

  1. Checkout Age Verification:
  • Customer adds age-restricted product to cart
  • At checkout, system prompts: “Prove you are 21+ to purchase”
  • Customer scans QR code with Provii Wallet
  2. Zero knowledge Age Check:
  • Wallet generates proof: “I am 21 years or older”
  • Proof verified by e-commerce platform
  • No DOB stored in customer profile
  3. Purchase Completion:
  • If verified: Order processed
  • If failed: Age-restricted items removed from cart
  • Verification result cached in session for future purchases (a boolean bound to the authenticated session, not a long-lived cookie; no PII)
  4. Privacy Benefit:
  • No DOB in customer database → No risk of collecting minor’s PII
  • Simplified compliance with age-verification laws (state, federal)
  • No data breach risk for age-related PII

Note: While COPPA applies only to children under 13, Provii’s zero-PII approach provides privacy benefits for all age groups, including minors aged 13–17 who may have additional protections under state law (e.g., CCPA’s opt-in requirement before selling or sharing the personal information of consumers under 16) and, outside the US, under GDPR.

Evidence:

  • E-commerce integration patterns: /trust/guides/for-verifiers.mdx (Lines 172-200)
  • Age threshold configuration: Supports any age (13+, 18+, 21+, etc.)

Privacy-Enhancing Benefits

Traditional COPPA Compliance vs. With Provii

Traditional Approach (High Friction, High Risk)

Data Collection:

Child Registration:
├─ Collect: Full name, email, date of birth
├─ Store: All PII in database
├─ Risk: Data breach exposes children's PII
└─ Compliance: Must secure, provide access, allow deletion

Parental Consent:
├─ Collect: Parent's name, email, DOB or credit card
├─ Store: Parent PII linked to child account
├─ Risk: Data breach exposes parent and child PII
└─ Compliance: Must secure both parent and child data

Compliance Obligations:

  • Maintain privacy policy describing all PII practices
  • Implement parental access portal (show parent all child’s data)
  • Implement deletion workflow (delete on parent request)
  • Secure storage and encryption for all PII
  • Data breach notification if child or parent PII exposed
  • Staff training on COPPA requirements
  • Annual COPPA compliance audits

Costs:

  • Development: Parental consent UI, access portal, deletion workflow
  • Infrastructure: Encrypted storage, access controls, audit logs
  • Legal: Privacy counsel review, COPPA training, breach response planning
  • Risk: FTC civil penalties (up to $50,120 per violation, the 2023 figure; the cap is adjusted annually for inflation), reputational damage from breaches

With Provii (Low Friction, Low Risk)

Data Collection:

Age-Gating (Prevent Under-13 Access):
├─ Collect: Zero-knowledge proof (not PII)
├─ Store: Verification timestamp (no PII)
├─ Risk: Data breach reveals no children's PII
└─ Compliance: Simplified (no children's PII collected)

Parental Age Verification:
├─ Collect: Zero-knowledge proof that parent is 18+
├─ Store: Consent timestamp + proof reference (no parent DOB)
├─ Risk: Breach reveals no parent DOB or identity
└─ Compliance: Reduced PII governance burden

Compliance Obligations:

  • Privacy policy can state: “We do not collect children’s PII” (if age-gating)
  • No parental access portal needed for age verification data (no PII to access)
  • No deletion workflow for DOB (transmitted once during issuance for Pedersen commitment computation, processed ephemerally and immediately discarded; not stored or retained)
  • Minimal data security obligations (no PII to secure)
  • No data breach notification for age verification (no PII exposed)
  • Simplified COPPA training (focus on service’s data, not age verification)

Costs:

  • Development: Integrate Provii SDK (5 minutes to 2 hours depending on complexity)
  • Infrastructure: API calls to Provii (minimal cost, no database for age PII)
  • Legal: Reduced privacy counsel time (simplified privacy policy)
  • Risk: Virtually zero COPPA risk for age verification component

Privacy Benefits Summary Table

| Aspect | Traditional COPPA Compliance | With Provii | Benefit |
|---|---|---|---|
| Child DOB Collection | Required for age verification | Not required (zero knowledge proof) | No DOB in database |
| Parent DOB Collection | Required for consent verification | Not required (prove 18+ only) | No parent DOB stored |
| PII Database | Names, DOB, emails, addresses | No age-related PII | Reduced attack surface |
| Data Breach Risk | High (children’s PII exposed) | Minimal (no age PII to breach) | Lower regulatory risk |
| Access Rights | Must provide parent access to child’s PII | No age PII to access | Lower operational cost |
| Deletion Rights | Must delete child’s PII on request | No age PII to delete | Automatic compliance for age data |
| Parental Consent Method | Credit card, ID upload, video call | Age proof + email (dual factor) | Better user experience |
| User Friction | High (complex consent forms) | Low (scan QR code) | Higher conversion rates |
| Compliance Complexity | High (8 COPPA requirements) | Simplified (age verification component) | Reduced legal costs |
| FTC Penalty Risk | Up to $50,120 per violation (2023 figure, adjusted annually) | Minimal (no PII violations) | Lower financial risk |

Benefits for Services Using Provii

For Services Using Provii:

  1. Faster Time to Market: No need to build complex parental consent infrastructure
  2. Lower Development Costs: Integrate Provii SDK vs. building consent portals and access workflows
  3. Reduced Legal Costs: Simplified privacy policy, fewer COPPA obligations to manage
  4. Better User Experience: QR code scan vs. credit card entry or ID upload
  5. Higher Conversion Rates: Less friction in registration/consent flows
  6. Lower Security Costs: No children’s PII to encrypt, access-control, and monitor
  7. Reduced Breach Risk: A data breach is not expected to expose children’s DOB (transmitted once during issuance for Pedersen commitment computation, processed ephemerally and immediately discarded; never stored)
  8. Simplified Audits: Fewer PII data flows to audit and document
  9. Future-Proof: Zero knowledge architecture aligns with emerging privacy regulations (GDPR, CCPA, VCDPA)

For Parents:

  1. Privacy Protection: Parent’s DOB not revealed to every service their child uses
  2. Convenience: Reusable credential (prove age once, use many times)
  3. Security: No need to provide credit card or government ID to multiple services
  4. Control: Parent controls credential in wallet, can revoke if needed

For Children (13+ using age-gated services):

  1. Privacy: DOB not stored in dozens of service databases
  2. Safety: Reduced PII exposure minimises identity theft risk
  3. Simplicity: Prove age without creating accounts or remembering DOBs

Integration Guide for Developers

For Age-Gating (13+ Verification)

Objective: Verify user is 13 or older to prevent under-13 access (avoiding COPPA obligations).

Integration Steps:

  1. Add the script tag (provii-agegate ships via CDN only; there is no npm package). The integrity attribute pins the exact script build, so update it together with the version path:

    <script src="https://cdn.provii.app/sdk/provii-agegate/v0.1.1/agegate.browser.js"
            integrity="sha384-m36QUlTqbIeTJy8CpsTEBJS1b3aLlKIJ4WUfcyUQyaM7c5sTUsy4+CHq5Idh2Qor"
            crossorigin="anonymous"
            data-public-key="pk_live_..."
            data-environment="production">
    </script>

    The age threshold (13+) and proof direction are configured server-side on the Relying Party’s policy. provii-agegate handles PKCE, QR codes, deep links, short codes, polling, and session management automatically in autoload mode.

  2. Update Privacy Policy:

    ## Age Verification
    
    We use Provii's privacy-preserving age verification to confirm that users
    are 13 years or older. This verification process uses zero knowledge cryptography
    to prove age without collecting, transmitting, or storing your date of birth.
    Only a cryptographic proof that you meet the age requirement is validated.
    
    We do not knowingly collect personal information from children under 13. If you
    believe a child under 13 has created an account, please contact us immediately.

Evidence:

  • JavaScript SDK documentation: /trust/core/provii-agegate.mdx (not fully shown but referenced)
  • Integration guide: /trust/guides/for-verifiers.mdx

For Parental Consent (18+ Verification)

Objective: Verify parent is 18 or older to provide consent for child under 13.

Integration Steps:

  1. Detect Under-13 Registration:

    // User indicates they are under 13 (age screen)
    if (userClaimsUnder13) {
      requestParentalConsent(userId, parentEmail);
    }
  2. Create Parental Consent Challenge:

    // App-provided helpers assumed throughout: database, sendEmail,
    // generateSecureToken, sha256, displayQRCode, enableChildAccount
    const crypto = require('crypto');

    async function requestParentalConsent(childUserId, parentEmail) {
      // Opaque request id: this is what goes into challenge metadata (sent to
      // Provii), never the parent's email or other PII
      const consentRequestId = crypto.randomUUID();

      // Create adult age verification challenge (18+)
      const challenge = await agegate.createChallenge({
        minAge: 18,
        origin: 'https://yoursite.com/parental-consent',
        metadata: { consentRequestId, purpose: 'parental_consent' }
      });

      // Store challenge (id + QR payload) and parent email server-side for the consent page
      await database.storeConsentChallenge(consentRequestId, {
        childUserId,
        parentEmail,
        challengeId: challenge.id,
        qrCodeData: challenge.qrCodeData
      });

      // Send notification email to parent
      await sendEmail(parentEmail, {
        subject: "Parental Consent Required",
        body: `Your child has requested to create an account. Please verify
               your age to provide consent.`,
        consentLink: `https://yoursite.com/parental-consent/${consentRequestId}`
      });
    }
  3. Consent Page Workflow:

    // Parental consent page
    async function loadConsentPage(consentRequestId) {
      const { childUserId, parentEmail, challengeId, qrCodeData } =
        await database.getConsentChallenge(consentRequestId);

      // Display QR code for parent to scan
      displayQRCode(qrCodeData);

      // Wait for parent age verification (in practice, poll from the page
      // rather than blocking the request handler)
      const result = await agegate.waitForVerification(challengeId);

      if (result.verified) {
        // Parent proved they are 18+; parentEmail is in scope from the stored request
        await recordParentalConsent(childUserId, parentEmail);
        enableChildAccount(childUserId);
      }
    }
  4. Record Consent (No Parent DOB):

    async function recordParentalConsent(childUserId, parentEmail) {
      await database.consentRecords.create({
        childUserId,
        parentEmail,
        consentDate: new Date(),
        parentAgeVerified: true, // Boolean, not actual age
        verificationMethod: 'provii_zk_proof',
        // No parent DOB or full name stored
      });
    }
  5. Dual-Factor Verification (Recommended):

    // Combine age verification with email confirmation (replaces the step-2 version)
    async function requestParentalConsent(childUserId, parentEmail) {
      // Generate email confirmation token; persist only its hash, with an expiry
      const emailToken = generateSecureToken();
      const confirmLink = 'https://yoursite.com/parental-consent/confirm';

      // Create the 18+ challenge; metadata carries an opaque request id, not PII
      const consentRequestId = crypto.randomUUID();
      const challenge = await agegate.createChallenge({
        minAge: 18,
        origin: 'https://yoursite.com/parental-consent',
        metadata: { consentRequestId, purpose: 'parental_consent' }
      });
      await database.storeConsentChallenge(consentRequestId, {
        childUserId,
        parentEmail,
        challengeId: challenge.id,
        emailTokenHash: sha256(emailToken),
        tokenExpiresAt: Date.now() + 24 * 60 * 60 * 1000
      });

      // Send email with both confirmation link and QR code
      await sendEmail(parentEmail, {
        subject: "Parental Consent Required",
        body: `
          Please complete these steps to provide consent:
          1. Click this link to confirm your email: ${confirmLink}/${emailToken}
          2. Scan the QR code to verify you are 18 or older
        `,
        qrCode: challenge.qrCodeData
      });

      // Require both email confirmation AND age verification for the same request.
      // waitForEmailConfirmation resolves when the confirm endpoint receives a
      // token whose hash matches this request's stored hash before expiry.
      const emailConfirmed = await waitForEmailConfirmation(consentRequestId);
      const ageVerified = await agegate.waitForVerification(challenge.id);

      if (emailConfirmed && ageVerified.verified) {
        // Dual-factor verification complete: an adult who controls the email
        // address consented. Neither factor proves that adult is the child's parent.
        await recordParentalConsent(childUserId, parentEmail);
      }
    }

Evidence:

  • Challenge creation: /trust/compliance/evidence/age-verification/flow-evidence.md (Lines 142-194)
  • Verification flow: /trust/compliance/evidence/age-verification/flow-evidence.md (Lines 243-310)

Privacy Policy Guidance

What to Include in Your Privacy Policy:

  1. Age Verification Description:

    ## Age Verification
    
    [Your Service] uses Provii's privacy-preserving age verification technology to
    confirm that users meet minimum age requirements. This verification process:
    
    - Uses zero knowledge cryptography to prove age without revealing your date of birth
    - Does not collect, transmit, or store your actual date of birth
    - Generates a cryptographic proof that you meet the age requirement
    - Protects your privacy by revealing only whether you meet the threshold (yes/no)
  2. COPPA Compliance Statement (If Age-Gating):

    ## Children's Privacy (COPPA Compliance)
    
    [Your Service] is not directed to children under 13 years of age, and we do not
    knowingly collect personal information from children under 13. We use age verification
    technology to prevent users under 13 from accessing our service. This verification
    does not require providing a date of birth or other personal information.
    
    If you believe a child under 13 has created an account on our service, please
    contact us immediately at [privacy email], and we will delete the account.
  3. Parental Consent Statement (If Allowing Under-13):

    ## Parental Consent for Children Under 13
    
    If you are under 13 years old, we require verifiable parental consent before you
    can create an account. Our parental consent process:
    
    - Verifies that the consenting party is an adult (18 or older) using privacy-preserving
      age verification technology
    - Does not require parents to provide their date of birth or government-issued ID
    - Records consent along with email verification for dual-factor authentication
    
    Parents may access, review, and delete their child's information by contacting us
    at [privacy email] or through the account settings page.
  4. Data We DON’T Collect (Transparency):

    ## What We Don't Collect During Age Verification
    
    Our age verification process does NOT collect:
    - Your date of birth
    - Your full name
    - Government-issued ID numbers
    - Biometric data
    - Credit card information (for age verification purposes)
    
    Age verification generates only a cryptographic proof, which contains no personally
    identifiable information.
  5. Third-Party Service Provider (Provii):

    ## Third-Party Service Providers
    
    We use Provii (https://provii.app) for age verification services. During
    credential issuance, your date of birth is transmitted once to Provii's issuance
    server for cryptographic commitment computation. The date of birth is processed
    ephemerally and immediately discarded; it is never stored, logged, or retained.
    During age verification, no date of birth is transmitted; only a zero knowledge
    proof is presented. For more information about Provii's privacy practices, see
    https://docs.provii.app.

Evidence:

  • Privacy policy examples: /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md (Lines 183-217)
  • Transparency requirements: /trust/compliance/requirements/unified-control-matrix.md (Lines 135-161)

Compliance Matrix

COPPA Requirements vs. Provii Implementation

| COPPA Requirement | Traditional Approach | With Provii (Age-Gating) | With Provii (Parental Consent) | Benefit |
|---|---|---|---|---|
| Privacy Policy (§312.4) | Must describe child PII collection practices | Simplified: “We verify age without collecting DOB” | Simplified: “Parental age verified without collecting parent DOB” | Easier to write and maintain |
| Direct Notice (§312.4(b)) | Email to parents with detailed PII notice | Age gate prevents under-13 access → No notice needed | Direct notice still required before consent; no DOB collection to describe | Reduced legal complexity |
| Parental Consent (§312.5) | Credit card, ID upload, video call | Not applicable (no under-13 users) | Age proof (18+) + email confirmation (see caveat below) | Better UX, no payment/ID required |
| Parental Choice (§312.5(a)(2)) | Allow consent for collection but not disclosure | Not applicable | Standard account settings (service-level) | No age-specific data choice needed |
| Parental Access (§312.6(a)(1), (a)(3)) | Portal showing all child’s PII | Not applicable | Portal for account data (no age PII to show) | Simplified access implementation |
| Parental Deletion (§312.6(a)(2)) | Delete child’s PII on request | Not applicable | Delete account data (no age PII to delete) | Automatic compliance for age data |
| Conditional Collection (§312.7) | Collect only necessary PII | Binary age check (no DOB stored) | Binary parental age check (no DOB) | Minimal data collection |
| Confidentiality (§312.8) | Encrypt child PII, access controls | No child PII to secure | No parent age PII to secure | Reduced security burden |
| Retention (§312.10) | Retain only as long as necessary | Provii-side challenge state: 5 minutes (KV TTL expiration); service keeps only a verification timestamp | Provii-side challenge state: 5 minutes (KV TTL expiration); service keeps the consent record | Auto-deletion via TTL |

Caveat on §312.5: the consent methods the FTC currently recognises are those enumerated in §312.5(b)(2); “email plus” (§312.5(b)(2)(vi)) is available only to operators that do not disclose children’s personal information to third parties, and a new method needs FTC approval under §312.12(a) or adoption by an approved Safe Harbor program. An 18+ proof establishes that an adult holds the credential, not that the adult is the child’s parent. Until approval is obtained, treat age proof + email as supplementing, not replacing, a recognised method.

Safe Harbor Criteria Assessment

FTC Safe Harbor Approval Criteria (16 CFR § 312.11):

  1. Equivalent or Greater Protection: Safe Harbor guidelines must provide COPPA protections or greater
  2. Effective Incentives: Mechanisms to ensure member compliance
  3. Independent Assessment: Regular audits and monitoring
  4. Accountability: Disciplinary action for non-compliance

Provii’s Readiness Assessment:

| Criterion | Provii’s Status | Notes |
|---|---|---|
| Equivalent Protection | Exceeds COPPA | Zero-PII architecture provides stronger privacy than policy-based compliance |
| Incentives for Compliance | ⚠️ N/A | Provii is a technology provider, not a Safe Harbor program operator |
| Independent Assessment | 🔄 In Progress | ISMS aligned to ISO 27001:2022; certification being pursued when commercially justified; SOC 2 may be pursued post-revenue |
| Accountability Mechanisms | ⚠️ N/A | Provii has no “members” to discipline; accountability via contracts with clients |

Conclusion: Provii is not positioned to be a Safe Harbor program itself but rather a privacy-enhancing technology that enables COPPA compliance for services that use it. Provii could potentially:

  1. Join an existing Safe Harbor program as a technology provider (e.g., kidSAFE, PRIVO)
  2. Be recognised as a COPPA-compliant verification method by existing Safe Harbor programs
  3. Provide technology infrastructure for services participating in Safe Harbor programs

Recommendation: Pursue partnerships with existing COPPA Safe Harbor programs (kidSAFE, PRIVO, TRUSTe) to have Provii’s zero knowledge age verification recognised as a compliant consent mechanism.


Technical Implementation

How Zero knowledge Age Verification Works

1. Credential Issuance (One-Time Setup):

User Device (Wallet):
├─ User enters date of birth (DOB)
├─ Wallet generates randomness bits (r_bits)
├─ Wallet sends DOB + r_bits to Issuer API

Issuer (Trusted Identity Provider):
├─ Receives DOB transiently for Pedersen commitment computation
├─ Computes commitment, immediately discards DOB (never stored or logged)
├─ Signs commitment with RedJubjub signature
├─ Returns signed credential to wallet

User Device (Wallet):
├─ Receives signed credential
├─ Stores credential locally (encrypted)
└─ Result: Reusable age credential that supports proofs about the DOB (e.g., “at least 13 years old”) without revealing it

Privacy Properties:

  • DOB is transmitted once during issuance for Pedersen commitment computation, then immediately discarded; never stored or logged
  • After issuance, DOB is never transmitted again
  • Credential stored locally under user control

Evidence:

  • Issuance flow: /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md (Lines 488-528)
  • Cryptographic implementation: /trust/core/provii-crypto.mdx (Lines 82-150)

2. Age Verification (Each Time User Needs to Prove Age):

Service (Relying Party):
├─ Creates challenge: "Prove you are 13+ for https://mysite.com"
├─ Generates random nonce (replay protection)
└─ Displays QR code or deep link

User Device (Wallet):
├─ Scans QR code
├─ Reads challenge: threshold=13 years, origin=https://mysite.com
├─ Generates zero knowledge proof using Groth16 zkSNARK:
│   ├─ Private inputs: DOB, credential, signature, randomness
│   ├─ Public inputs: threshold (4748 days for 13 years), origin hash, issuer key, nullifier
│   └─ Proof: "I have a valid credential AND my DOB ≤ cutoff_days"
├─ Submits proof to Provii Verifier API

Provii Verifier API:
├─ Receives zero knowledge proof
├─ Verifies cryptographic proof (fixed cost, ~10ms, independent of the statement's complexity)
├─ Checks nullifier not previously used (replay protection)
├─ Returns: "VERIFIED" or "FAILED"

Service (Relying Party):
├─ Polls challenge status
├─ Receives: "User is 13+" (binary result, no DOB)
└─ Grants access

What the Service Learns:

  • User met the age threshold (yes/no)
  • Timestamp of verification
  • Does NOT learn: actual date of birth, exact age, or identity

Privacy Properties:

  • Zero knowledge: Proof reveals ONLY that threshold is met
  • Unlinkability: Random challenge IDs prevent cross-site tracking
  • Replay protection: Nullifiers prevent credential reuse
  • Origin binding: Proof cryptographically tied to requesting site

Evidence:

  • Verification flow: /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md (Lines 530-584)
  • Proof generation: /trust/compliance/evidence/age-verification/flow-evidence.md (Lines 196-241)
  • Proof verification: /trust/compliance/evidence/age-verification/flow-evidence.md (Lines 243-310)

Cryptographic Primitives

Groth16 zkSNARK (Zero knowledge Succinct Non-Interactive Argument of Knowledge):

  • Curve: BLS12-381 (pairing-friendly; targets ~128-bit security)
  • Proof size: 192 bytes (two G1 and one G2 element, compressed; constant regardless of circuit complexity)
  • Verification time: ~10ms (a fixed number of pairings; cost does not grow with circuit size)
  • Properties: Zero knowledge, succinct, sound, non-interactive; requires a circuit-specific trusted setup

Pedersen Commitments:

  • Curve: Jubjub (embedded in BLS12-381)
  • Commitment size: 32 bytes
  • Properties: Hiding (reveals nothing about DOB), binding (cannot change DOB after commitment)

RedJubjub Signatures:

  • Signature size: 64 bytes
  • Properties: Unforgeable, verifiable in zero knowledge circuit

Nullifiers:

  • Derivation: Pedersen hash of commitment
  • Size: 32 bytes
  • Properties: One-way (cannot reverse to DOB), deterministic (same credential = same nullifier)
  • Caveat: a nullifier derived from the commitment alone is a stable per-credential value, which would make every verification by the same wallet linkable across sites and would also block legitimate reuse of the credential, contradicting the unlinkability and reusability properties claimed elsewhere in this document. The derivation should incorporate the per-challenge nonce or origin; confirm against the nullifier handling evidence cited below.

Evidence:

  • Cryptographic architecture: /trust/core/provii-crypto.mdx (Lines 78-150)
  • Age proof circuit: /trust/core/provii-crypto.mdx (Lines 82-104)

Security Guarantees

1. Privacy:

  • DOB transmitted once during issuance for cryptographic commitment computation, then immediately discarded; never stored or logged, and not transmitted during verification
  • Zero knowledge proofs reveal only the age threshold result
  • No age-related PII is collected by Provii servers or by the service using Provii (data the service collects for its own purposes, such as a parent’s email in a consent record, remains the service’s responsibility)

2. Soundness:

  • Computationally infeasible to generate a valid proof for a false statement (e.g., a 12-year-old cannot produce a valid “13+” proof) under the scheme’s security assumptions; for Groth16 these include a circuit-specific trusted setup whose secret parameters must have been destroyed after the ceremony
  • Cryptographic security: ~128-bit target (BLS12-381 curve)

3. Replay Protection:

  • Nullifiers prevent credential reuse across verifications
  • Challenge nonces prevent replay attacks
  • Nonce store with 5-minute TTL

4. Origin Binding:

  • Proof cryptographically bound to relying party challenge
  • Cannot reuse proof generated for one site on another site

5. Unforgeability:

  • Only credentials signed by trusted issuers accepted
  • Issuer verification key checked in zero knowledge circuit
  • RedJubjub signatures prevent credential forgery

Evidence:

  • Security analysis: /trust/compliance/evidence/security-controls/api-security-evidence.md
  • Nullifier handling: /trust/compliance/evidence/age-verification/flow-evidence.md (Lines 313-387)
  • Challenge generation: /trust/compliance/evidence/age-verification/flow-evidence.md (Lines 142-194)

Recommendations

For Maelstrom AI (Product and Compliance Enhancements)

Priority 1: COPPA-Specific Documentation

  1. Create COPPA Compliance Kit for Clients:
  • Sample privacy policy language for age-gating
  • Sample parental consent flow implementation
  • COPPA compliance checklist using Provii
  • FAQ: “How does Provii help with COPPA compliance?”
  • Effort: Medium (2-3 days)
  • Timeline: Planned H1 2026
  2. Develop Parental Consent Reference Implementation:
  • Open-source example: Next.js app with parental consent flow
  • Demonstrates dual-factor verification (age proof + email)
  • Includes consent recording and parental access portal
  • Effort: High (1-2 weeks)
  • Timeline: Planned H1 2026
  3. Create Age-Appropriate Privacy Notices:
  • Privacy notice for children (simple language)
  • Privacy notice for parents (detailed explanation)
  • Embed in wallet app and documentation
  • Effort: Low (1-2 days)
  • Timeline: Planned H1 2026

Priority 2: Safe Harbor Program Partnerships

  1. Pursue kidSAFE or PRIVO Partnership:
  • Contact kidSAFE Seal Program and PRIVO
  • Explore having Provii recognised as compliant verification method
  • Potentially join as technology provider member
  • Effort: Medium (business development)
  • Timeline: Planned H2 2026
  2. Obtain Independent Security Audit:
  • SOC 2 audit (may pursue post-revenue)
  • ISO 27001 certification (ISMS aligned; certification being pursued when commercially justified)
  • Publish audit results (transparency)
  • Effort: High (external audit)
  • Timeline: Planned H2 2026

Priority 3: Product Enhancements

  1. Implement Consent Metadata in Challenges:
  • Allow relying parties to include consent language in challenge
  • Wallet displays consent terms to user before proof generation
  • Proof includes consent acceptance in metadata
  • Effort: Medium (1 week)
  • Timeline: Planned H2 2026
  2. Add Parental Dashboard Integration:
  • API endpoints for parental access to child’s verification history
  • Parent can see when and where child’s age was verified
  • Parent can revoke consent (disable credential for specific relying party)
  • Effort: High (2-3 weeks)
  • Timeline: Planned H2 2026
  3. Develop COPPA Compliance Monitoring Dashboard:
  • For services using Provii: track age-gating effectiveness
  • Alert if under-13 verification attempts detected
  • Analytics: consent rates, verification success rates
  • Effort: Medium (1-2 weeks)
  • Timeline: Planned 2027

For Clients Using Provii

Priority 1: Immediate Actions

  1. Update Privacy Policy:
  • Add section describing Provii age verification
  • Clarify what PII is NOT collected (date of birth)
  • State COPPA compliance approach (age-gating or parental consent)
  • Effort: Low (1-2 hours)
  2. Implement Age-Gating:
  • If service is not directed to children under 13, use Provii for 13+ verification
  • Prevent under-13 registration → Avoid COPPA obligations entirely
  • Effort: Low (integrate SDK, see Integration Guide above)
  3. Design Parental Consent Flow (If Allowing Under-13):
  • Dual-factor verification: Provii age proof (18+) + email confirmation
  • Record consent with timestamp and email
  • Provide parental access and deletion mechanisms
  • Effort: Medium (2-5 days depending on complexity)

Priority 2: Best Practices

  1. Combine Age Verification with Email Confirmation:
  • Age proof alone proves the consenting person is 18+, not that they control the stated email address or that they are the child’s parent
  • Email confirmation proves control of the email address the child supplied
  • Dual-factor provides stronger consent verification; it still does not establish the parent-child relationship, so treat it as supplementing a §312.5(b)(2) method unless FTC or Safe Harbor approval has been obtained
  • Effort: Low (add email verification to existing flow)
  2. Implement Parental Access Portal:
  • Allow parents to view child’s account data
  • Allow parents to delete child’s account
  • Link parent access to email verified during consent
  • Effort: Medium (depends on existing account infrastructure)
  3. Periodic Re-Verification (Optional):
  • Re-verify periodically (e.g., annually)
  • A child registered under parental consent can later present a 13+ proof to “graduate” to a full account; the service never needs the DOB to know when that becomes possible
  • Effort: Low (automate verification reminders)

Priority 3: Legal Review

  1. Consult Privacy Counsel:
  • Review COPPA compliance strategy with legal team
  • Ensure privacy policy accurately describes practices
  • Document COPPA compliance decisions
  • Effort: Varies (external legal review)
  2. Consider Safe Harbor Program Membership:
  • If service is directed to children under 13, join kidSAFE, PRIVO, or TRUSTe
  • Safe Harbor provides FTC-recognised compliance framework
  • Provii’s age verification can be part of Safe Harbor compliance
  • Effort: Medium (application process, annual fees)

Conclusion

Provii’s Role in COPPA Compliance

Provii provides a privacy-enhancing technology that is designed to change how services approach COPPA compliance. By reducing the need to collect children’s personally identifiable information for age verification, Provii is designed to enable:

For Age-Gating (Preventing Under-13 Access):

  • Verify users are 13+ without collecting date of birth
  • No children’s PII in database, so COPPA obligations are minimised
  • Simplified privacy policy and data governance

For Parental Consent (Allowing Under-13 Access):

  • Verify parents are 18+ without collecting parent’s date of birth
  • Dual-factor verification (age proof + email) is designed to support the consent requirement; whether it qualifies as verifiable parental consent under §312.5(b) depends on FTC approval (§312.12(a)) or Safe Harbor recognition, which the Recommendations above address
  • Reduced PII exposure for both children and parents

Key Advantages Over Traditional COPPA Compliance

  1. Privacy by Design: Zero knowledge architecture is designed to make collecting PII structurally infeasible, not just prohibited by policy
  2. Reduced Risk: No PII database to breach, minimal FTC penalty exposure
  3. Better User Experience: QR code scan vs. credit card entry or ID upload
  4. Lower Costs: Reduced development, infrastructure, legal, and audit costs
  5. Future-Proof: Aligns with global privacy trends (GDPR, CCPA, emerging regulations)

Provii as COPPA Compliance Enabler

Provii is not:

  • A COPPA Safe Harbor program operator
  • Subject to COPPA itself (does not collect children’s PII)
  • A complete COPPA compliance solution (clients must still manage other PII they collect)

Provii is:

  • A privacy-enhancing technology for age verification
  • A way to reduce PII collection for age and parental consent verification
  • A simplified compliance path for services using it
  • A cryptographically grounded privacy solution (structural rather than purely policy-based)

Readiness Assessment

| Capability | Status | Notes |
|---|---|---|
| Zero knowledge Age Verification | 🔄 Pre-Launch | Groth16 zkSNARK on BLS12-381, no production traffic yet |
| Adult Verification (18+) | 🔄 Pre-Launch | Same cryptographic system, different threshold; no production traffic yet |
| Privacy-Preserving Architecture | ✅ Documented | Zero-PII collection, published ISMS, open source code |
| Security Controls | ✅ Implemented | TLS, HMAC auth, rate limiting, replay protection |
| COPPA Compliance Documentation | 🔄 This Document | First COPPA analysis |
| Client Integration Guides | ✅ Available | JavaScript SDK, REST API, Rust SDK |
| SOC 2 Audit | 🔄 Deferred | Post-revenue growth phase |
| ISO 27001 Certification | 🔄 Pursuing | ISMS aligned to ISO/IEC 27001:2022; certification being pursued when commercially justified |
| Safe Harbor Program Partnership | ⚠️ Not Initiated | Recommended for H2 2026 |

Final Recommendation

Provii is designed to enable COPPA compliance for clients through (noting the product is currently pre-launch with no production traffic):

  1. Age-gating to prevent under-13 access (eliminating COPPA obligations)
  2. Parental age verification for services allowing under-13 users (simplifying consent)

Next Steps:

  1. For Maelstrom AI:
  • Publish this COPPA compliance documentation
  • Create client COPPA compliance kit (sample code, privacy policy language)
  • Pursue kidSAFE or PRIVO partnership
  • Develop parental consent reference implementation
  2. For Clients:
  • Review this document and assess COPPA compliance approach
  • Integrate Provii for age-gating or parental age verification
  • Update privacy policies to describe zero knowledge age verification
  • Consult privacy counsel for full COPPA compliance strategy
  3. For the Industry:
  • Demonstrate that zero knowledge age verification is viable for COPPA compliance
  • Set new standard for privacy-preserving parental consent
  • Reduce children’s PII exposure across the internet

Provii’s zero knowledge architecture represents an approach shift in COPPA compliance: from managing children’s PII to reducing or avoiding its collection for age verification purposes.


Document Information

  • Version: 1.1
  • Date: 2026-02-13
  • Last Updated: 2026-02-13
  • Owner: Privacy Officer
  • Classification: Public
  • Next Review: 2026-11-21

Evidence Base

This document is grounded in extensive evidence from:

  • 17+ existing compliance and evidence documents
  • 6 backend service implementations
  • Open-source cryptographic libraries (provii-crypto)
  • Published ISMS policies and procedures
  • COPPA regulations (16 CFR Part 312)

References

Primary Sources:

  • 16 CFR Part 312 - Children’s Online Privacy Protection Rule
  • FTC COPPA Safe Harbor guidance
  • /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md
  • /trust/compliance/evidence/privacy-controls/data-lifecycle-evidence.md
  • /trust/compliance/evidence/age-verification/flow-evidence.md

Supporting Documentation:

  • /trust/compliance/requirements/unified-control-matrix.md
  • /trust/compliance/evidence/security-controls/api-security-evidence.md
  • /trust/core/provii-crypto.mdx
  • /trust/guides/for-verifiers.mdx

For questions or feedback: Contact the Privacy Officer at privacy@maelstrom.au


END OF DOCUMENT