◆ Back to Dashboard
AESOP AI Academy · Internal Review · v1.5

COPPA Safety Remediation Plan

⚠ Auto Non-Compliant — D1 Override Triggered

Platform lacks fundamental COPPA requirements: age verification, parental consent mechanisms, and privacy notices for children under 13. D1 scored below the 8/20 override threshold. Firebase Analytics running without confirmed COPPA mode. No parent dashboard, no plain-language disclosure, no AI disclosure present.

28
/ 100
Dimension Scores — April 8, 2026 Baseline
D1
COPPA Core
2
/ 20
OVERRIDE
D2
Content Safety
8
/ 20
D3
Data Security
9
/ 20
D4
Transparency
3
/ 20
D5
Proactive Safety
6
/ 20
Remediation Items — Priority Ordered
P1 — CRITICAL

Age Gate & Parental Consent Mechanism

📐 D1 COPPA Core⏱ 4–8 hrs⚡ Removes D1 Override
Problem

No age screening at platform entry. Users under 13 can register without parental consent, directly violating COPPA §312.5.

Solution

Two-path entry gate on registration:

  • 13+: Standard registration with DOB confirmation.
  • Under 13: Collect parent/guardian email. Send verifiable parental consent (VPC) email via PHPMailer. Gate access until consent link is clicked.
  • Store consent record in Firestore with timestamp, parent email, child UID.
Implementation Steps
  • Add DOB field to Firebase Auth registration flow
  • Build consent-gate.html — parent email collection + consent email trigger
  • Build consent-confirm.php — writes Firestore record and redirects
  • Add Firestore rule: modules beyond Module 0 require consentVerified: true
Expected Score Impact
D1: +10–14 pts (override cleared)D5: +2–3 pts
P1 — CRITICAL

Privacy Notice for Children (COPPA-Compliant)

📐 D1 + D4⏱ 2–3 hrs⚡ Addresses D1 + D4 simultaneously
Problem

No privacy notice exists. COPPA §312.4 requires a clear, prominent notice before collecting any personal information from children. D4 scored 3/20 primarily due to this absence.

Solution

Plain-language privacy notice covering: what data is collected, how it is used, who it is shared with, parental rights (access, deletion, withdrawal of consent), contact: scott@aesopacademy.org

Implementation Steps
  • Build privacy.html — deploy to aesopacademy.org root
  • Link in footer of every page and in the consent gate email
  • Add inline "What we collect" summary to the registration modal
Expected Score Impact
D1: +3–4 ptsD4: +6–8 pts
P2 — HIGH

Firebase Analytics — Enable COPPA Mode

📐 D3 Data Security⏱ 1–2 hrs⚡ Firebase Console change
Problem

Firebase Analytics active without COPPA mode. By default it collects device identifiers and advertising IDs — non-compliant for platforms serving children under 13.

Solution

Enable child-directed treatment in Firebase Console (single toggle, no code change required).

Steps
Firebase Console → Analytics → Settings → Data Privacy → Enable "Child-directed treatment"
  • Verify in Firebase DebugView that advertising_id is null after enabling
  • Add note to privacy.html: "We use Firebase Analytics in child-directed mode."
Expected Score Impact
D3: +3–4 ptsD5: +1–2 pts
P2 — HIGH

AI Disclosure — Inform Users Content is AI-Generated

📐 D4 Transparency⏱ 1 hr⚡ UI/copy change only
Problem

No disclosure that LIBREX/AESOP story content, quiz items, and lab prompts are AI-generated. Emerging state laws (KOSA, CA AB 2355) and FTC guidance increasingly require AI disclosure in child-directed platforms.

Sample Copy (Module 0)
LIBREX is an AI-powered learning guide. The stories, questions, and examples in this course are created with AI to make learning more engaging. LIBREX doesn't remember you between sessions and doesn't store your conversations.
Expected Score Impact
D4: +4–5 pts
P3 — MEDIUM

Parent Dashboard — Data Access & Deletion Portal

📐 D1 + D4⏱ 4–6 hrs⚡ New page + Firebase Admin
Problem

COPPA §312.6 requires operators to give parents the ability to review, correct, and delete their child's personal information. No mechanism exists currently.

Minimum Viable Scope
  • Build parent-portal.html — parent email input → lookup consent record → show child display name + progress summary
  • "Delete my child's account" button → Firebase Admin SDK (PHP) deletes Auth user + Firestore records
  • Send confirmation email to parent on deletion
  • Link in privacy.html: "Parents: click here to access or delete your child's data"
Expected Score Impact
D1: +2–3 ptsD4: +3–4 pts
P3 — MEDIUM

Third-Party Integration Scope Audit (fal.ai + Firebase)

📐 D3 Data Security⏱ 2–3 hrs⚡ Documentation + config review
Problem

Two third-party data processors active: fal.ai (video generation — prompt data transmitted) and Firebase (auth, Firestore, Analytics). Data retention policies and COPPA agreements unconfirmed.

Solution
  • Firebase: Google is a COPPA Safe Harbor participant. Confirm Firebase Data Processing Terms accepted in GCP Console. Enable COPPA mode (see P2-A).
  • fal.ai: Review terms for data retention on prompt inputs. Strip PII from prompts before transmission if needed.
  • Document both in privacy.html under "Third-Party Services"
Expected Score Impact
D3: +3–4 pts
P4 — STANDARD

Data Retention Policy — Define & Publish

📐 D3 + D5⏱ 1 hr⚡ Policy doc + privacy.html section
Problem

No data retention policy defined. COPPA requires personal information collected from children be retained only as long as reasonably necessary, then deleted.

Retention Schedule
  • Account data: Active + 90 days after deletion request
  • Progress/quiz data: Deleted with account
  • Analytics data: 14 months (Firebase default); reduce to 2 months
  • Consent records: 3 years per FTC guidance

Add a "Data Retention" section to privacy.html. No system changes required.

Expected Score Impact
D3: +2 ptsD5: +1–2 pts
Implementation Sequencing
Phase 1 · Week 1 · Est. 6–11 hrs
Clear the Override (D1 + D4)
Age gate + parental consent · Privacy notice · AI disclosure in Module 0. Projects D1 override cleared, D4 from 3 to ~15.
Phase 2 · Week 1–2 · Est. 2–4 hrs
Firebase COPPA Mode + AI Disclosure
Enable child-directed treatment in Firebase Console · Add AI disclosure to Module 0 and privacy.html. Low effort, high compliance signal.
Phase 3 · Week 2–3 · Est. 6–9 hrs
Parent Portal + Third-Party Audit
Minimal parent data access/deletion portal · fal.ai + Firebase data processing review · Document in privacy.html.
Phase 4 · Week 3 · Est. 1 hr
Retention Policy + Re-Review
Publish data retention schedule in privacy.html · Re-run AESOP-Safety-AutoReview · Update dashboard with new R1 scores.
Projected Score After Full Remediation
DimensionCurrentProjectedDeltaPrimary Driver
D1 · COPPA Core2 / 2015–17 / 20+13–15Age gate + consent + privacy notice
D2 · Content Safety8 / 2011–13 / 20+3–5AI disclosure + distress pathway
D3 · Data Security9 / 2015–17 / 20+6–8Firebase COPPA mode + audit + retention
D4 · Transparency3 / 2014–16 / 20+11–13Privacy notice + AI disclosure + parent portal
D5 · Proactive Safety6 / 2011–13 / 20+5–7Consent system + COPPA mode + retention
TOTAL28 / 10066–76 / 100+38–48Conditional → Pass range