No age screening at platform entry. Users under 13 can register without parental consent, directly violating COPPA §312.5.
Two-path entry gate on registration:
consent-gate.html — parent email collection + consent email triggerconsent-confirm.php — writes Firestore record and redirectsconsentVerified: trueNo privacy notice exists. COPPA §312.4 requires a clear, prominent notice before collecting any personal information from children. D4 scored 3/20 primarily due to this absence.
Plain-language privacy notice covering: what data is collected, how it is used, who it is shared with, parental rights (access, deletion, withdrawal of consent), contact: scott@aesopacademy.org
privacy.html — deploy to aesopacademy.org rootFirebase Analytics active without COPPA mode. By default it collects device identifiers and advertising IDs — non-compliant for platforms serving children under 13.
Enable child-directed treatment in Firebase Console (single toggle, no code change required).
No disclosure that LIBREX/AESOP story content, quiz items, and lab prompts are AI-generated. Emerging state laws (KOSA, CA AB 2355) and FTC guidance increasingly require AI disclosure in child-directed platforms.
COPPA §312.6 requires operators to give parents the ability to review, correct, and delete their child's personal information. No mechanism exists currently.
parent-portal.html — parent email input → lookup consent record → show child display name + progress summaryTwo third-party data processors active: fal.ai (video generation — prompt data transmitted) and Firebase (auth, Firestore, Analytics). Data retention policies and COPPA agreements unconfirmed.
No data retention policy defined. COPPA requires personal information collected from children be retained only as long as reasonably necessary, then deleted.
Add a "Data Retention" section to privacy.html. No system changes required.
| Dimension | Current | Projected | Delta | Primary Driver |
|---|---|---|---|---|
| D1 · COPPA Core | 2 / 20 | 15–17 / 20 | +13–15 | Age gate + consent + privacy notice |
| D2 · Content Safety | 8 / 20 | 11–13 / 20 | +3–5 | AI disclosure + distress pathway |
| D3 · Data Security | 9 / 20 | 15–17 / 20 | +6–8 | Firebase COPPA mode + audit + retention |
| D4 · Transparency | 3 / 20 | 14–16 / 20 | +11–13 | Privacy notice + AI disclosure + parent portal |
| D5 · Proactive Safety | 6 / 20 | 11–13 / 20 | +5–7 | Consent system + COPPA mode + retention |
| TOTAL | 28 / 100 | 66–76 / 100 | +38–48 | Conditional → Pass range |