CurioQuest
wiki/decisions/ADR-004-no-photo-default-coppa.md
ADR-004 — No-photo default + parent-facing COPPA posture
Status: Accepted · Date: 2026-06-02
Context
The original model was photo-default — upload a child's photo to render the hero. Research flagged child privacy as a catastrophic-impact risk: the amended COPPA rule (in effect; ~$53K/violation [FACT]), biometric exposure from photos, and active parent AI-distrust around kids' content. Photo-default maximizes exactly this exposure.
Decision
- No photo by default — name + age + city generates an original character to represent the child.
- Photo upload is an opt-in exception behind explicit consent + a safety gate (screened before any job starts).
- COPPA-compliant by design: verifiable parental consent, user photos auto-delete after 30 days, no training on child data.
- Every generated image passes an automated safety + identity QC check before it ships.
Rationale
No-photo default removes the highest-severity privacy/liability surface while still delivering personalization (an original character from name/age/city). It also directly addresses parent AI-distrust by making the product visibly privacy-first. This is a research "what must be true" Go condition and an explicit CHANGE from the original photo-default (which was a KILL).
Source / evidence
- Project-Objective.md §4 (Pillar 1), §7, §11 (capability 4), §12
- Research_Synthesis.md §11 (risk register), §12 (condition 5), §18 —
[FACT]COPPA amended rule, ~$53K/violation - Requirements — safety gates