CurioQuest

wiki/decisions/ADR-004-no-photo-default-coppa.md

ADR-004 — No-photo default + parent-facing COPPA posture

Status: Accepted · Date: 2026-06-02

Context

The original model was photo-default — upload a child's photo to render the hero. Research flagged child privacy as a catastrophic-impact risk: the amended COPPA rule (in effect; ~$53K/violation [FACT]), biometric exposure from photos, and active parent AI-distrust around kids' content. Photo-default maximizes exactly this exposure.

Decision

  • No photo by default — name + age + city generates an original character to represent the child.
  • Photo upload is an opt-in exception behind explicit consent + a safety gate (screened before any job starts).
  • COPPA-compliant by design: verifiable parental consent, user photos auto-delete after 30 days, no training on child data.
  • Every generated image passes an automated safety + identity QC check before it ships.

Rationale

No-photo default removes the highest-severity privacy/liability surface while still delivering personalization (an original character from name/age/city). It also directly addresses parent AI-distrust by making the product visibly privacy-first. This is a research "what must be true" Go condition and an explicit CHANGE from the original photo-default (which was a KILL).

Source / evidence

  • Project-Objective.md §4 (Pillar 1), §7, §11 (capability 4), §12
  • Research_Synthesis.md §11 (risk register), §12 (condition 5), §18 — [FACT] COPPA amended rule, ~$53K/violation
  • Requirements — safety gates