When most consumer apps think about COPPA — the Children's Online Privacy Protection Act — they're asking: "What's the minimum we need to do to avoid liability?" Age gate at 13, add a line to the privacy policy, done. We decided from the very beginning to ask a different question: "If we're building a product that parents use to protect their children's digital lives, what does it mean to actually deserve that trust?"
That question turned COPPA from a compliance box into a design brief. Here's what that actually looked like in practice — and what it means for the families who use Sage Haven.
What COPPA Actually Requires (And What It Doesn't Say)
COPPA, enforced by the Federal Trade Commission, sets out specific requirements for operators of websites and apps directed at children under 13, or those with actual knowledge they're collecting data from users under 13. The core requirements: obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13; maintain a clear and comprehensive privacy policy; give parents the ability to review and delete their child's information; and not condition participation in the app on a child providing more information than is necessary.
What COPPA doesn't specify in detail: the quality of the parental consent mechanism, how you handle data that could indirectly identify a child, or what "necessary" data means for a given use case. Those gaps are where companies either step up or cut corners.
We want to be clear: we are not claiming to be "COPPA certified" — no such official certification exists from the FTC, though there are third-party COPPA safe harbor programs. What we can say is that we built Sage Haven with COPPA's requirements as a floor, not a ceiling.
The Data Minimization Decision
The first real design decision that COPPA-as-brief forced was data minimization. Every analytics tool, every feature idea, every third-party SDK we considered — we asked: does this require collecting data about or from children? And if so, do we actually need it?
The honest answer, more than once, was no. There are analytics products that would give us rich behavioral data about how children use their devices — and that data would be genuinely useful for product development. We don't use them. The child activity data that flows through Sage Haven's monitoring features is processed to generate the parent-facing reports, but it's not used to build profiles, it's not shared with ad networks, and it's not retained indefinitely.
This wasn't a painful sacrifice. It was a clarifying exercise. When you decide that children's behavioral data is not a resource to be monetized, a lot of ambiguous product decisions become much clearer.
Verifiable Parental Consent: Getting It Right Is Hard
COPPA's verifiable parental consent requirement is one of its most important provisions and also one of its most technically challenging. "Verifiable" means more than asking someone to check a box saying "I am over 13" or "I am the parent." The FTC's guidance describes several methods: credit card transactions (because minors generally don't have them), knowledge-based challenges, and government ID verification.
We spent significant time on this part of the onboarding flow, specifically because it's the mechanism that makes parental consent real rather than performative. The friction in verification isn't a UX failure — it's a feature. A process that's actually hard to fake by a 12-year-old pretending to be their parent is one that's doing its job.
What we discovered in designing this: the parents who find verification slightly annoying are also the ones who, after a moment's thought, appreciate that it's annoying for everyone — including anyone who shouldn't be setting up a monitoring account on a child's device.
The "Necessary Data" Conversation We Keep Having
One of COPPA's principles — that you shouldn't condition a child's participation on providing more data than necessary — sounds simple. In practice, it surfaces constantly in product decisions.
A feature request that came up early in development: detailed app usage breakdowns that would show parents not just total time in an app, but specific content consumed within it (what videos were watched on YouTube, what searches were run). This data would be genuinely useful for some parents. It would also mean logging a much more granular record of a child's activity than anything we'd determined was necessary for our core use case of helping parents set healthy boundaries.
We didn't build it. Not because it was technically infeasible, but because we weren't comfortable with the data retention implications for children who had no say in the surveillance. There's a meaningful difference between a parent knowing their child spent 90 minutes on YouTube Kids and a parent having a searchable log of every video their child watched. The former respects the child's developing autonomy; the latter treats them as a subject of comprehensive surveillance.
We're not saying detailed activity logging is always wrong. Other products make different tradeoffs, and some families genuinely want that level of visibility. We're saying that our specific answer to the "necessary data" question led us here, and we think it's the right call for what we're trying to build.
Transparent Privacy Language That Parents Can Actually Read
Privacy policies are, famously, unread. The average American privacy policy requires a college-level reading comprehension and takes over 10 minutes to read. We didn't want ours to be another document that parents theoretically agreed to without understanding.
Our privacy policy and our COPPA Notice (linked in the footer) are written in plain language. They describe in concrete terms what data we collect, what we do with it, what we don't do with it, and how parents can access, correct, or delete their child's information. The legal requirements are met — but the goal was that a parent who actually reads the page comes away with an accurate understanding of our practices.
If there's one thing we'd ask every parent using any app that touches their child's digital life: read the privacy policy. Specifically look for: what data is collected, whether it's shared with third parties, whether it's used for advertising, and what deletion rights you have. These aren't obscure questions — any app that can't answer them clearly is giving you information about how they think about children's data.
Why This Matters Beyond Compliance
Building with COPPA as a design brief rather than a compliance checklist meant that our data practices are explained by principle rather than just policy. When a parent asks us "why don't you have X feature?", we can explain the reasoning — not just "regulations don't require it" but "here's why we decided it wasn't appropriate given what we're collecting from children's devices."
That reasoning-first approach also shapes how we'll handle future product decisions. The digital privacy landscape for children is evolving quickly — the FTC proposed significant updates to the COPPA rule in recent years, and state-level laws like California's Age-Appropriate Design Code (AB 2273) are pushing the industry toward higher baseline standards for products used by minors. We want to be ahead of those requirements, not scrambling to catch up.
Trust, in the context of a product that parents use to protect their children, can't be manufactured by a marketing claim. It has to be built from the inside out — from the actual decisions made when the tradeoffs aren't easy and the regulatory minimum would have been simpler. That's the only kind of trust worth having.
