Regulatory · §07

Regulatory & privacy

Branchfeat/v2 Commit38549fa AudienceJonny, Liam, eng

UK Children's Code — the unbookable risk

SHOTid has no age gate, no DoB, no minor mode. The ICO's Age Appropriate Design Code does not care whether we intended to serve under-18s. It cares whether the service is likely to be accessed by them. A sport-themed, avatar-builder identity product launched around a fight night is not a borderline case — it is squarely in scope.

The Children's Code is 15 standards, statutory under the Data Protection Act 2018. Compliance is not optional for any "information society service likely to be accessed by children" in the UK market. The headline duties: best interests of the child (Std 1); DPIA required (Std 2); age-appropriate application (Std 3) — different protections by age band, cannot apply without knowing age; default to high privacy (Std 7); no nudge towards weaker settings (Std 13); transparency (Std 4).

SHOTid's design today violates Standard 7 directly: every locked identity goes into public_profiles readable by anon the moment lock-in fires. Standard 13: the founder cohort cap of 5,000 and the FOMO framing of registration are precisely the patterns the code targets.

Precedent — the ICO has fined for this £12.7m

April 2023: ICO fined TikTok £12.7 million for allowing ~1.4 million UK children under 13 to use the platform in 2020 despite its own rules. The penalty cited failures across Articles 5, 8, 12, 13 and the Children's Code (ICO press release). The model SHOTid currently ships — no age gate, no DoB, public profile exposure of locked identities — is structurally indistinguishable from the failure mode the ICO penalised.

"Likely to be accessed" is a low bar in scope

The ICO's published guidance ("Likely to be accessed by children") lists factors: nature of content, marketing tone, similar services that demonstrably attract minors, presence of features attractive to children (avatars, collectibles, ranks, cohort numbers). SHOTid hits every one. Defending a "not aimed at children" position in front of the ICO would be ridiculous given the avatar builder, the helmet rarity migration, and the partner roster.

Penalty exposure up to 4% global turnover

UK GDPR Art. 83(5) — up to £17.5m or 4% of global annual turnover, whichever is higher. For a pre-revenue product the cash exposure is theoretical; the operational exposure (ICO enforcement notice, mandated audit, time-bound remediation, reputational hit at the moment of launch) is not.

Fix	Effort	When
Self-asserted age gate at journey entry. Store assertion, IP and timestamp immutably (separate `age_assertions` table, never editable). Hard refusal for under-13.	1–2 days	Pre-launch, blocking
13–17 minor-mode flag on `profiles` — suppresses `public_profiles` exposure, suppresses federation share, suppresses founder/OG number display. Default deny for any new sharing capability.	3–5 days	Pre-launch, blocking
Privacy notice at registration, plain-English version for 13–17 band. Reviewed by external counsel before December.	1 week including counsel turn	Pre-launch, blocking
DPIA covering the registration journey, the credential issuance flow, and the federation share path. See §08.	2 weeks	Pre-launch, blocking

GDPR vs identity-lock — the unsolvable tension

The product principle is that identity is permanent. The enforce_identity_lock trigger encodes that principle at the database layer. GDPR Article 17 — the right to erasure — overrides this. There is no clever schema that wins the argument with a regulator. The question is whether the team has a written policy describing how it loses the argument gracefully.

Three flows must be reconciled before launch:

The locked profile row. Currently the only override path is bumping identity_lock_version, which is an admin escalation. Fine for "I want a different handle"; wrong for "I am exercising my Art. 17 right." Erasure should be a privacy-by-design path, not an admin escalation.
The issued credential. Once a W3C VC sits in a Sport Head's wallet, it is outside our control. We cannot recall it. The honest mechanism is a revocation registry — the VC keeps existing but reads as revoked when any verifier checks status. The W3C-recommended pattern is Bitstring Status List v1.0 (the successor to Status List 2021). Publish a bitmap; the credential carries an index pointer. Revoking = flipping one bit. No PII in the registry.
The convenience caches. profiles.email exists alongside auth.users.email. There is no lawful basis for storing the same personal data twice. Erasure must clear both.

Required RPC build before launch

A soft_erase_profile(p_id uuid) SECURITY DEFINER function: (a) overwrite every PII column on profiles with NULL or a tombstone constant; (b) keep sporthead_handle as a tombstone shell (preserves the "permanence" promise); (c) set erased_at; (d) revoke founder credential in Status List bitmap; (e) delete the auth.users row; (f) write an immutable audit entry. The only way to satisfy Art. 17 without abandoning the permanence model.

Legal basis for the handle tombstone contested

Art. 6(1)(f) legitimate interest — the permanence of an identity record is integral to the product's value — is the most defensible basis. The ICO may reject it for a non-mandatory consumer product. Counsel must put this in writing before December. Fallback: allow handle reuse after a cool-down (12 months minimum) and accept the cultural cost.

The trigger bypass is the wrong primitive refactor

identity_lock_version conflates "admin correction" with "user exercising a statutory right". Add a second bypass — e.g. SET LOCAL sporthead.privacy_action = 'erasure' the trigger respects — so the audit trail distinguishes. ICO investigations ask for evidence of which legal basis applied to each mutation.

COPPA — diaspora exposure

SHOTid is not marketed to US children. That does not exempt it. COPPA applies when an operator has actual knowledge that a user is under 13, or when the service is "directed to children" under the FTC's multi-factor test. Diaspora Sport Heads in any launch locale include US-resident families.

Verifiable parental consent required before any collection of personal information from a known under-13. Methods listed in 16 CFR § 312.5; the cheap ones (KBA, credit-card micro-charge) cost real money per signup. No realistic way to ship VPC for a December launch.
Actual-knowledge trigger: the moment a support ticket, federation flag, or self-disclosure tells SHOTid that a Sport Head is under 13, the data must be purged or VPC obtained. No "but they lied at signup" exception.
Penalty maximum — FTC adjusts the COPPA civil-penalty maximum for inflation annually. The current cap is in the low five figures per violation (see FTC COPPA page). Per-violation, not per-incident — a breach affecting 200 under-13s is 200 violations.
The amended COPPA Rule (2024–25) tightens third-party-disclosure rules and requires separate VPC for ad networks/analytics. Federation share counts as third-party disclosure under the strictest reading.

Realistic posture: hard age gate at signup, refuse under-13 entry globally (not just UK), maintain an actual-knowledge purge process, document the COPPA stance in the DPIA. Supporting 13–17 with VPC for the December cohort is not viable — defer until v2.

KYC / AML — the moment a credential touches money

The strategy doc references NFC patches, future Pepsi tournament drops, ticket gating. Today the credential is identity-only and the regulatory surface is narrow. The moment a SHOT-issued VC unlocks discounted entry, token-gated commerce, or proof-of-age for a regulated good, the surface multiplies and the legal entity issuing the credential (SHOT) inherits responsibilities it has not budgeted for.

Trigger	Jurisdiction	Regime	What it means
VC unlocks value transfer (cashback, credits redeemable as cash)	UK	FCA registration as e-money / payment institution	Capital adequacy, safeguarding, full KYC chain. Multi-month onboarding.
VC tied to a token or NFT	EU	MiCA (applicable Dec 2024 for asset-referenced/e-money tokens; CASP rules in force). Reg (EU) 2023/1114	Likely outside MiCA if VC is non-transferable, no monetary value — but the line is transferability + economic claim, not branding.
VC used for value in US	US	State-by-state money-transmitter licensing (~50 regimes), FinCEN MSB	Operationally infeasible for a small team. Mitigation: never let SHOT touch money rail.
VC as age-of-majority proof at ticketed event (alcohol)	UK	Licensing Act 2003, Gambling Commission if wager surface	Liability shifts to venue, but issuer named in any investigation if credential proves unreliable.
VC as identity in regulated wager	UK / US states	Gambling Commission / state gaming boards	Strong reason to keep VC strictly identity, not entitlement.

Mitigation pattern is structural: keep VC issuance identity-only. Ticketing partners run their own merchant of record, hold their own licences, take their own KYC. The credential proves "this Sport Head is who they say they are" and stops there. Anything beyond requires a non-trivial legal memo before integration ships. Bake into partner contract template now, before partner pressure makes it harder.

Data residency per federation

ADR-0006 establishes the dedicated Supabase project — EU-Ireland by default. That optimises for "no federation has a privileged data path", which is good for SHOT's neutrality story. It is the opposite of what federations will eventually demand.

Brazil — LGPD. Applies extraterritorially. Does not mandate localisation like Russia/China; ANPD has indicated localisation expectations for "high-risk" sector use cases. 100k+ Brazilian Sport Heads will get the ANPD's attention by year two.
Sierra Leone — Personal Data Protection Act 2022. Establishes a DPA, consent-based processing, GDPR-derived cross-border transfer regime. Does not mandate localisation; does require local representation if processing affects SL residents from outside. SLFA's expectations may outpace the statute around the December launch.
Nigeria — NDPA 2023. Similar GDPR-derived structure. NDPC more active than its statute suggests. Diaspora-heavy West African Sport Heads will cross-trigger UK + NDPA + LGPD on a single profile.
Italy — Garante. Most aggressive EU DPA. First to ban ChatGPT temporarily, first to challenge Meta's AI-training basis. An Italian-locale identity product without a clear DPIA is a poke at the Garante.

The architectural fork is now. Either commit to single-region with federation data lakes that materialise locally (cheap, conflicts with sovereignty rhetoric), or per-federation tenancy with regional Supabase projects (expensive, conflicts with ADR-0006's "no privileged data path"). Write ADR-0007 before more federations come online.

The `public_profiles` view as PII surface

Migration 03 grants SELECT on public_profiles to anon. The view returns handle, locale, country, avatar state, current sport, founder/OG flags and cohort numbers for every locked identity. The migration comment claims "no PII". That is wrong.

Under UK GDPR Art. 4(1), personal data is "any information relating to an identified or identifiable natural person." The ICO's standing position is that identifiability includes data that, alone or combined with other reasonably-available information, identifies an individual. public_profiles fails this on three vectors:

Avatar + sport + region is a quasi-identifier. A unique avatar state hash, plus "boxing in Sierra Leone", plus handle + founder number narrows the population to single digits.
Federation-published rosters are the side channel. SLFA already publishes member lists. Cross-referencing handle + sport + country gives full re-identification.
Founder number is a tiny set. 5,000 numbered identities is small enough that any side channel (tweet, press photo, wedding announcement) closes the gap.

The "public" framing is a product decision, not a legal one. Defaults must be private. Locked Sport Heads opt in explicitly to public_profiles exposure after lock-in, in plain language. For minors (§01) the option must not even be offered.

Concrete fix pre-launch

Add public_profile_consent_at TIMESTAMPTZ on profiles. Recreate the view with WHERE public_profile_consent_at IS NOT NULL. Move founder number out of the anon-readable surface — display it inside the Sport Head's own session only. Federation portals read via a per-federation scope (signed JWT against a SECURITY DEFINER RPC), not via anon.

The signin RPC as a notifiable breach in waiting

Migration 20260503000001_09_signin_rpc.sql exposes a SECURITY DEFINER function lookup_signin_email_by_handle, granted to anon, returning the auth email for any locked-in handle. The migration comment acknowledges the leak. That acknowledgement is not a defence — it is evidence.

By design, a caller with no credentials maps a public handle to the recovery email of the human behind it. Email is personal data under UK GDPR / DPA 2018. The mapping is disclosed to "any third party" the moment they call the RPC. Disclosure without lawful basis (Art. 6).
Notification obligation: the moment the team has reasonable grounds to believe attackers have harvested at scale, Art. 33 requires ICO notification within 72 hours; Art. 34 requires user notification "without undue delay" for high-risk breaches. A handle-to-email oracle hits both.
Cost of a notification event, independent of any fine: external counsel for the regulator submission, ICO incident manager assigned for months, mandatory remediation report, possible audit, brand damage at exactly the moment of launch. Six-figure all-in is conservative.
The fix is not "rate-limit at Supabase auth" as the migration comment suggests. The fix is to never return the email. Replace with a sign-in RPC that takes handle + PIN and returns a session token (or error). The OIDC issuer path in ADR-0006 already implies this; build that, then drop the migration.

DPIA — the document the team does not have

UK GDPR Art. 35 and the ICO's published DPIA guidance make a DPIA mandatory where processing is "likely to result in a high risk to the rights and freedoms of natural persons." The ICO's published list of operations always requiring a DPIA includes processing children's data for profiling/marketing, identity data on a large scale, and innovative use of new technologies. SHOTid hits all three.

The DPIA the team has not written needs to contain, at minimum:

Description of processing. Re-use the architecture data-flow map.
Necessity and proportionality. For each data point — country, locale, geo unit, PIN, email — justify why it is necessary. The duplicate profiles.email cache fails this test as written.
Risk register. Re-use the security-posture page's findings.
Mitigations. What's being done, when, by whom. Without dates this section is theatre.
Consultation. Children's representative consultation is expected for any service in the Code's scope.
Residual risk. If residual risk is high after mitigations, Art. 36 requires prior consultation with the ICO before processing begins. Lead time: 8–14 weeks. The December cohort cannot wait that out unless the DPIA starts in the next two weeks.

Verdict

Regulatory verdict · confidence 9/10

Cannot ship the December cohort as currently designed without material regulatory exposure

The Children's Code position alone — no age gate, no DoB, public-by-default profiles, no DPIA — is the same posture the ICO fined TikTok £12.7m for. Add the handle→email oracle in the signin RPC (a notifiable breach the moment anyone scrapes it) and the GDPR-vs-identity-lock tension (no Art. 17 path designed in), and the launch is a regulatory invitation rather than a launch.

The three must-do regulatory fixes before December: (1) hard age gate plus minor-mode plus default-private public_profiles, written into the schema before the cohort opens; (2) kill lookup_signin_email_by_handle and replace with a credential-checking RPC that never returns the email; (3) write the DPIA — two weeks of focused work, signed off by external counsel — and drive a soft-erase RPC plus W3C Bitstring Status List revocation for the founder credential.

Everything else here (KYC/AML, residency, COPPA hard cases) is a v2 conversation. The three fixes above are the difference between launching with a defensible posture and launching with a press release the ICO will read.