For Regulators · Policy & Enforcement Staff

Every rule traces to a statute.

Every OCSS rule category resolves to enacted law you can open and read — so conformance is observer-not-vote: evidence you weigh, never an approval we issue.

Browse the statute registry Request a policy briefing
phosra · statute → rule crosswalk
public API
CA AB 1043COPPAEU DSAUK AADCKOSAno statute yetruleparental_consent_gate
every category cites the law it traces to
11567 anchored / 48 provisionalOCSS rule categories
91live from the registrystatutes mapped & tracked
1JSON crosswalk, publicrule ↔ statute mapping API
§5.1evidence, not approvalthe conformance boundary, verbatim
The gap

Statutes pass. Platforms interpret. Children wait.

The lag between a child-safety law being signed and platforms actually enforcing it is measured in years — not because platforms are unwilling, but because every statute uses different language for the same protections. “Verifiable parental consent,” “algorithmic audit,” “age-appropriate design” each get re-implemented from scratch on every surface.

OCSS closes that gap by publishing the shared technical vocabulary, the cross-reference back to the statute that demands each protection, and the open conformance contract platforms can ship against on day one. The point of an open standard is that you don't have to trust any one vendor's reading of the law — the mapping is in the open, and it's testable.

What you can check, today

Built to be audited, not asserted.

The load-bearing claim is that every rule traces to a statute. Rather than assert it, here is the trace itself — a single enacted protection followed from the law that demands it, to the category that names it, to the action a platform takes and the receipt you can re-derive. Read top to bottom; nothing here asks for faith.

  1. 01 · The law

    An enacted statute, in its own words

    A real, registry-tracked law — say a state act requiring verifiable parental consent before collecting a minor's data. It lives in the public catalog with its status, jurisdiction, and citable provisions; it is the source, not our paraphrase of it.

    /compliance · one of 91 tracked statutes
  2. 02 · The signal

    The statute activates one stable category

    That obligation resolves to a category id with a fixed enforcement meaning — parental_consent_gate — the same token a platform, a router, and a bill draft can all reference. 67 of the 115 categories are anchored to enacted text like this; 48 are provisional and flagged as such. We say which is which.

    /api/compliance/map · the rule ↔ statute crosswalk, as JSON you can diff
  3. 03 · The enforcement

    The action runs, and leaves a replayable receipt

    The platform enforces the gate, and the decision carries the rule, the input, the output, and the statute citation that produced it. The result can be re-derived and verified against the open conformance suite — not reconstructed from screenshots, and not graded by us: conformance is observer-not-vote.

    Same object end to end: the text a legislature passes and the action a platform takes never drift into two translations.
public & filterablea continuously tracked registry
citable in bill textstable category ids, not prose
JSON, no loginmachine-readable crosswalk to diff
re-runnable suiteobserver-not-vote conformance
OCSS §5.1 · the conformance boundary

Conformance is evidence, not approval.

This is the single line a policy office cares about most, so we state it exactly as the spec does — no softening, no implied stamp. OCSS conformance does not confer regulatory approval and is not a COPPA safe harbor. It is something a regulator can weigh, alongside everything else, when evaluating an implementation.

Phosra is building toward OCSS Certified— a status earned from the standard and its conformance suite, never issued by Phosra. We don't self-certify, and we ship no “Phosra Certified” badge. OCSS itself is pre-release: an individual IETF Internet-Draft, Draft 4, not a ratified standard.

Verbatim · OCSS Trust Framework §5.1
“A conformance result is evidence that an implementation satisfies the tested requirements at the time of testing. It is not an approval, a certification by the steward, or a determination of legal compliance, and it confers no safe harbor under any statute.”

Read the full §5.1 at openchildsafety.com

Worked example · the crosswalk in practice

A bill, re-expressed against the taxonomy.

The clearest way to see the crosswalk is to watch a real bill route through it. Below, a state child-safety bill is mapped from its own statutory language to the stable rule categories that platforms already enforce — so the same obligation reads the same way on every surface.

PA SB 22 · standards-based rewrite

From bespoke statutory prose to citable categories

A worked example showing how a state bill can reference the 115-category taxonomy instead of platform-specific language. Each obligation in the bill resolves to a category id with an existing enforcement meaning — so the text a legislature passes and the action a platform takes are the same object, not two translations that drift apart in implementation.

Artifact 01

The compliance hub

A public, filterable index of all 91 tracked laws — citable in policy memos and committee briefings, each linking through to its full provision and rule-category mapping.

Open the hub
Artifact 02

Rule-category ↔ statute mapping

Machine-readable JSON of which categories each statute activates — the literal crosswalk, available at /api/compliance/map. Diff it across registry updates to see exactly what a new law adds.

Artifact 03

Per-law detail pages

Every tracked statute resolves to a detail page with its key provisions, status, jurisdiction, and the rule categories it triggers — at /compliance/[slug].

Artifact 04

The OCSS specification

The open spec the taxonomy and conformance contract live in — Draft 4, an individual IETF Internet-Draft. Hosted at the standard's home, not here, so it can outlive any single implementer.

Read the spec at openchildsafety.com
Why a regulator can rely on it

We don't own the standard. That's the point.

A standard one vendor controls is a standard a regulator should discount. So OCSS is governed to be un-capturable: verifiable steward succession, a ≥3-router federation, and a conformance suite whose own code rates a Phosra-only world RED. The canonical spec, the rule registry, and the conformance suite live at openchildsafety.com — not here.

That separation is what makes the evidence worth weighing: you're checking it against signed records and open tests, not against Phosra's word.

For policy offices & committee staff

Read the mapping. Then weigh the evidence.

A 30-minute walkthrough of the registry, the taxonomy, and the conformance contract — tailored to the bill or jurisdiction your office is evaluating. No sales pitch; we show you what's verifiable and what isn't yet.

Request a policy briefing Browse the registry

Verify the standard itself at openchildsafety.com — spec, rule registry, and conformance suite.