Composr Tutorial: Parental Controls and Child Safety
Written by Patrick Schmalstig
If your site will allow users to join / create accounts, chances are that you will have to abide by regional laws and regulations surrounding child safety online. This may mean different things depending on the region (e.g. getting parental consent, restricting site access, restricting data collection, or imposing curfews). Furthermore, since laws dictate that compliance must be based on the region of the user and not the site, it is not merely enough to satisfy the requirements in your own jurisdiction.Fortunately, Composr has an advanced parental controls system where you can configure different limitations depending on the user's age and/or region. This tutorial will cover the features currently available; additional features are planned for future implementation.
Important information on permissions

Introduction to the XML Configuration
Parental controls XML configuration
The XML configuration for parental controls can be accessed and edited under Admin Zone > Setup > Edit parental control settings. This page also supports revisions so you can see what changed over time and undo any changes you made.
When you save, validation will run on your XML. And any issues that are detected will be visible as messages at the top of the screen. This only happens after saving.
The parental_controls tag
The XML configuration is composed of a single parental_controls tag which can contain as many control tags as you like.The parental_controls tag supports the following attributes:
- require_dob
If set (to any value), then the date of birth field will be required on registration of a new account.
This is ignored if the field is disabled in site configuration (and you will get a notice about that when saving the XML configuration). - lock_dob
If set (to any value), then the date of birth field cannot be edited on a member's profile once set except by another member (e.g. a staff member).
This is ignored if the field is disabled in site configuration (and you will get a notice about that when saving the XML configuration).
If birthday points are defined in points configuration, then the field will be locked regardless whether or not this attribute is specified. - require_timezone
If set (to any value), then the time zone field will be required on registration of a new account.
This is ignored if the field is disabled in site configuration (and you will get a notice about that when saving the XML configuration). - lock_timezone
If set (to any value), then the time zone field cannot be edited on a member's profile once set except by another member (e.g. a staff member).
This is ignored if the field is disabled in site configuration (and you will get a notice about that when saving the XML configuration).
Not recommended unless laws require that you lock this down; members may move locations and need to change their time zone. - require_region
If set (to any value), then the region field will be required on registration of a new account.
This is ignored if the field is disabled in site configuration (and you will get a notice about that when saving the XML configuration). - lock_region
If set (to any value), then the region field cannot be edited on a member's profile once set except by another member (e.g. a staff member).
This is ignored if the field is disabled in site configuration (and you will get a notice about that when saving the XML configuration).
Not recommended unless laws require that you lock this down; members may move locations and need to change their region. - enforce_region
If set (to any value), then members will be required to update their region field in their member settings if the geo-location country of their IP address does not match their specified region.
Enforcement will be ignored when a member's region is not set, so you may also want to use require_region with this.
Not recommended unless you are legally obligated to enforce regional content; if members use a proxy or their IP address geo-location is not accurate, they might not be able to use your site.
Example:
Code (XML)
<parental_controls require_dob="1" lock_dob="1" require_timezone="1" require_region="1">
<!-- Controls would go in here -->
</parental_controls>
<!-- Controls would go in here -->
</parental_controls>
The control tag
The control tags within parental_controls define parental controls which should be used. You can define multiple control tags with the same name attribute that use different filters.Note that the parental controls system operates based on order of definition using regions. It will seek the defined controls (based on name depending on what we are checking for) from top to bottom until it finds one where the user's region applies to the defined regions, or the control has no regions defined.
As such, you should group your control tags with the same name together, and order them from most specific region filters to least specific ones. Control filters without any regions should be at the bottom of the group (as they are treated "default"). There is an example of this below.
All control tags support the following attributes; additional attributes specific to a control will be mentioned in their respective section of the tutorial:
- name (required)
The name of the control; this will determine the behaviour as explained in this tutorial. - age_threshold (required)
The age at which this control no-longer applies. For example, "16" means this applies to those under the age of 16. - regions
A comma-delimited list of country, or country-region ISO codes, for which this control should apply. Where a country code is defined without a specific region, it will apply to all regions in that country.
If this is not defined, the control will apply everywhere (unless a previous control by the same name had a defined region that matched the member).
Example:
Code (XML)
<!-- This control will match anyone in Florida, Indiana, the UK, or France -->
<control name="name_of_control" age_threshold="16" regions="US-FL,US-IN,GB,FR">
<control>
<!-- While this has a catch-all U.S. filter, it will not match anyone in Florida or Indiana because of the above control overriding it -->
<control name="name_of_control" age_threshold="14" regions="US">
<control>
<!-- Careful! This will never work because there is already a control above by the same name with a regions filter containing the UK -->
<control name="name_of_control" age_threshold="14" regions="GB">
<control>
<!-- Careful! This will also never work because there is already a catch-all for the U.S. above; this should be moved above the catch-all for it to work and match for people in California -->
<control name="name_of_control" age_threshold="17" regions="US-CA">
<control>
<!-- Since this has no regions specified and is at the bottom, it will match anyone in any region not defined by the above controls (e.g. everyone not in the U.S., the U.K., or France). Be careful though; at this point, any additional name_of_control controls defined below this one will never match. -->
<control name="name_of_control" age_threshold="13">
<control>
<!-- This is a different control, so it is okay to place it under the above one despite having regions filters; just make sure you follow the same rules for this control as well if you define more of them below -->
<control name="a_different_control" age_threshold="13" regions="US-FL,US-IN,GB,FR">
<control>
<control name="name_of_control" age_threshold="16" regions="US-FL,US-IN,GB,FR">
<control>
<!-- While this has a catch-all U.S. filter, it will not match anyone in Florida or Indiana because of the above control overriding it -->
<control name="name_of_control" age_threshold="14" regions="US">
<control>
<!-- Careful! This will never work because there is already a control above by the same name with a regions filter containing the UK -->
<control name="name_of_control" age_threshold="14" regions="GB">
<control>
<!-- Careful! This will also never work because there is already a catch-all for the U.S. above; this should be moved above the catch-all for it to work and match for people in California -->
<control name="name_of_control" age_threshold="17" regions="US-CA">
<control>
<!-- Since this has no regions specified and is at the bottom, it will match anyone in any region not defined by the above controls (e.g. everyone not in the U.S., the U.K., or France). Be careful though; at this point, any additional name_of_control controls defined below this one will never match. -->
<control name="name_of_control" age_threshold="13">
<control>
<!-- This is a different control, so it is okay to place it under the above one despite having regions filters; just make sure you follow the same rules for this control as well if you define more of them below -->
<control name="a_different_control" age_threshold="13" regions="US-FL,US-IN,GB,FR">
<control>
The parental_consent control
The parental consent member setting (note it will not be visible on your own settings)
Until you indicate on the member's account settings that they obtained parental consent (see the photo), or they reach an age in which the condition no-longer applies, they cannot log in to your site with their account (even if their account is validated). Note that you cannot edit your own parental consent setting even if you are staff; it must always be edited by a different person / staff with the privilege to access "Member access and privileges".
Additional tags can be provided within the control as follows:
- mail
The contents within this tag will also be included in the parental consent form mailed to the member if they need consent (along with the standard information). This supports Comcode. - privacy_policy
The contents within this tag will also be included in the automatic Privacy Policy generated by Composr. This supports Comcode. You do not need to include the age threshold or regions; those are supplied automatically. But you may want to specify the governing law behind this.
In this example, members under the age of 13 in the U.S. must get parental consent:
Code (XML)
<control name="parental_consent" age_threshold="13" regions="US">
<mail>Members in the U.S. under the age of 13 must get parental consent as per COPPA.</mail>
<privacy_policy>This is enforced by the Children's Online Privacy Protection Act (COPPA).</privacy_policy>
<control>
<mail>Members in the U.S. under the age of 13 must get parental consent as per COPPA.</mail>
<privacy_policy>This is enforced by the Children's Online Privacy Protection Act (COPPA).</privacy_policy>
<control>
The lockout control
The lockout control defines when members will be locked out of your site (unable to log in, but still can view it as a guest) until they reach a certain age. Some places may completely prohibit people under certain ages from using social media even with parental consent. Or, you might be running an adult-oriented site and want to restrict everyone under, e.g., 18 or 21. Use this control in those instances.Note that this does not respect the parental consent member setting; even if a member has parental consent marked on their account, if they are not old enough to use your site as defined by a lockout, then they cannot log in.
The system is intelligent enough to handle lockout controls versus parental consent controls; the lockout ones will always take priority regardless of order in the XML file.
If you use any lockout controls, it is highly recommended to restrict all content on your site you do not want underage people seeing from the Guests usergroup.
Additional tags can be provided within this control as follows:
- message
If defined, this message (Comcode supported) will show on the error screen when someone tries to log in who is locked out by this control. You should also include an e-mail address (using the email Comcode tag) for contact in case of errors.
If not defined, a default message including the minimum age and the staff address will be shown. - privacy_policy
The contents within this tag will also be included in the automatic Privacy Policy generated by Composr. This supports Comcode. You do not need to include the age threshold or regions; those are supplied automatically. But you may want to specify the governing law behind this control.
In this example, members under the age of 13 in the U.S. states of Utah and Indiana cannot use your site:
Code (XML)
<control name="lockout" age_threshold="13" regions="US-UT,US-IN">
<message>You must be 13 years or older to use this site due to the Random Act of Privacy Protection Peanuts and Party Plushies Act. Please contact [email protected] if this is an error.</message>
<privacy_policy>This is enforced by the Random Act of Privacy Protection Peanuts and Party Plushies Act.</privacy_policy>
<control>
<message>You must be 13 years or older to use this site due to the Random Act of Privacy Protection Peanuts and Party Plushies Act. Please contact [email protected] if this is an error.</message>
<privacy_policy>This is enforced by the Random Act of Privacy Protection Peanuts and Party Plushies Act.</privacy_policy>
<control>
Concepts
- Privacy policy
- A standard term applied to the document that lays out a website's privacy policy; some laws specifically refer to a privacy policy and require a separate document for it
- Parental controls
- Composr's generic term for the settings and configuration governing children's ability to access your website and the regulations thereof
See also
Feedback
Please rate this tutorial:
Have a suggestion? Report an issue on the tracker.