All 18 checks with why-it-matters prose, severity, and cross-references to related audits.
COPPA §312.5 requires operators to obtain verifiable parental consent before collecting personal information from children under 13. Without a server-enforced age gate, your registration endpoint creates accounts and stores personal data — name, email, date of birth — for users who may be children, with no parental involvement. The FTC treats this as a per-se violation regardless of whether you intended to attract children. Civil penalties reached $170 million in FTC v. Google/YouTube and $5.7 million in FTC v. Musical.ly. A client-side-only age gate provides zero legal protection because it is trivially bypassed by altering the form submission.
Why this severity: Critical because any personal data stored before age verification makes the operator liable under COPPA §312.5 the moment a child completes registration — there is no cure once the data exists.

Pattern: coppa-compliance.age-determination.age-gate-present (See full pattern)

COPPA §312.5 and FTC Age Screen Guidance require that the age collection mechanism not encourage children to misrepresent their age. A checkbox labeled 'I am 13 or older' or a birth-year field pre-populated to make the user appear to be an adult are design patterns that coach children to lie. The FTC has cited dark-pattern age gates as evidence of bad faith during enforcement actions, because they transform a nominal compliance mechanism into a channel for knowing data collection from children. This shifts the operator from 'inadvertent' to 'intentional' COPPA violation — a distinction that affects penalty size.
Why this severity: High because a coaching age gate exposes children's data to collection while giving the operator a false appearance of compliance — a pattern regulators treat as deliberate rather than inadvertent.

Pattern: coppa-compliance.age-determination.age-gate-neutral (See full pattern)

COPPA §312.5 and §312.3 require that when a child is identified as under 13, no personal information is collected or stored unless verifiable parental consent is obtained. A client-side block that the server ignores is not a block — it is a UI illusion. If the account creation API processes a submission regardless of the submitted age, the operator is collecting personal information from an identified child without consent, which is a direct COPPA §312.5 violation. The FTC does not require intent; the data being stored is sufficient to establish the violation.
Why this severity: High because a server-side bypass means personal data from identified children is being stored in the database, making every such registration a discrete COPPA §312.5 violation with per-record penalty exposure.

Pattern: coppa-compliance.age-determination.underage-blocking (See full pattern)

COPPA §312.5 requires meaningful age verification — a gate that can be bypassed by opening a new incognito tab provides no protection. If age validation depends on a client-accessible cookie or localStorage value that the server trusts as proof of passing the gate, a child who gets blocked can clear browser storage and immediately re-register with a different birth date. The FTC expects age verification to be durable: the server must independently validate the submitted birth date on every account creation request and apply friction to repeated attempts.
Why this severity: Medium because the bypass requires deliberate action by the child rather than an automated exploit, but the attack is trivial for any motivated minor and renders the age gate legally meaningless.
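The server-side handling that the four age-determination checks above call for, as an added example that is not from the audit page or from any project it audits: the birth date is recomputed on every request, client-side age flags are never read, an under-13 submission stores nothing about the child and only queues a direct notice to a separately supplied parent address, and repeated attempts from one client are throttled. The request shape, the in-memory store and the token format are assumptions.

```javascript
// Added example: server-side registration decision that never trusts a client-side
// age gate. The request shape, the in-memory store and the token format are assumptions.
const COPPA_AGE = 13;
const MAX_ATTEMPTS_PER_CLIENT = 3; // friction against re-submitting with a new birth date

// Whole years between an ISO date of birth and `now`; null for unparseable or future dates.
function ageOn(dobIso, now) {
  const dob = new Date(`${dobIso}T00:00:00Z`);
  if (Number.isNaN(dob.getTime()) || dob > now) return null;
  const birthdayPassed =
    now.getUTCMonth() > dob.getUTCMonth() ||
    (now.getUTCMonth() === dob.getUTCMonth() && now.getUTCDate() >= dob.getUTCDate());
  return now.getUTCFullYear() - dob.getUTCFullYear() - (birthdayPassed ? 0 : 1);
}

function createStore() {
  return { users: [], pendingConsents: [], attemptsByIp: new Map() };
}

// `req.body` is the parsed form; any ageVerified cookie/localStorage flag the client
// sends is deliberately not read, so the server re-validates on every call.
function handleRegistration(req, store, now = new Date()) {
  const attempts = (store.attemptsByIp.get(req.ip) || 0) + 1;
  store.attemptsByIp.set(req.ip, attempts);
  if (attempts > MAX_ATTEMPTS_PER_CLIENT) return { status: 429, reason: "too many attempts" };

  const { name, email, dateOfBirth, parentEmail } = req.body;
  const age = ageOn(dateOfBirth, now);
  if (age === null) return { status: 400, reason: "invalid date of birth" };

  if (age < COPPA_AGE) {
    // Under 13: no user row, no name, no email and no DOB is stored for the child.
    // Only the separately supplied parent address is kept, to deliver the direct notice.
    if (!parentEmail || parentEmail === email) {
      return { status: 403, reason: "a parent email distinct from the child's is required" };
    }
    const token = `consent-${store.pendingConsents.length + 1}`; // placeholder; use a random token in production
    store.pendingConsents.push({ token, parentEmail, requestedAt: now.toISOString() });
    return { status: 202, reason: "parental consent required", notifyParent: parentEmail };
  }

  store.users.push({ id: store.users.length + 1, name, email, dateOfBirth, createdAt: now.toISOString() });
  return { status: 201, userId: store.users.length };
}
```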

Pattern: coppa-compliance.age-determination.age-gate-not-bypassable (See full pattern)

COPPA §312.5 and §312.4 prohibit collecting any personal information from a child under 13 until verifiable parental consent is obtained. 'Verifiable' is the operative word: a checkbox on the child's own signup form is not consent from the parent — it is consent from the child, which COPPA explicitly does not recognize. Creating a user record and storing the child's email and date of birth before the parent has confirmed is a COPPA §312.5 violation from the moment the INSERT executes. The FTC has levied eight-figure fines (FTC v. Google/YouTube, 2019: $170M) specifically for collecting children's data before consent.
Why this severity: Critical because any personal data stored before parental consent is confirmed constitutes an active COPPA §312.5 violation — the legal exposure exists for every child record created without prior consent.

Pattern: coppa-compliance.parental-consent.verifiable-consent (See full pattern)

COPPA §312.5 requires 'verifiable' parental consent — a method that gives reasonable assurance the person consenting is actually the parent, not the child. The FTC's approved methods (email-plus, credit card transaction, signed form, KBA, government ID) each create an out-of-band verification step the child cannot complete. A checkbox on the child's own registration form gives zero assurance that any parent was involved. If a consent mechanism cannot reliably exclude the child from self-approving, it fails the 'verifiable' standard and the operator is treated as collecting data without consent.
Why this severity: High because using a non-approved consent method means parental consent is legally invalid — the operator has the same exposure as if no consent mechanism existed at all.

Pattern: coppa-compliance.parental-consent.ftc-approved-method (See full pattern)

COPPA §312.6 grants parents the right to review the information collected from their child and to revoke consent at any time. Without a durable consent record, an operator cannot verify that consent was obtained, cannot respond to a parental review request with evidence, and cannot trace whether a specific child account was legitimately authorized. If the FTC investigates and the operator cannot produce records showing when consent was given, by whom, and via which method, the absence of records is treated as an absence of consent. The consent record is also the anchor for the parent's revocation rights — without it, revocation cannot be cleanly executed.
Why this severity: Medium because the absence of consent records does not itself expose child data, but it strips the operator's legal defense and makes parental review and revocation mechanically impossible to fulfill.

Pattern: coppa-compliance.parental-consent.consent-records (See full pattern)

COPPA §312.6 and §312.5 give parents explicit statutory rights to review personal information collected from their child and to revoke consent — which triggers deletion of all data collected under that consent. These are not optional customer-service courtesies; they are legal obligations enforceable by the FTC. If a parent contacts your support team and there is no defined process, no identity verification step, and no mechanism to actually produce or delete the data, you are in violation of §312.6 regardless of whether you obtained consent correctly in the first place. GDPR Article 17 extends the deletion obligation to EU child data as well.
Why this severity: Medium because the violation is procedural rather than immediate data exposure, but the FTC treats absence of a functional parental access mechanism as non-compliance with §312.6 independent of other COPPA gaps.

Pattern: coppa-compliance.parental-consent.parent-review-revoke (See full pattern)

COPPA §312.4 and §312.5 require that the direct notice to parents describe what personal information will be collected and how it will be used — vague notices like 'I agree to the Terms of Service' do not satisfy this requirement. The consent must be informed: a parent who clicks 'approve' without knowing that the app collects usage events linked to their child's account, or that the display name is visible to other users, has not meaningfully consented to those specific practices. Disclosures that don't match actual collection also violate GDPR Article 13 for EU children, compounding exposure. The FTC has cited inadequate disclosure in consent notices as an independent ground for enforcement.
Why this severity: Low because the consent mechanism may still exist, but inadequate disclosure degrades the legal quality of that consent and creates a separate §312.4 notice obligation violation.

Pattern: coppa-compliance.parental-consent.consent-scope-limited (See full pattern)

COPPA §312.8 and §312.2, as interpreted by the FTC in its 2013 rule update and subsequent enforcement actions (FTC v. Google/YouTube, 2019), treat behavioral advertising to children as a per-se COPPA violation. Behavioral advertising requires tracking user activity over time to build interest profiles — that tracking data is 'personal information' under COPPA, and collecting it from children requires verifiable parental consent that effectively no behavioral ad network obtains. Running AdSense without `tfcd=1` on pages accessible to child users, or loading the Facebook Pixel on child sessions, creates direct COPPA exposure for every ad impression served. CCPA §1798.135 adds a separate California prohibition on selling minors' data.
Why this severity: Critical because behavioral ad networks collect personal information from children continuously across sessions by design — each page view from a child session without `tfcd=1` is an independent COPPA §312.8 data collection event.

Pattern: coppa-compliance.child-data.no-behavioral-ads (See full pattern)

COPPA §312.2 and §312.8 define 'personal information' to include persistent identifiers that track a child over time or across websites — explicitly including cookies and device IDs. Google Analytics' `_ga` cookie (2-year expiry), Hotjar's `_hjid` cookie, and Amplitude's persistent device ID all qualify. Loading any of these on child sessions without verifiable parental consent disclosing the cross-site tracking is a COPPA violation. The ePrivacy Directive Article 5(3) adds a parallel EU obligation to obtain consent before setting non-essential cookies on any user, including children.
Why this severity: High because third-party tracking SDKs assign persistent identifiers automatically on initialization — loading them on a child session creates COPPA-covered data collection without any further developer action.

Pattern: coppa-compliance.child-data.no-persistent-identifiers (See full pattern)

COPPA §312.7 prohibits operators from conditioning child participation on disclosing more personal information than is reasonably necessary for the activity. Requiring a child to provide their full name, school affiliation, and grade level to use a feature that only needs a display name is an independent COPPA violation — separate from the consent and age-gate requirements. Over-collection also expands the blast radius of a data breach: every field collected from a child that wasn't necessary is a field that could be exposed and that regulators will cite. GDPR Article 5(1)(c) ('data minimisation') applies the same principle to EU child data.
Why this severity: Medium because over-collection creates independent §312.7 liability and unnecessarily expands the sensitive data footprint for children in every table and analytics system the data reaches.

Pattern: coppa-compliance.child-data.data-minimization-children (See full pattern)

COPPA §312.2 and §312.5 include precise and coarse geolocation — as well as IP-address-derived location used persistently — within the definition of 'personal information' requiring parental consent before collection from children under 13. GDPR Article 9 adds a special-category protection for location data tied to children in the EU. Calling `navigator.geolocation.getCurrentPosition()` during a child session, or running an IP-to-country lookup and storing the result on the child's user record, is unconsented personal information collection unless the parental consent notice disclosed geolocation collection specifically.
Why this severity: Low because geolocation is collected incidentally rather than as the primary data point, and the harm requires downstream misuse — but the §312.5 collection violation occurs regardless of whether the data is later weaponized.

Pattern: coppa-compliance.child-data.no-geolocation-without-consent (See full pattern)

COPPA §312.2, §312.4, and §312.5 classify making a child's personal information 'publicly available' to other users as a form of disclosure that requires parental consent. A child's display name on a public leaderboard, a public profile page, or direct messages readable by other users all fall within this definition. AI-built apps frequently expose child accounts to the same social feature set as adult accounts because the permission model was never explicitly scoped by account type. The result is that child display names, avatars, and posts become searchable and visible to arbitrary users — and each such exposure is an unconsented disclosure under §312.5.
Why this severity: Low because social feature access by itself is a disclosure violation rather than direct data exfiltration, but each public profile view or message exchange constitutes an independent unconsented COPPA disclosure.

Pattern: coppa-compliance.child-data.no-social-features-unconsented (See full pattern)

COPPA §312.4 and §312.4(b) require operators whose websites or services are directed to children to post a clear and prominent link to a notice describing their information practices for children. A single sentence like 'We comply with COPPA' does not satisfy this requirement — the notice must specifically describe what is collected from children, how it is used, how parents can exercise their rights, and how consent was obtained. A generic adult privacy policy with no children's section is the most common COPPA documentation gap found in AI-built apps and is independently cited in FTC complaints alongside substantive violations.
Why this severity: Low because the documentation gap is a notice violation under §312.4 rather than an active data collection violation, but it eliminates any good-faith defense and is independently actionable by the FTC.

Pattern: coppa-compliance.operator-obligations.children-privacy-policy (See full pattern)

COPPA §312.4 and §312.4(c) require a direct notice to parents before collecting personal information from children — distinct from the privacy policy, this is a direct communication to the specific parent whose child is initiating signup. Sending the consent link to the child's email rather than a separately collected parent email address means the child is effectively approving their own account, which is not parental consent by any definition. The direct notice must also include the operator's full legal name and contact information, a description of data collected, use, third-party disclosure, and parental rights — omitting any of these is an independent §312.4 violation.
Why this severity: Info because the violation is a notice-delivery deficiency rather than a data collection failure, but an incomplete or misdirected direct notice invalidates the consent it was meant to establish.

Pattern: coppa-compliance.operator-obligations.direct-notice-parents (See full pattern)

COPPA §312.10 and §312.5 require operators to retain children's personal information 'only as long as reasonably necessary to fulfill the purpose for which it was collected,' then to delete it securely. Indefinite retention of child data is independently actionable — the FTC has cited absence of a documented retention schedule in enforcement actions even when consent and age-gate practices were otherwise adequate. GDPR Article 5(1)(e) imposes a parallel 'storage limitation' principle. When parental consent is revoked, all data collected under that consent must be deleted — an orphaned analytics event or usage log tied to a deleted child account is a retention violation.
Why this severity: Info because retention violations are prospective rather than immediate data exposure, but the FTC treats indefinite child data retention as a §312.10 violation independent of how the data was originally collected.
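A consent ledger and revocation cascade covering the verifiable-consent, consent-records and retention checks above, as an added example that is not from the audit page or from any project it audits: consent is recorded only for an FTC-approved method, the record keeps method, parent, timestamp and the disclosed practices as evidence, and revocation deletes the child's user row plus every analytics event and usage log tied to it so nothing orphaned survives. The in-memory tables and their column names are assumptions.

```javascript
// Added example: a durable parental-consent ledger and the revocation cascade. The
// in-memory tables and their column names are assumptions, not the audit's schema.
const FTC_APPROVED_METHODS = new Set(["email-plus", "credit-card", "signed-form", "kba", "government-id"]);

function createDb() {
  return { consents: [], users: [], analyticsEvents: [], usageLogs: [] };
}

// Record consent only when obtained by an approved out-of-band method; a checkbox on
// the child's own form is refused so it can never masquerade as parental consent.
function recordConsent(db, { childUserId, parentEmail, method, disclosedPractices }, now) {
  if (!FTC_APPROVED_METHODS.has(method)) throw new Error(`not a verifiable consent method: ${method}`);
  const record = {
    id: db.consents.length + 1,
    childUserId, parentEmail, method,
    disclosedPractices: [...disclosedPractices], // exactly what the direct notice described
    grantedAt: now.toISOString(),
    revokedAt: null,
  };
  db.consents.push(record);
  return record;
}

// A practice ("analytics", "geolocation", ...) is permitted only if live consent names it.
function practiceConsented(db, childUserId, practice) {
  return db.consents.some(c =>
    c.childUserId === childUserId && c.revokedAt === null && c.disclosedPractices.includes(practice));
}

// Revocation keeps the consent record itself as evidence (with revokedAt set) but deletes
// the child's user row and every event or log tied to it, leaving no orphaned rows.
function revokeConsent(db, consentId, now) {
  const c = db.consents.find(x => x.id === consentId && x.revokedAt === null);
  if (!c) throw new Error("no active consent record");
  c.revokedAt = now.toISOString();
  const uid = c.childUserId;
  const countRows = () => db.users.length + db.analyticsEvents.length + db.usageLogs.length;
  const before = countRows();
  db.users = db.users.filter(u => u.id !== uid);
  db.analyticsEvents = db.analyticsEvents.filter(e => e.userId !== uid);
  db.usageLogs = db.usageLogs.filter(l => l.userId !== uid);
  return { deletedRows: before - countRows() };
}

// Retention check: any event or log whose user no longer exists is a retention violation.
function orphanedRows(db) {
  const live = new Set(db.users.map(u => u.id));
  return [...db.analyticsEvents, ...db.usageLogs].filter(r => !live.has(r.userId));
}
```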

Pattern: coppa-compliance.operator-obligations.retention-limited (See full pattern)

COPPA §312.8 and §312.2 hold operators responsible for third-party misuse of children's data when the operator 'discloses' that data to the third party. Sending a child's email address to SendGrid, a child's session data to Sentry, or a child's page views to Google Analytics constitutes disclosure — and the FTC treats operators as liable for what those third parties do with the data if there is no contractual obligation binding them to the same COPPA protections. GDPR Article 28 requires a Data Processing Agreement with any processor that handles EU personal data, including children's. Standard GDPR DPAs often lack COPPA-specific children's data provisions, creating a gap for US child data.
Why this severity: Info because the violation is contractual rather than technical — the data flows already exist, and the question is whether downstream handling is covered — but COPPA §312.8 makes the operator directly liable for third-party non-compliance.

Pattern: coppa-compliance.operator-obligations.third-party-coppa-binding (See full pattern)

Run this audit in your AI coding tool (Claude Code, Cursor, Bolt, etc.) and submit results here for scoring and benchmarks.