COPPA (16 CFR §312.5) prohibits collecting personal information from children under 13 without verifiable parental consent. FTC civil penalties for COPPA violations run to $50,120 per violation (the 2023 inflation-adjusted figure; the amount is raised annually), and because penalties are assessed per violation, a persistent identifier collected on every launch of a widely installed app multiplies the exposure quickly. GDPR Art. 8 (often called GDPR-K) sets the default age of digital consent at 16 and lets member states lower it to no less than 13. Apple can remove an app that breaks Kids category policy from the App Store outright, and reinstatement is not guaranteed. Initialising Firebase Analytics or a behavioural ad SDK in a Kids category app without child-safe configuration is a textbook COPPA violation: it is not a configuration oversight, it is unlawful data collection repeated on every launch.
Rated high because COPPA violations carry FTC civil penalties assessed per violation and can result in removal from the App Store, not just rejection at review.
Disable all behavioural analytics and advertising in Kids apps. Do not merely configure them in child-directed mode; remove or disable them entirely unless the SDK is approved for child-directed apps and your configuration has been reviewed under an FTC-approved COPPA Safe Harbor program or by counsel. With Firebase, turn collection off before the SDK starts (FIREBASE_ANALYTICS_COLLECTION_DEACTIVATED set to YES in Info.plist, or firebase_analytics_collection_deactivated set to true in AndroidManifest.xml) and disable it again at runtime:
// Firebase (Swift): disable analytics for Kids apps
import FirebaseAnalytics
Analytics.setAnalyticsCollectionEnabled(false)
The runtime call alone leaves a window between FirebaseApp.configure() and your call in which the SDK has already started collecting (first_open and the app-instance identifier); the plist or manifest key is what closes that window.
For any data collection, implement verifiable parental consent, not an 'are you a parent?' checkbox. Apple's parental gate (an age-appropriate challenge in front of purchases and external links) is a Kids category store requirement, not verifiable parental consent under COPPA; you need both. Remove all social features that let children communicate with unknown users. Use only ad networks approved for child-directed apps (for example, SDKs on Google Play's Families self-certified ads SDK list such as SuperAwesome and Kidoz), and configure them for child-directed treatment. Consult legal counsel before launching a Kids category app; the compliance requirements are specific and the penalties are severe.
ID: app-store-privacy-data.children-sensitive.kids-category-coppa-gdpr
Severity: high
What to look for: Count all relevant instances and enumerate each. If the app is in a Kids category (detected in Stack Detection), apply heightened scrutiny. COPPA (US) prohibits collecting personal information from children under 13 without verifiable parental consent; GDPR-K (EU) applies the same requirement below the member state's age of digital consent (13 to 16 depending on the state). Check: (a) No analytics SDKs collecting persistent identifiers. Look for Firebase Analytics, Amplitude, Mixpanel, Segment, or similar initialized without child-safe configuration. Firebase can be disabled at runtime with setAnalyticsCollectionEnabled(false) and before start-up with the FIREBASE_ANALYTICS_COLLECTION_DEACTIVATED Info.plist key (firebase_analytics_collection_deactivated in AndroidManifest.xml); only the latter prevents collection during FirebaseApp.configure(). If analytics is needed at all, it must run with setConsent() denying ad storage, ad user data and ad personalization. (b) No behavioral advertising. Any ad SDK must be configured with tagForChildDirectedTreatment = true (plus maxAdContentRating = G and, for EU users, tagForUnderAgeOfConsent = true in Google Mobile Ads) AND the ad network must be approved for child-directed apps. (c) No collection of name, email, location, or device identifiers from children. Search for data collection APIs (auth flows, profile creation, contact imports) that would operate without parental consent, and for reads of the advertising identifier (ASIdentifierManager.advertisingIdentifier on iOS, AdvertisingIdClient on Android). (d) No social features. Kids apps may not have public chat, user-generated content visible to others, or social networking unless the social features are designed for and controlled by parents. (e) No in-app purchases without parental controls. Look for IAP flows and whether they sit behind a parental gate. Check if SKPaymentQueue or StoreKit 2 Product.purchase() (iOS) or BillingClient (Android) is used and whether there is a parental authorization step before it.
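Checks (a), (b), (c) and (e) as a small pattern scanner, added here as an example (it is not part of the original check and not any scanner's real implementation). Both embedded projects are constructed, the regexes are assumptions tuned to the documented Firebase Analytics, Google Mobile Ads, StoreKit and Play Billing identifiers, and the parental-gate naming convention is assumed. The compliant sample doubles as a sketch of the hardened configuration: collection deactivated in Info.plist, child-directed ad requests, and the purchase call behind a gate.

```python
"""Pattern checks for Kids-category apps, covering items (a), (b), (c) and (e).

Added example, not the page's own check and not any vendor's scanner. The two
projects below are constructed; the regexes are assumptions tuned to documented
Firebase Analytics, Google Mobile Ads, StoreKit and Play Billing identifiers.
A real scanner would confirm each hit against the parsed AST, not just text.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str   # "a" analytics, "b" ads, "c" device identifiers, "e" IAP
    path: str
    line: int
    message: str


# Call sites that create exposure; each unmitigated hit is a finding.
FIREBASE_INIT = re.compile(r"FirebaseApp\.(configure|initializeApp)\(")
AD_SDK_INIT = re.compile(r"GADMobileAds\.sharedInstance\(\)\.start|MobileAds\.initialize\(")
AD_ID_READ = re.compile(r"advertisingIdentifier|AdvertisingIdClient")
IAP_CALL = re.compile(r"\bSKPaymentQueue\b|\bBillingClient\b|\bProduct\.purchase\(")

# Mitigations are accepted from anywhere in the project (code, Info.plist, manifest).
ANALYTICS_OFF = re.compile(
    r"setAnalyticsCollectionEnabled\(\s*false\s*\)"
    r"|FIREBASE_ANALYTICS_COLLECTION_DEACTIVATED</key>\s*<true\s*/>"
    r'|firebase_analytics_collection_deactivated"\s+android:value="true"'
)
CHILD_DIRECTED = re.compile(
    r"tagForChildDirectedTreatment\s*=\s*true|TAG_FOR_CHILD_DIRECTED_TREATMENT_TRUE"
)
PARENTAL_GATE = re.compile(r"parental_?gate", re.IGNORECASE)  # assumed naming convention


def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def scan_project(files: dict[str, str]) -> list[Finding]:
    """Scan {path: source} and return one Finding per unmitigated call site."""
    corpus = "\n".join(files.values())
    rules = [
        ("a", FIREBASE_INIT, ANALYTICS_OFF.search(corpus) is not None,
         "Firebase initialised without setAnalyticsCollectionEnabled(false) "
         "or FIREBASE_ANALYTICS_COLLECTION_DEACTIVATED"),
        ("b", AD_SDK_INIT, CHILD_DIRECTED.search(corpus) is not None,
         "ad SDK started without tagForChildDirectedTreatment = true"),
        ("c", AD_ID_READ, False,  # reading the ad identifier is never acceptable here
         "advertising identifier read in a Kids app (persistent identifier)"),
        ("e", IAP_CALL, PARENTAL_GATE.search(corpus) is not None,
         "purchase flow with no parental gate anywhere in the project"),
    ]
    findings: list[Finding] = []
    for path, text in files.items():
        for check, pattern, mitigated, message in rules:
            if mitigated:
                continue
            for m in pattern.finditer(text):
                findings.append(Finding(check, path, _line_of(text, m.start()), message))
    return findings


VULNERABLE_PROJECT = {  # constructed: the textbook failing Kids app
    "AppDelegate.swift": """import FirebaseCore
import GoogleMobileAds
import AdSupport
import StoreKit

func launch() {
    FirebaseApp.configure()
    GADMobileAds.sharedInstance().start(completionHandler: nil)
    let idfa = ASIdentifierManager.shared().advertisingIdentifier
}
func buy(_ product: SKProduct) {
    SKPaymentQueue.default().add(SKPayment(product: product))
}
""",
}

COMPLIANT_PROJECT = {  # constructed: collection off before start-up, child-directed ads, gated IAP
    "Info.plist": "<key>FIREBASE_ANALYTICS_COLLECTION_DEACTIVATED</key>\n<true/>\n",
    "AppDelegate.swift": """import FirebaseCore
import FirebaseAnalytics
import GoogleMobileAds
import StoreKit

func launch() {
    FirebaseApp.configure()
    Analytics.setAnalyticsCollectionEnabled(false)
    let cfg = GADMobileAds.sharedInstance().requestConfiguration
    cfg.tagForChildDirectedTreatment = true
    cfg.maxAdContentRating = .general
    GADMobileAds.sharedInstance().start(completionHandler: nil)
}
func buy(_ product: SKProduct) {
    presentParentalGate { SKPaymentQueue.default().add(SKPayment(product: product)) }
}
""",
}
```

Running scan_project(VULNERABLE_PROJECT) yields one finding per check at the Firebase, ad SDK, IDFA and SKPaymentQueue lines; the compliant project yields none. Mitigations are matched project-wide on purpose: the plist key lives in a different file from the call site, and a scanner that only looks at the file containing FirebaseApp.configure() would report a false positive.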
Pass criteria: Kids category app complies with COPPA/GDPR-K: no personal data collection without parental consent, no behavioral ads, analytics is child-safe or disabled, no unauthorized social features.
Fail criteria: Kids category app has a behavioral ad SDK without child-directed treatment; collects name/email/location/device identifiers from children without a verifiable parental consent flow; has public social features without parental controls.
Skip (N/A) when: App is not in a Kids category and no COPPA/GDPR-K signals detected.
Detail on fail: "App is in Kids category (detected via app.json ageRating: '4+') but Firebase Analytics is initialized without setAnalyticsCollectionEnabled(false) or the FIREBASE_ANALYTICS_COLLECTION_DEACTIVATED key; COPPA prohibits persistent identifier collection from children" or "Kids app has a direct messaging feature with no parental consent or control mechanism; this violates Apple Kids category policy"
Remediation: COPPA violations carry FTC civil penalties of up to $50,120 per violation (2023 figure, adjusted annually). Apple can remove apps that violate Kids category policies from the App Store, and reinstatement is not guaranteed.
Review the configuration in the src/ or app/ directory for implementation patterns.