No behavioral advertising targeting minors

Behavioural advertising targeting minors is prohibited under COPPA §312.2, GDPR Art.8, CCPA §1798.120(c), and the UK Children's Code. These are not soft guidelines — they are enforced with fines, app removal, and in the US, FTC consent decrees. Apps that serve interest-based ads to all users without age verification treat every minor as an adult for advertising purposes. The failure is structural: if the ad SDK does not have a 'user may be a minor' code path, and the app does not pass age data to the SDK, behavioural targeting of minors is happening by default for every minor who uses the app.

Add tagForUnderAgeOfConsent to ad requests for users under 16. In Swift:

GADMobileAds.sharedInstance().requestConfiguration.tagForUnderAgeOfConsent = .true

Implement age verification at account creation and pass the verified age to ad SDK configuration — do not rely on self-reported age from a client-side form alone. For apps where users below 13 may be present, serve contextual-only ads to all users, or use COPPA-certified networks exclusively. Behavioural targeting must be opt-in for all adults and off-by-default for any user who may be a minor.

• ID: no-behavioral-ads-minors
• Severity: high
• What to look for: Count all relevant instances and enumerate each. This check applies beyond Kids category apps — any app where minors are likely users. Look for: (a) Age gate presence — if the app has content for mixed audiences, is there an age gate before ad-supported content? (b) Ad SDK targeting configuration — look for interest-based targeting enabled for all users without age filtering. In AdMob, check GADRequest customization: request.keywords, requestConfiguration.tagForUnderAgeOfConsent. (c) Meta Audience Network — check for setIsChildDirected(false) or no child-directed setting at all in apps where minors may be users. (d) Retargeting pixels — look for Facebook pixel, Google tag, or Snap pixel JavaScript in any WebView content that targets minors. (e) Push notification marketing — look for promotional push campaigns (not just transactional) sent without age awareness. For apps that have age-verification at sign-up: verify that the age gate is checked server-side before delivering targeted ads, not just client-side. Flag any ad SDK that does not have a path for "user may be a minor" configuration.
• Pass criteria: Ad SDKs are configured to disable behavioral targeting for users who may be minors. Age gating is server-side validated before targeted ads are served. Kids category apps have no behavioral ads at all.
• Fail criteria: Behavioral ad SDKs active for all users with no age verification or minor-appropriate configuration; Kids category app has interest-based advertising enabled.
• Skip (N/A) when: App has no advertising SDKs and no behavioral tracking.
• Detail on fail: "AdMob initialized with interest-based targeting but app has no age gate — minors may receive behavioral ads" or "tagForUnderAgeOfConsent not set on GADRequest — all users treated as adults for ad targeting"
• Remediation: COPPA, GDPR-K, and the UK's Children's Code all prohibit behavioral advertising targeting minors.
  1. Add tagForUnderAgeOfConsent to all ad requests for users under 16:

     GADMobileAds.sharedInstance().requestConfiguration.tagForUnderAgeOfConsent = .true
     

  2. Implement age verification at account creation and pass age metadata to ad SDK configuration
  3. For apps where users below 13 may be present, serve contextual-only ads (no behavioral targeting) to all users, or use COPPA-certified networks only