Parental controls or consent flow for mixed-audience apps
Why it matters
Mixed-audience apps — educational apps, family apps, messaging platforms rated E for Everyone — carry COPPA and GDPR Art.8 obligations for their minor users even when the app is not in the Kids category. Without parental controls, a child's account is functionally identical to an adult's: they can access the same data collection, make the same purchases, and interact with the same social features. Parental control mechanisms are also a market differentiator: parents choose apps that give them oversight, and their absence is a reason to avoid an app for family use.
Severity rationale
Info because the absence of parental controls is a risk signal and market gap rather than an active violation — the hard compliance requirements are covered by the COPPA/GDPR-K check.
Remediation
For family or educational apps, add a parental PIN to gate settings, purchases, and content category changes. Integrate Screen Time API (iOS) or Digital Wellbeing API (Android) for usage limits:
import FamilyControls
import DeviceActivity

// Request Family Controls authorisation for the signed-in (individual) user.
// On iOS 16+ the API is async/throwing; the older closure-based
// requestAuthorization(completion:) is deprecated and takes no member argument.
Task {
    do {
        try await AuthorizationCenter.shared.requestAuthorization(for: .individual)
        // Authorised: DeviceActivity schedules and Screen Time limits can now be configured
    } catch {
        // Guardian declined or the request failed: keep child-safe defaults and surface the error
        print("Family Controls authorisation failed: \(error)")
    }
}
Consider implementing a distinct 'child profile' vs. 'parent account' model — store isChildProfile: boolean server-side and use it to gate data collection, social features, and purchasing flows. Apple's 'Sign in with Apple' family sharing features can bootstrap this for iOS-first apps.
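The following is an added example, not code from the original page, of the server-side side of that model: a child profile carries a server-stored is_child_profile flag and a reference to its guardian account, consent-gated features (analytics, social messaging) open only once guardian consent is recorded, and PIN-gated flows (purchases, settings, content category) require the guardian's PIN at the moment of use. The PIN is stored as a salted PBKDF2 hash with attempt counting and a lockout. The class and feature names (Account, is_allowed, the CONSENT_GATED and PIN_GATED sets) are assumptions for this example, and the PIN value is constructed.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional, Tuple

PBKDF2_ROUNDS = 100_000
MAX_PIN_ATTEMPTS = 5        # failed guardian PIN entries before a temporary lockout
LOCKOUT_SECONDS = 300


def hash_pin(pin: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 over the PIN; only the salt and digest are ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    user_id: str
    is_child_profile: bool                    # stored server-side, never trusted from the client
    guardian: Optional["Account"] = None      # parent account that owns a child profile
    parental_consent_given: bool = False      # verifiable guardian consent recorded for this child
    pin_salt: Optional[bytes] = None          # guardian PIN material (set on the parent account)
    pin_hash: Optional[bytes] = None
    failed_pin_attempts: int = 0
    locked_until: float = 0.0

    def set_guardian_pin(self, pin: str) -> None:
        self.pin_salt, self.pin_hash = hash_pin(pin)

    def verify_guardian_pin(self, pin: str, now: Optional[float] = None) -> bool:
        """Constant-time PIN comparison with attempt counting and lockout."""
        now = time.time() if now is None else now
        if self.pin_hash is None or now < self.locked_until:
            return False
        _, candidate = hash_pin(pin, self.pin_salt)
        if hmac.compare_digest(candidate, self.pin_hash):
            self.failed_pin_attempts = 0
            return True
        self.failed_pin_attempts += 1
        if self.failed_pin_attempts >= MAX_PIN_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failed_pin_attempts = 0
        return False


# Features a child profile gets only once guardian consent is on file ...
CONSENT_GATED = {"analytics_collection", "social_messaging", "public_profile"}
# ... and flows that additionally require the guardian PIN at the moment of use.
PIN_GATED = {"purchase", "change_settings", "change_content_category"}


def is_allowed(account: Account, feature: str, pin: Optional[str] = None) -> bool:
    """Server-side gate: decide whether `feature` is available to `account` right now."""
    if not account.is_child_profile:
        return True                                  # adult accounts are unrestricted
    if feature in PIN_GATED:
        guardian = account.guardian
        return guardian is not None and pin is not None and guardian.verify_guardian_pin(pin)
    if feature in CONSENT_GATED:
        return account.parental_consent_given
    return True                                      # ordinary content, e.g. reading a lesson


if __name__ == "__main__":
    parent = Account("parent-1", is_child_profile=False)
    parent.set_guardian_pin("4821")                  # constructed sample PIN
    child = Account("child-1", is_child_profile=True, guardian=parent)
    print("child purchase without PIN:", is_allowed(child, "purchase"))          # False
    print("child purchase with PIN:   ", is_allowed(child, "purchase", "4821"))  # True
    print("child messaging, no consent:", is_allowed(child, "social_messaging"))  # False
```

The gate lives on the server because the is_child_profile flag must not be something the client can clear; a child profile with no guardian linked can never pass a PIN-gated flow, and a run of wrong PINs locks the guardian PIN for a few minutes rather than letting a child guess it.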
Detection
- ID: parental-controls-mixed-audiences
- Severity: info
- What to look for: Count all relevant instances and enumerate each. For apps that are not Kids category but may have minor users (educational apps, family apps, messaging apps with no age restriction, games rated E for Everyone), look for parental control features or consent mechanisms: a "Family Sharing" or "Parental Controls" section in settings; a parental PIN or passcode gate for settings changes or purchases; "Managed Apple ID" or "Google Family Link" integration; a parentalConsentGiven or guardianApproved field in the user model; a separate "parent account" vs. "child account" distinction. Also look for any Apple Screen Time or Android Digital Wellbeing integration APIs. This is informational — note presence or absence without failing.
- Pass criteria: App has parental control mechanisms appropriate for a mixed-age audience; or no mixed-audience signals detected.
- Fail criteria: Not applicable — this is an info check. Result is pass, info (recorded as pass with detail), or skip.
- Skip (N/A) when: App is clearly adult-only (age rating 17+, strong content restrictions, no family features); or app is in the Kids category (covered by the COPPA check instead).
- Detail on fail: Not applicable — info check. Use detail: "Educational app with no age restriction has no parental controls or consent mechanisms — consider adding Screen Time API integration or a guardian consent flow for users under 13" or "Family app with child profiles has no parental PIN — children can access settings and purchase flows without guardian oversight"
- Remediation: Adding parental controls differentiates your app and reduces regulatory risk.
  - Integrate Screen Time API (iOS) or Digital Wellbeing API (Android) for usage limits
  - Add a parental PIN to gate settings, purchases, and content category changes
  - Consider implementing Apple's "Sign in with Apple" family sharing features for family apps
  Review the configuration in the src/ or app/ directory for implementation patterns.
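As an added example, not part of the original check definition, the following implements the detection logic above over an in-memory set of source files: it enumerates every parental-control signal with its file and line, applies the skip rules (Kids category, adult-only app), and returns pass, info or skip with a detail string. The file contents are constructed, the pattern names are this example's own labels for the signals the check lists, and the AppMeta field has_age_gate stands in for "strong content restrictions" as an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Signals the check lists as evidence of parental controls or consent flows.
PARENTAL_CONTROL_PATTERNS = {
    "FamilyControls framework (Screen Time)": re.compile(r"\bimport\s+FamilyControls\b"),
    "DeviceActivity framework (Screen Time)": re.compile(r"\bimport\s+DeviceActivity\b"),
    "Google Family Link integration": re.compile(r"Family\s*Link", re.IGNORECASE),
    "Managed Apple ID integration": re.compile(r"Managed\s+Apple\s+ID", re.IGNORECASE),
    "consent field in user model": re.compile(r"\b(parentalConsentGiven|guardianApproved)\b"),
    "parental PIN / passcode gate": re.compile(r"parental[_\s]?(pin|passcode)", re.IGNORECASE),
    "Parental Controls / Family Sharing settings": re.compile(r"Parental Controls|Family Sharing", re.IGNORECASE),
    "child vs parent account model": re.compile(r"\b(isChildProfile|childAccount|parentAccount)\b"),
}


@dataclass
class AppMeta:
    age_rating: str      # store age rating, e.g. "E", "12+", "17+"
    category: str        # store category, e.g. "Education", "Kids", "Games"
    has_age_gate: bool   # assumption: sign-up restricted to adults (strong content restriction)


@dataclass
class CheckResult:
    status: str          # "pass", "info" or "skip"
    detail: str
    findings: List[str]  # one entry per enumerated instance


def find_parental_control_signals(sources: Dict[str, str]) -> List[str]:
    """Enumerate every (file, line, signal) instance, as the check requires."""
    findings = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, pattern in PARENTAL_CONTROL_PATTERNS.items():
                if pattern.search(line):
                    findings.append(f"{path}:{lineno}: {name}")
    return findings


def evaluate(meta: AppMeta, sources: Dict[str, str]) -> CheckResult:
    """Apply the skip rules first, then report presence (pass) or absence (info)."""
    if meta.category.lower() == "kids":
        return CheckResult("skip", "Kids category: covered by the COPPA check instead", [])
    if meta.age_rating == "17+" or meta.has_age_gate:
        return CheckResult("skip", "Adult-only app: no mixed-audience signals", [])
    findings = find_parental_control_signals(sources)
    if findings:
        return CheckResult("pass", f"{len(findings)} parental-control signal(s) found", findings)
    return CheckResult(
        "info",
        f"{meta.category} app rated {meta.age_rating} has no parental controls or consent "
        "mechanisms; consider a parental PIN, a guardian consent flow, or Screen Time / "
        "Digital Wellbeing integration",
        [],
    )


# Constructed sample sources: an iOS Screen Time gate plus a server-side user model.
SAMPLE_SOURCES = {
    "Sources/FamilyGate.swift": (
        "import FamilyControls\n"
        "import DeviceActivity\n"
        "// parental PIN gate for the settings screen\n"
    ),
    "server/models/user.py": (
        "class User:\n"
        "    isChildProfile: bool = False\n"
        "    parentalConsentGiven: bool = False\n"
    ),
}


if __name__ == "__main__":
    result = evaluate(AppMeta("E", "Education", False), SAMPLE_SOURCES)
    print(result.status, "-", result.detail)
    for finding in result.findings:
        print("  ", finding)
```

Because the check is informational, an app with no signals comes back as "info" with the suggested detail text rather than as a failure; only the Kids-category and adult-only rules produce "skip".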
External references
- coppa · §312.5 — Parental consent required for collection from children under 13 in mixed-audience apps
- gdpr · Art.8 — Conditions applicable to child's consent in relation to information society services
- ccpa · §1798.120(c) — Minors under 16 require opt-in consent for sale of personal information
Taxons
History
- 2026-04-18·v1.0.0·Initial import from app-store-privacy-data·automated