COPPA §312.5 and FTC Age Screen Guidance require that the age collection mechanism not encourage children to misrepresent their age. A checkbox labeled 'I am 13 or older' or a birth-year field pre-populated to make the user appear to be an adult are design patterns that coach children to lie. The FTC has cited dark-pattern age gates as evidence of bad faith during enforcement actions, because they transform a nominal compliance mechanism into a channel for knowing data collection from children. This shifts the operator from 'inadvertent' to 'intentional' COPPA violation — a distinction that affects penalty size.
High because a coaching age gate exposes children's data to collection while giving the operator a false appearance of compliance — a pattern regulators treat as deliberate rather than inadvertent.
Replace any instructional copy adjacent to the age input and remove pre-populated year defaults. The neutral form below shows no cutoff age before the user submits.
// NeutralAgeGate.tsx
export function NeutralAgeGate() {
return (
<form>
{/* Do NOT place 'You must be 13 or older' here */}
<label htmlFor="dob">Date of birth</label>
<input
id="dob"
type="date"
// No defaultValue
max={new Date().toISOString().split('T')[0]}
required
aria-describedby="dob-hint"
/>
<p id="dob-hint">Required to personalize your experience.</p>
<button type="submit">Continue</button>
</form>
)
}
If legal counsel requires a minimum-age disclosure, place it in your Terms of Service or Privacy Policy link — not adjacent to the date input.
ID: coppa-compliance.age-determination.age-gate-neutral
Severity: high
What to look for: Count all relevant instances and enumerate each. Before evaluating, extract and quote any relevant configuration or UI text found. Inspect the age gate UI — the component, the copy, and any default or pre-populated values. Does the design implicitly tell children what answer is "correct"? Common COPPA violations from AI-built apps: pre-populating the birth year field with a year that makes the user appear to be 18+, displaying messaging like "You must be 13 or older to continue" immediately above the age input (telegraphing the required answer), using a simple checkbox labeled "I am 13 or older" with no date-of-birth verification (trivially lied about), placing the age input at the bottom of a form that already collected other data (implying the user should already be signed up). Look for whether the form presents the date-of-birth field neutrally — just "Date of birth" — without adjacent copy that reveals the cutoff age.
Pass criteria: The age gate presents a date-of-birth field (or equivalent) without adjacent copy that reveals the required age threshold. No default values pre-populated in the year field. The design does not create an obvious "correct answer" that a child could easily enter to proceed. If a threshold message is necessary (for accessibility or legal disclosure), it appears after submission, not before input. A partial or placeholder implementation does not count as pass. Report the count even on pass.
Fail criteria: The age gate is a checkbox labeled "I am 13 or older" with no date-of-birth verification. The birth year field is pre-populated with a year that makes the user appear to be of legal age. Copy adjacent to the age input clearly states the minimum age threshold, coaching users on what to enter. The form collects all other signup data before asking for age, signaling that the expected path is to have already decided to sign up.
Skip (N/A) when: No age gate exists (in which case the age-gate-present check already fails — mark this check as skip because there is nothing to evaluate for neutrality).
Detail on fail: Specify the design issue. Example: "Age gate is a single checkbox: 'I confirm I am 13 years of age or older.' No date-of-birth collection. Trivially bypassed by checking the box." or "Birth year dropdown pre-populated to current year minus 18, guiding users to enter a date that makes them appear to be an adult." or "Form presents email and password fields first, then asks 'Are you 13 or older?' at the bottom — implying the account is already being created.".
Remediation: Redesign the age gate to be neutral:
// BEFORE — age gate that coaches users to lie
// <p>You must be at least 13 years old to use this service.</p>
// <input type="date" defaultValue="2006-01-01" /> // pre-filled to make user appear 19
// AFTER — neutral age gate
export function NeutralAgeGate() {
return (
<form>
{/* No disclosure of minimum age before input */}
<label htmlFor="dob">Date of birth</label>
<input
id="dob"
type="date"
// No defaultValue — blank field
max={new Date().toISOString().split('T')[0]}
required
aria-describedby="dob-hint"
/>
<p id="dob-hint">Required to personalize your experience.</p>
<button type="submit">Continue</button>
</form>
)
}
If you are required by legal counsel to disclose the minimum age, place the disclosure in the Terms of Service or Privacy Policy link — not adjacent to the age input field itself. Do not pre-populate any year or date value.
Cross-reference: For related patterns and deeper analysis, see the corresponding checks in other AuditBuffet audits covering this domain.