COPPA §312.8 and §312.2, as interpreted by the FTC in its 2013 rule update and subsequent enforcement actions (FTC v. Google/YouTube, 2019), treat behavioral advertising to children as a per-se COPPA violation. Behavioral advertising requires tracking user activity over time to build interest profiles — that tracking data is 'personal information' under COPPA, and collecting it from children requires verifiable parental consent that effectively no behavioral ad network obtains. Running AdSense without tfcd=1 on pages accessible to child users, or loading the Facebook Pixel on child sessions, creates direct COPPA exposure for every ad impression served. CCPA §1798.135 adds a separate California prohibition on selling minors' data.
Critical because behavioral ad networks collect personal information from children continuously across sessions by design — each page view from a child session without `tfcd=1` is an independent COPPA §312.8 data collection event.
Suppress behavioral ad networks for child sessions entirely, or configure child-directed flags in every ad call that remains active in child contexts.
// app/components/AdSlot.tsx
export async function AdSlot({ userId }: { userId: string }) {
const user = await db.user.findUnique({
where: { id: userId }, select: { accountType: true }
})
// No ads of any kind for child accounts
if (user?.accountType === 'child') return null
return <GoogleAdSense />
}
// For Google Ad Manager on child-accessible pages:
googletag.pubads().setPrivacySettings({ childDirectedTreatment: true })
For Facebook Pixel, TikTok Pixel, and similar behavioral tracking tags: there is no safe child-directed mode. Remove them from any layout or page component that renders for child sessions — partial suppression is not sufficient.
ID: coppa-compliance.child-data.no-behavioral-ads
Severity: critical
What to look for: Count all relevant instances and enumerate each. COPPA (as amended and interpreted by the FTC) prohibits behavioral advertising — ads targeted based on tracked behavior, interests, or inferred characteristics — directed at children under 13 without verifiable parental consent, and in practice the FTC treats behavioral advertising to children as a per-se COPPA violation. Identify all advertising networks and ad configurations in the codebase. Check for: Google AdSense or DFP/GAM with the child-directed setting (tfcd=1) missing, behavioral targeting configuration (interest_categories, audience lists, remarketing), ad networks known for behavioral targeting (DoubleClick, AppNexus, Criteo, The Trade Desk integrations). If ads are served in a context where children may be viewing them, look for whether the ad call includes coppa=1 or tfcd=1 parameters that restrict the ad server to contextual-only ads. Look at whether ad code is completely suppressed for child accounts versus adult accounts.
Pass criteria: No behavioral or interest-based advertising is served to child users (users under 13 or in contexts where children may be present). If ads are served in child contexts, ad calls include tfcd=1 (tag for child-directed) or coppa=1 parameters that restrict ad serving to non-behavioral, contextual-only ads. Child account sessions do not load behavioral tracking pixels (Facebook Pixel, TikTok Pixel, etc.) that feed interest-based ad targeting.
Fail criteria: Behavioral ad networks operate without any child-directed restriction. Ad calls to Google AdSense, DFP, or other networks lack tfcd=1 or coppa=1 parameters on pages accessible to child users. Remarketing or audience-list tracking pixels fire on sessions belonging to child users.
Skip (N/A) when: The application serves no advertising of any kind.
Detail on fail: Specify the ad network and the missing configuration. Example: "Google AdSense integrated on all pages. No tfcd=1 or coppa=1 parameter set in ad calls. Child user sessions load AdSense without any child-directed restriction, enabling behavioral ad targeting." or "Facebook Pixel fires on all page views including those from child user sessions, feeding Meta's behavioral advertising system.".
Remediation: Disable behavioral ads for child accounts and set child-directed flags in ad network configurations:
// Determine if the current user session is a child account
// app/lib/session.ts
export async function isChildSession(userId: string): Promise<boolean> {
const user = await db.user.findUnique({
where: { id: userId },
select: { accountType: true }
})
return user?.accountType === 'child'
}
// In your page or layout component, suppress or restrict ads for children
// app/components/AdSlot.tsx
export async function AdSlot({ userId }: { userId: string }) {
const isChild = await isChildSession(userId)
if (isChild) {
// Option 1: No ads at all for child users
return null
// Option 2: Contextual-only ads (non-behavioral)
// return <GoogleAdSense tfcd={1} npa={1} />
}
return <GoogleAdSense /> // Full ad experience for adult users
}
For Google Ad Manager / AdSense, add tfcd=1 (tag for child-directed treatment) to all ad requests in child contexts:
// Google Publisher Tag — child-directed setting
googletag.pubads().setPrivacySettings({ childDirectedTreatment: true })
// Google AdSense — child-directed content
// <ins data-ad-client="ca-pub-xxx" data-tag-for-child-directed-treatment="1"></ins>
Remove or suppress behavioral tracking pixels (Facebook Pixel, TikTok Pixel) entirely for child user sessions — there is no safe "child-directed mode" for most of these.