No behavioral or interest-based advertising targeting children

COPPA §312.8 and §312.2, as interpreted by the FTC in its 2013 rule update and subsequent enforcement actions (FTC v. Google/YouTube, 2019), treat behavioral advertising to children as a per-se COPPA violation. Behavioral advertising requires tracking user activity over time to build interest profiles — that tracking data is 'personal information' under COPPA, and collecting it from children requires verifiable parental consent that effectively no behavioral ad network obtains. Running AdSense without tfcd=1 on pages accessible to child users, or loading the Facebook Pixel on child sessions, creates direct COPPA exposure for every ad impression served. CCPA §1798.135 adds a separate California prohibition on selling minors' data.

Suppress behavioral ad networks for child sessions entirely, or configure child-directed flags in every ad call that remains active in child contexts.

// app/components/AdSlot.tsx
export async function AdSlot({ userId }: { userId: string }) {
  const user = await db.user.findUnique({
    where: { id: userId }, select: { accountType: true }
  })

  // No ads of any kind for child accounts
  if (user?.accountType === 'child') return null

  return <GoogleAdSense />
}

// For Google Ad Manager on child-accessible pages:
googletag.pubads().setPrivacySettings({ childDirectedTreatment: true })

For Facebook Pixel, TikTok Pixel, and similar behavioral tracking tags: there is no safe child-directed mode. Remove them from any layout or page component that renders for child sessions — partial suppression is not sufficient.

• ID: no-behavioral-ads

• Severity: critical

• What to look for: Count all relevant instances and enumerate each. COPPA (as amended and interpreted by the FTC) prohibits behavioral advertising — ads targeted based on tracked behavior, interests, or inferred characteristics — directed at children under 13 without verifiable parental consent, and in practice the FTC treats behavioral advertising to children as a per-se COPPA violation. Identify all advertising networks and ad configurations in the codebase. Check for: Google AdSense or DFP/GAM with the child-directed setting (tfcd=1) missing, behavioral targeting configuration (interest_categories, audience lists, remarketing), ad networks known for behavioral targeting (DoubleClick, AppNexus, Criteo, The Trade Desk integrations). If ads are served in a context where children may be viewing them, look for whether the ad call includes coppa=1 or tfcd=1 parameters that restrict the ad server to contextual-only ads. Look at whether ad code is completely suppressed for child accounts versus adult accounts.

• Pass criteria: No behavioral or interest-based advertising is served to child users (users under 13 or in contexts where children may be present). If ads are served in child contexts, ad calls include tfcd=1 (tag for child-directed) or coppa=1 parameters that restrict ad serving to non-behavioral, contextual-only ads. Child account sessions do not load behavioral tracking pixels (Facebook Pixel, TikTok Pixel, etc.) that feed interest-based ad targeting.

• Fail criteria: Behavioral ad networks operate without any child-directed restriction. Ad calls to Google AdSense, DFP, or other networks lack tfcd=1 or coppa=1 parameters on pages accessible to child users. Remarketing or audience-list tracking pixels fire on sessions belonging to child users.

• Skip (N/A) when: The application serves no advertising of any kind.

• Detail on fail: Specify the ad network and the missing configuration. Example: "Google AdSense integrated on all pages. No tfcd=1 or coppa=1 parameter set in ad calls. Child user sessions load AdSense without any child-directed restriction, enabling behavioral ad targeting." or "Facebook Pixel fires on all page views including those from child user sessions, feeding Meta's behavioral advertising system.".

• Remediation: Disable behavioral ads for child accounts and set child-directed flags in ad network configurations:

  // Determine if the current user session is a child account
  // app/lib/session.ts
  export async function isChildSession(userId: string): Promise<boolean> {
    const user = await db.user.findUnique({
      where: { id: userId },
      select: { accountType: true }
    })
    return user?.accountType === 'child'
  }
  
  // In your page or layout component, suppress or restrict ads for children
  // app/components/AdSlot.tsx
  export async function AdSlot({ userId }: { userId: string }) {
    const isChild = await isChildSession(userId)
  
    if (isChild) {
      // Option 1: No ads at all for child users
      return null
  
      // Option 2: Contextual-only ads (non-behavioral)
      // return <GoogleAdSense tfcd={1} npa={1} />
    }
  
    return <GoogleAdSense />  // Full ad experience for adult users
  }
  

  For Google Ad Manager / AdSense, add tfcd=1 (tag for child-directed treatment) to all ad requests in child contexts:

  // Google Publisher Tag — child-directed setting
  googletag.pubads().setPrivacySettings({ childDirectedTreatment: true })
  
  // Google AdSense — child-directed content
  // <ins data-ad-client="ca-pub-xxx" data-tag-for-child-directed-treatment="1"></ins>
  

  Remove or suppress behavioral tracking pixels (Facebook Pixel, TikTok Pixel) entirely for child user sessions — there is no safe "child-directed mode" for most of these.