COPPA §312.7 prohibits operators from conditioning child participation on disclosing more personal information than is reasonably necessary for the activity. Requiring a child to provide their full name, school affiliation, and grade level to use a feature that only needs a display name is an independent COPPA violation — separate from the consent and age-gate requirements. Over-collection also expands the blast radius of a data breach: every field collected from a child that wasn't necessary is a field that could be exposed and that regulators will cite. GDPR Article 5(1)(c) ('data minimisation') applies the same principle to EU child data.
Medium because over-collection creates independent §312.7 liability and unnecessarily expands the sensitive data footprint for children in every table and analytics system the data reaches.
Audit the child account schema and remove every field not actively used by a product feature. Apply the same audit to analytics event schemas for child sessions.
// BEFORE — child signup collects unnecessary data
type ChildSignupData = {
displayName: string // used
fullName: string // unused — remove
email: string // used
dateOfBirth: string // used
school: string // unused — remove
grade: string // unused — remove
city: string // unused — remove
}
// AFTER — minimal collection for child accounts
type ChildSignupData = {
displayName: string // shown in UI
email: string // parent consent notification
dateOfBirth: string // age verification
}
For analytics, replace individual behavioral event streams for child sessions with aggregate counts. If you need product metrics from child users, prefer server-side counters that don't persist a per-user event log.
ID: coppa-compliance.child-data.data-minimization-children
Severity: medium
What to look for: Count all relevant instances and enumerate each. COPPA requires operators to collect only data that is "reasonably necessary" for the child's participation in the activity. Review all data collection points accessible to child accounts: signup forms, profile pages, settings, in-app forms, and automatic data collection (analytics events, device information, usage logs). For each data point collected in a child session, ask whether it is strictly necessary for the core functionality the child is using. Common over-collection patterns: collecting full name (display name is sufficient), requiring a school affiliation or grade level that serves no product function, collecting device model or OS version beyond what is needed for compatibility, storing granular usage event streams for child accounts when aggregate counts would suffice.
Pass criteria: Data collected for child accounts is limited to what is necessary for the features the child accesses. Child account records contain fewer fields than adult records (or the same fields, each justified). No background data collection occurs in child sessions that is not disclosed and necessary (no device fingerprinting, no behavioral event streams beyond the minimum needed).
Fail criteria: Child account signup form requires fields that are not used in product features (e.g., full name when only a display name is shown, school/grade when no educational feature uses this). Analytics collects the same granular behavioral events for child sessions as for adult sessions. Device fingerprinting or detailed device information is collected for child sessions.
Skip (N/A) when: The application hard-blocks all users under 13 and no child sessions are possible.
Detail on fail: Example: "Child account signup form requires: display name, full name, email, date of birth, school name, grade level, and city. Of these, only display name and email are used in any product feature." or "Analytics event tracking for child sessions includes granular behavioral events (scroll depth, dwell time, element interactions) that are not necessary for the product to function."
Remediation: Audit and strip unnecessary fields from child account flows:
// BEFORE — child signup collects unnecessary data
type ChildSignupData = {
displayName: string // used: yes
fullName: string // used: no — remove
email: string // used: yes (for parent notification)
dateOfBirth: string // used: yes (for age check)
school: string // used: no — remove
grade: string // used: no — remove
city: string // used: no — remove
}
// AFTER — minimal collection for child accounts
type ChildSignupData = {
displayName: string // shown in UI
email: string // for parent consent notification
dateOfBirth: string // to verify age and store on record
}
Review your analytics event schema and strip or suppress events that are not necessary for child sessions. If you need usage metrics for product improvement, aggregate counts are preferable to individual event streams for child users.