COPPA §312.2, §312.4, and §312.5 classify making a child's personal information 'publicly available' to other users as a form of disclosure that requires parental consent. A child's display name on a public leaderboard, a public profile page, or direct messages readable by other users all fall within this definition. AI-built apps frequently expose child accounts to the same social feature set as adult accounts because the permission model was never explicitly scoped by account type. The result is that child display names, avatars, and posts become searchable and visible to arbitrary users — and each such exposure is an unconsented disclosure under §312.5.
Low, because social feature access by itself is a disclosure violation rather than direct data exfiltration; each public profile view or message exchange nonetheless constitutes an independent unconsented COPPA disclosure.
Restrict social feature endpoints to adult account types and make child profile pages private by default.
If you want to enable social features for child accounts, the parental consent notice must specifically disclose that the child's information will be visible to other users, and the parent must consent to that disclosure.
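As an added example that is not part of the original rule or its snippets, the following framework-agnostic TypeScript policy implements both pass paths described here and in the pass criteria below: child accounts are denied social features unless a parental consent record from the linked parent specifically names that disclosure, and child profiles are hidden from everyone except the child and that parent, whether or not the viewer is signed in. The `User` and `ParentalConsent` shapes, the `parentId` and `consent` fields, and the sample accounts are assumptions constructed for the example.

```typescript
// Added example: account-type and consent gating for social features.
// Framework-free so it can sit behind any route handler; all types and
// sample data below are constructed for this example.

export type AccountType = 'adult' | 'child'
export type SocialFeature = 'messaging' | 'publicProfile' | 'posting' | 'leaderboard'

// Assumed shape of a stored consent record: which parent granted it and
// which social disclosures the consent notice specifically listed.
export interface ParentalConsent {
  grantedBy: string
  socialDisclosures: SocialFeature[]
}

export interface User {
  id: string
  accountType: AccountType
  parentId?: string          // assumed: links a child account to its parent
  consent?: ParentalConsent  // assumed: present only once a parent has consented
}

export type Decision = { allowed: true } | { allowed: false; reason: string }

// May `actor` use `feature` (send a DM, publish a post, appear on a leaderboard)?
// Adults are unrestricted. Children need consent from their linked parent that
// names this specific disclosure (pass path 2); with no consent record at all
// every social feature is disabled (pass path 1).
export function canUseSocialFeature(actor: User, feature: SocialFeature): Decision {
  if (actor.accountType !== 'child') return { allowed: true }
  const consent = actor.consent
  if (!consent) return { allowed: false, reason: `no parental consent on file for ${feature}` }
  if (consent.grantedBy !== actor.parentId) {
    return { allowed: false, reason: 'consent was not granted by the linked parent' }
  }
  if (!consent.socialDisclosures.includes(feature)) {
    return { allowed: false, reason: `parental consent does not cover ${feature}` }
  }
  return { allowed: true }
}

// May `viewer` (undefined when unauthenticated) see `profile`? Any account other
// than the child and the linked parent is "another user" under §312.2, so being
// signed in is not sufficient on its own.
export function canViewProfile(viewer: User | undefined, profile: User): Decision {
  if (profile.accountType !== 'child') return { allowed: true }
  if (viewer?.id === profile.id) return { allowed: true }
  if (viewer !== undefined && viewer.id === profile.parentId) return { allowed: true }
  return canUseSocialFeature(profile, 'publicProfile')
}

// HTTP status a route handler would return for a social-feature request.
export function socialRouteStatus(actor: User | undefined, feature: SocialFeature): number {
  if (!actor) return 401
  return canUseSocialFeature(actor, feature).allowed ? 200 : 403
}

// Constructed sample accounts.
export const parent: User = { id: 'p1', accountType: 'adult' }
export const stranger: User = { id: 'a9', accountType: 'adult' }
export const childNoConsent: User = { id: 'c1', accountType: 'child', parentId: 'p1' }
export const childConsented: User = {
  id: 'c2', accountType: 'child', parentId: 'p1',
  consent: { grantedBy: 'p1', socialDisclosures: ['leaderboard'] },
}
// Consent record claimed by an account that is not the linked parent.
export const childBadConsent: User = {
  id: 'c3', accountType: 'child', parentId: 'p1',
  consent: { grantedBy: 'a9', socialDisclosures: ['messaging', 'publicProfile'] },
}

const samples: Array<[string, User]> = [
  ['parent', parent], ['childNoConsent', childNoConsent], ['childConsented', childConsented],
]
for (const [who, u] of samples) {
  console.log(who, 'messaging ->', socialRouteStatus(u, 'messaging'),
    'leaderboard ->', socialRouteStatus(u, 'leaderboard'))
}
```

The consent check deliberately compares `grantedBy` against the child's `parentId` rather than trusting any consent row that happens to be attached to the account, so a consent record written by a non-parent (or a stale link) does not unlock the feature; and `canViewProfile` treats a consent covering only the leaderboard as insufficient for a public profile, matching the requirement that the parent consent to each disclosure specifically.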
ID: coppa-compliance.child-data.no-social-features-unconsented
Severity: low
What to look for: Count all relevant instances and enumerate each. Identify social and community features in the application: user-to-user messaging (direct messages, chat), public profiles visible to other users, friend or follower relationships, content sharing or posting (posts, comments, uploads visible to others), leaderboards with real user identifiers. Under COPPA, making a child's personal information "publicly available" is itself a form of disclosure that requires parental consent. This includes a child's username on a public leaderboard, a public profile page with a child's display name, or a child's messages readable by other users. Check whether these features are gated by account type. Look for whether child accounts are restricted from social features entirely, or whether social features are available to child accounts after parental consent includes disclosure of social data sharing.
Pass criteria: Social features (messaging, public profiles, user-generated content visible to others) are either (1) disabled for child accounts entirely, or (2) enabled only when the parental consent notice disclosed that the child's information would be made available to other users and the parent consented to that specifically. At least 1 implementation must be verified.
Fail criteria: Child accounts have access to the same social features as adult accounts with no restriction. Public profile pages exist for child accounts that expose display name or other information to unauthenticated visitors. Child accounts can send or receive direct messages from other users without parental consent covering social features.
Skip (N/A) when: The application has no social or community features whatsoever — no user profiles, no messaging, no public content.
Detail on fail: Example: "Child accounts have fully functional user profiles that are publicly accessible without authentication, displaying the child's display name and avatar." or "Direct messaging feature available to all account types including child accounts. No restriction or parental consent required to access this social feature."
Remediation: Restrict social feature access for child accounts:
// app/api/messages/route.ts — block messaging for child accounts
import { getServerSession } from 'next-auth'   // session helper the snippet relies on
import { db } from '@/lib/db'                   // Prisma client; import path is an assumption

export async function POST(req: Request) {
  const session = await getServerSession()
  // Reject unauthenticated callers before the lookup; otherwise an undefined
  // id would be passed to findUnique.
  if (!session?.user?.id) {
    return Response.json({ error: 'Authentication required.' }, { status: 401 })
  }
  const user = await db.user.findUnique({ where: { id: session.user.id } })
  if (!user) {
    return Response.json({ error: 'Unknown user.' }, { status: 403 })
  }
  if (user.accountType === 'child') {
    return Response.json(
      { error: 'Messaging is not available for child accounts.' },
      { status: 403 }
    )
  }
  // ... message creation for adult accounts
}

// app/profile/[userId]/page.tsx — make child profiles private
import { notFound } from 'next/navigation'
import { getServerSession } from 'next-auth'
import { db } from '@/lib/db'                         // import path is an assumption
import ProfileView from '@/components/ProfileView'    // import path is an assumption

export default async function ProfilePage({ params }: { params: { userId: string } }) {
  const profile = await db.user.findUnique({ where: { id: params.userId } })
  if (!profile) notFound()
  if (profile.accountType === 'child') {
    // Require authentication AND a parent relationship to view child profiles.
    // Any other signed-in user is still "another user" for COPPA purposes, so a
    // bare session check is not enough. `parentId` is assumed to link a child
    // account to its parent.
    const session = await getServerSession()
    const viewerId = session?.user?.id
    const isSelf = viewerId !== undefined && viewerId === profile.id
    const isParent = viewerId !== undefined && viewerId === profile.parentId
    if (!isSelf && !isParent) return <div>This profile is private.</div>
  }
  return <ProfileView profile={profile} />
}