COPPA §312.8 and §312.2 hold operators responsible for third-party misuse of children's data when the operator 'discloses' that data to the third party. Sending a child's email address to SendGrid, a child's session data to Sentry, or a child's page views to Google Analytics constitutes disclosure — and the FTC treats operators as liable for what those third parties do with the data if there is no contractual obligation binding them to the same COPPA protections. GDPR Article 28 requires a Data Processing Agreement with any processor that handles EU personal data, including children's. Standard GDPR DPAs often lack COPPA-specific children's data provisions, creating a gap for US child data.
Severity is info because the violation is contractual rather than technical — the data flows already exist, and the question is whether downstream handling is covered — but COPPA §312.8 makes the operator directly liable for third-party non-compliance.
Audit every third-party service that receives data from child sessions and take one of three actions: bind them to COPPA terms, configure their COPPA-compliant mode, or exclude child sessions from their data collection entirely.
Third-party COPPA checklist:
Google Analytics
- Action: Set tfcd=1 or exclude child sessions entirely
- Config: googletag.pubads().setPrivacySettings({ childDirectedTreatment: true })
Sentry (error tracking)
- Action: Configure data scrubbing to exclude PII from child sessions
- Docs: docs.sentry.io/data-management/sensitive-data
SendGrid / Resend / Postmark
- Action: Verify DPA covers use with children's data; restrict to transactional emails to parent addresses only
Supabase / Vercel / AWS
- Action: Standard DPAs generally cover COPPA — verify the current DPA explicitly for COPPA or CIPA references
Auth0 / Clerk / Supabase Auth
- Action: Confirm vendor does not use children's auth data for their own product analytics
Add to any vendor agreement where child data may flow: 'Vendor shall not use personal information of users under 13 for any purpose other than providing the contracted service, and shall not share such information with third parties.'
ID: coppa-compliance.operator-obligations.third-party-coppa-binding
Severity: info
What to look for: Count all relevant instances and enumerate each. If the application shares children's data with any third-party services (analytics, CDN, email provider, authentication provider, error tracking), check whether those third parties are contractually bound to the same COPPA protections. COPPA holds operators responsible for third-party misuse of children's data when the operator "discloses" the data to the third party. Look for Data Processing Agreements (DPAs) or service agreements with third-party vendors that include COPPA-specific terms. Check the terms of service or DPA for each vendor that could receive child data. Some vendors (like Google Analytics) offer COPPA-compatible modes — verify these are configured. Look for any third-party vendor whose standard terms explicitly prohibit use with data from children under 13.
Pass criteria: Each third-party service that could receive personal information from child users either (1) is bound by a DPA or contractual clause committing them to COPPA-equivalent data protections, or (2) is configured in a COPPA-compliant mode (e.g., Google Analytics with child-directed content flag) that prevents collection of behavioral data from children, or (3) does not receive child data (child sessions are routed away from third-party data collection entirely).
Fail criteria: Third-party services that receive child data (analytics, email providers, CDN logs with IP addresses) are not bound by any COPPA-specific contractual obligations. Standard DPAs exist but do not include COPPA terms.
Skip (N/A) when: The application hard-blocks all users under 13 and no child sessions exist. Or the application uses no third-party services that receive any user data.
Detail on fail: Example: "Google Analytics, Sentry error tracking, and SendGrid transactional email all receive data from child user sessions. Standard DPAs are in place for GDPR, but none include COPPA-specific terms or commitments regarding children's data."
Remediation: Review each third-party vendor's COPPA stance and take appropriate action:
Third-party COPPA checklist:
Google Analytics
- Action: Set tfcd=1 (child-directed) or exclude child sessions entirely
- Google's COPPA terms: google.com/policies/privacy/frameworks
SendGrid / Resend / Postmark (email)
- Action: Verify DPA covers use with children's data or restrict child data in emails
- Limit: Only send transactional emails (not marketing) to parent addresses for child accounts
Sentry (error tracking)
- Action: Configure Sentry to scrub or not capture personal data from child sessions
- Sentry data scrubbing: docs.sentry.io/data-management/sensitive-data
Supabase / AWS / Vercel (infrastructure)
- Action: Standard DPAs generally cover COPPA as a matter of US law compliance
- Verify: Check current DPA for COPPA or CIPA references
Auth providers (Clerk, Auth0, Supabase Auth)
- Action: Verify vendor does not use children's auth data for their own analytics
- Clerk COPPA: clerk.com/legal (verify current terms)
Add a clause to any vendor agreement where children's data may flow: "Vendor agrees not to use personal information of users under 13 for any purpose other than providing the contracted service, and shall not share such information with third parties."
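The technical half of pass criteria (2) and (3) above, as an added JavaScript example that is not part of the original checklist or any vendor's SDK: it loads Google Analytics only for non-child sessions, sets the GPT child-directed flag from the checklist, and installs a Sentry-style beforeSend hook that scrubs identifiers from child-session events. The isChildSession flag, the injected sdks object, and the sample event are assumptions.

```javascript
// Added example (assumed names: isChildSession, sdks, sample event).
// Per-session gate deciding which third-party SDKs load and how they are configured.

const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/g;

// Pass criterion (3): route child sessions away from third-party collection.
function thirdPartyPolicy(isChildSession) {
  return {
    loadAnalytics: !isChildSession,   // never load GA for a child session
    childDirected: isChildSession,    // drives GPT childDirectedTreatment
  };
}

// Pass criterion (2): a Sentry-style beforeSend hook. Adult events pass through
// unchanged; child events lose user identity and request headers/cookies, and
// email-like strings in extra fields and breadcrumbs are redacted.
function scrubForChild(event, isChildSession) {
  if (!isChildSession) return event;
  const redact = (s) => (typeof s === 'string' ? s.replace(EMAIL_RE, '[redacted]') : s);
  const { user, request = {}, extra = {}, breadcrumbs = [], ...rest } = event; // user dropped
  return {
    ...rest,
    request: { url: redact(request.url) },   // keep the URL, drop headers and cookies
    extra: Object.fromEntries(Object.entries(extra).map(([k, v]) => [k, redact(v)])),
    breadcrumbs: breadcrumbs.map((b) => ({ ...b, message: redact(b.message) })),
  };
}

// Wire the policy into injected SDK handles (so it runs without the real SDKs).
// Returns the list of actions taken, in order, for auditing.
function applyPolicy(policy, sdks) {
  const actions = [];
  if (policy.loadAnalytics) { sdks.loadGoogleAnalytics(); actions.push('ga'); }
  if (policy.childDirected && sdks.googletag) {
    sdks.googletag.pubads().setPrivacySettings({ childDirectedTreatment: true });
    actions.push('gpt-child-directed');
  }
  sdks.initSentry({ beforeSend: (e) => scrubForChild(e, policy.childDirected) });
  actions.push('sentry');
  return actions;
}
```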