COPPA §312.5 prohibits collecting personal information from children under 13 without verifiable parental consent — violations carry civil penalties up to $51,744 per child per violation. GDPR Art. 8 sets the age of digital consent at 16 (or 13 in member states that lower it), and requires parental authorization below that threshold. General-purpose tools, educational apps, and games are high-risk categories because children are a foreseeable audience even when not explicitly targeted. A missing age gate means every under-13 signup is a distinct legal violation, and the regulator does not need to prove harm — the unauthorized collection is the violation.
Severity is medium because the risk is conditional on the application's audience; when it is triggered, each underage user processed without parental consent is a distinct statutory violation carrying per-child civil penalties.
For adult-only services, add an explicit age gate at signup and document in the privacy policy that the service is not intended for users under 13 (or 16 for GDPR jurisdictions).
// In your signup form — adult-only gate
<label className="flex items-center gap-2">
<input type="checkbox" required name="ageConfirm" />
I confirm I am 18 years of age or older
</label>
// Server-side: validate the checkbox was submitted
if (!formData.get('ageConfirm')) {
return { error: 'You must confirm your age to create an account.' }
}
For services that do allow minors, a checkbox is insufficient for COPPA — verifiable parental consent requires a credit card charge, digital signature, or government ID. Consult a legal advisor before building a COPPA-compliant parental consent flow. At minimum, include language in your Terms of Service and privacy policy explicitly stating the minimum age.
ID: data-protection.storage-retention.child-safety-coppa
Severity: medium
What to look for: Enumerate every relevant item. Check the signup and login flows for any age verification step. Does the application ask for age or date of birth? Is there an age gate (e.g., "You must be 18 or older to use this service")? If the application could attract users under 13 (general-purpose tools, educational tools, games, social apps), look for parental consent mechanisms: a parent email collection step, a parental approval workflow before a child account can access the service, and a child-specific privacy notice. For US-based applications, check whether COPPA (Children's Online Privacy Protection Act) compliance is documented. COPPA requires: no data collection from children under 13 without verifiable parental consent, a child-safe privacy notice, and the ability for parents to review and delete their child's data.
Pass criteria: If the application targets or could realistically have users under 13, a parental consent workflow is implemented. A child-safe privacy notice exists. US apps have documented COPPA compliance. If the application explicitly targets adults only, there is a clear age gate at signup (checkbox, age input, or date-of-birth requirement) with documentation.
Fail criteria: Application allows users under 13 but has no parental consent mechanism, no age gate, and no child privacy notice. General-purpose application with no age indication and no protections.
Skip (N/A) when: The application explicitly targets adults only with a clear age gate (e.g., date-of-birth required at signup, "I am 18+" checkbox, or Terms of Service that restrict use to 18+) and documentation in privacy policy confirms the service is not intended for users under 13.
Detail on fail: Example: "No age gate found. Signup form accepts any email with no age verification. No parental consent mechanism or child privacy notice." or "Educational tool likely to attract under-13 users, but no COPPA compliance documentation found."
Remediation: Implement age-gating for adult-only services or a parental consent flow for services that allow minors:
// Age gate at signup (adult-only service)
// In your signup form, add:
<label>
<input type="checkbox" required />
I confirm that I am 18 years of age or older
</label>
// Or collect date of birth and validate. Compare month and day as well as year,
// otherwise a user is counted as 18 from 1 January of their 18th year rather than
// from their actual birthday:
function isAdult(birthdate: Date, today: Date = new Date()): boolean {
  let age = today.getFullYear() - birthdate.getFullYear()
  const birthdayPassed =
    today.getMonth() > birthdate.getMonth() ||
    (today.getMonth() === birthdate.getMonth() && today.getDate() >= birthdate.getDate())
  if (!birthdayPassed) age -= 1
  return age >= 18
}
For services that do allow minors, implement a COPPA-compliant parent verification flow. Consult a legal advisor for COPPA — the requirements involve verifiable parental consent methods (credit card verification, digital signature, or government ID) and cannot be satisfied by a simple checkbox.
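The following is an added example (it is not part of the original checklist or any project's code) that ties together the pieces the remediation and the "what to look for" section describe: a month/day-accurate age check from a date of birth, a jurisdiction-aware age-of-consent threshold (13 for COPPA, 16 as the GDPR Art. 8 default), and an account state that blocks collection of the child's personal data until a parent has consented through one of the verifiable methods the text names. The per-country override table, the `ConsentMethod` type, and all function and field names are assumptions made for illustration; the consent-age table is an illustrative subset that must be confirmed with counsel, and the flow itself is a gate, not a claim of COPPA compliance.

```typescript
// Age of digital consent by jurisdiction. US = 13 (COPPA) and the EU default of 16
// (GDPR Art. 8) come from the checklist text; the member-state overrides below are
// assumed examples for illustration only and must be verified before use.
const CONSENT_AGE: Record<string, number> = { US: 13, EU: 16, FR: 15, ES: 14, BE: 13 }
const ADULT_AGE = 18
// Unknown jurisdiction: fall back to the strictest threshold in the table.
const CONSERVATIVE_DEFAULT = 16

// Whole years between birthdate and today, counting a birthday only once it has
// passed. All arithmetic is in UTC so the result does not depend on server timezone.
function ageOn(birthdate: Date, today: Date): number {
  let age = today.getUTCFullYear() - birthdate.getUTCFullYear()
  const birthdayPassed =
    today.getUTCMonth() > birthdate.getUTCMonth() ||
    (today.getUTCMonth() === birthdate.getUTCMonth() &&
      today.getUTCDate() >= birthdate.getUTCDate())
  if (!birthdayPassed) age -= 1
  return age
}

function consentAge(jurisdiction: string): number {
  const threshold = CONSENT_AGE[jurisdiction.toUpperCase()]
  return threshold !== undefined ? threshold : CONSERVATIVE_DEFAULT
}

type Decision = 'allow' | 'reject' | 'parental_consent_required'

// Signup policy: adult-only services refuse under-18s outright; services that admit
// minors let users at or above the local consent age proceed and route everyone
// younger into the parental-consent workflow instead of creating an active account.
function evaluateSignup(
  birthdate: Date,
  jurisdiction: string,
  adultOnly: boolean,
  today: Date = new Date()
): Decision {
  const age = ageOn(birthdate, today)
  if (age < 0) return 'reject' // birthdate in the future: malformed input
  if (adultOnly) return age >= ADULT_AGE ? 'allow' : 'reject'
  return age >= consentAge(jurisdiction) ? 'allow' : 'parental_consent_required'
}

// Verifiable parental consent methods named in the checklist. A checkbox is
// deliberately not a member of this type, so it cannot be recorded as consent.
type ConsentMethod = 'credit_card_charge' | 'digital_signature' | 'government_id'

interface Account {
  id: string
  status: 'active' | 'pending_parental_consent'
  // Store the derived fact rather than the raw date of birth: the service only
  // needs to know which threshold applied (data minimization).
  minorUnderConsentAge: boolean
  parentalConsent?: { method: ConsentMethod; recordedAt: Date }
}

function createAccount(id: string, decision: Decision): Account {
  if (decision === 'reject') throw new Error('signup refused by age gate')
  return {
    id,
    status: decision === 'allow' ? 'active' : 'pending_parental_consent',
    minorUnderConsentAge: decision === 'parental_consent_required',
  }
}

// Every data-collecting code path should consult this before touching the child's
// personal data; a pending account may only be used to reach the parent.
function mayCollectPersonalData(account: Account): boolean {
  return account.status === 'active'
}

function recordParentalConsent(
  account: Account,
  method: ConsentMethod,
  at: Date = new Date()
): Account {
  return { ...account, status: 'active', parentalConsent: { method, recordedAt: at } }
}
```

Passing `today` explicitly keeps the gate testable with fixed dates; in production the default `new Date()` is used. Note that `evaluateSignup` never returns the computed age to the caller, and `Account` never stores the date of birth, so the only age-related fact retained is whether the consent threshold applied.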