Kids-app security — COPPA + GDPR-K + age-verification + marketing limits
Under-13 apps face COPPA (US) + GDPR-K (EU) + state-specific kids-privacy laws. Verifiable parental consent + data minimization + no behavioral advertising are table stakes.
Top security risks
Collecting under-13 PII without VPC
Verifiable Parental Consent (VPC) is required before any PII is collected from an under-13 user. FTC fines have reached $20M+ for major violations.
Third-party SDK leaking kids' data
Even a single analytics or ad SDK running outside kids-mode puts the whole app in full COPPA violation.
Behavioral advertising to kids
The FTC and state AGs enforce this strictly. In kids-mode, serve contextual ads only, or no ads at all.
Cross-device tracking
Persistent cross-device identifiers count as PII under COPPA, so they fall under the same VPC requirement.
Regulatory context
COPPA (US, under-13), GDPR-K (EU, under-16 by default; member states set the threshold between 13 and 16), state laws (e.g. CA AB-2273), KOSA (US, pending).
Checklist
- VPC flow before any PII collection
- All SDKs in kids-mode (or removed)
- Behavioral advertising disabled
- Data retention < 12 months
- Annual COPPA-Safe Harbor audit
- Age-gate at signup
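The first three checklist items (VPC before PII, SDKs in kids-mode, behavioral ads off) plus the retention and age-gate items can be enforced in code rather than left to policy. The following is an added example, not code from the original page or from any product it describes; every class, function and field name is hypothetical, and the user records it builds are constructed sample data. It computes age from the birthdate captured at the age gate, derives the SDK feature flags for kids-mode, refuses to store PII for a child until VPC is on record, and purges PII past the 12-month window.

```python
"""Age gate, VPC gate and retention check for a child-directed app.

Added example for this page; not code from the original page or from any
product it describes. All names are hypothetical; sample data is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

COPPA_AGE = 13          # COPPA covers users under 13
RETENTION_DAYS = 365    # checklist item: keep data less than 12 months


class ConsentRequired(Exception):
    """Raised when PII would be collected from a child without VPC on record."""


@dataclass
class UserRecord:
    user_id: str
    birthdate: date                          # captured by the age gate at signup
    vpc_granted_on: Optional[date] = None    # set only after verified parental consent
    last_activity: Optional[date] = None
    pii: dict = field(default_factory=dict)


def age_on(birthdate: date, today: date) -> int:
    """Whole years between birthdate and today (correct before the birthday)."""
    years = today.year - birthdate.year
    if (today.month, today.day) < (birthdate.month, birthdate.day):
        years -= 1
    return years


def is_child(birthdate: date, today: date) -> bool:
    return age_on(birthdate, today) < COPPA_AGE


def sdk_policy(child: bool) -> dict:
    """Feature flags handed to the SDK layer at startup.

    Kids-mode: contextual ads only, no behavioral targeting, and no persistent
    cross-device identifier (such identifiers are PII under COPPA).
    """
    return {
        "kids_mode": child,
        "contextual_ads": True,
        "behavioral_ads": not child,
        "cross_device_id": not child,
    }


def collect_pii(record: UserRecord, name: str, value: str, today: date) -> None:
    """Store one PII field, refusing for a child unless VPC is already recorded."""
    if is_child(record.birthdate, today) and record.vpc_granted_on is None:
        raise ConsentRequired(f"{record.user_id}: VPC required before collecting {name}")
    record.pii[name] = value
    record.last_activity = today


def purge_expired(records: list, today: date) -> list:
    """Clear PII older than the retention window; return the ids that were purged."""
    purged = []
    for r in records:
        if r.pii and r.last_activity is not None \
                and today - r.last_activity >= timedelta(days=RETENTION_DAYS):
            r.pii.clear()
            purged.append(r.user_id)
    return purged


def demo() -> dict:
    """Constructed sample run; returns the outcomes so they can be checked."""
    today = date(2025, 6, 14)
    child = UserRecord("u-child", date(2015, 6, 15))   # age 9 on this date
    teen = UserRecord("u-teen", date(2010, 1, 1))      # age 15 on this date
    results = {
        "policy_child": sdk_policy(is_child(child.birthdate, today)),
        "policy_teen": sdk_policy(is_child(teen.birthdate, today)),
    }
    try:
        collect_pii(child, "email", "parent@example.invalid", today)
        results["child_without_vpc"] = "collected"
    except ConsentRequired:
        results["child_without_vpc"] = "blocked"
    child.vpc_granted_on = today                        # parent verified out of band
    collect_pii(child, "email", "parent@example.invalid", today)
    results["child_with_vpc"] = "collected"
    stale = UserRecord("u-stale", date(2014, 3, 3), vpc_granted_on=date(2024, 1, 1),
                       last_activity=date(2024, 6, 1), pii={"nickname": "x"})
    results["purged"] = purge_expired([child, teen, stale], today)
    return results


if __name__ == "__main__":
    print(demo())
```

The age gate itself should stay neutral (ask for a birthdate, never hint at the cutoff), and the `vpc_granted_on` field is only ever set by the consent flow, never by the client; everything downstream keys off those two facts.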
Parent-side trust signals: a COPPA Safe Harbor logo, 'no ads' marketing, and clear data deletion. Schools require COPPA and state-law compliance before adopting an app.