Nothing Undermines Trust Like Leaking Children’s Data

Virginia, Utah, Texas, New Jersey, Indiana, Iowa, and Tennessee all have laws protecting children’s data. Other specific state laws that Vault can help ensure compliance with include: 

• CAADCA, the California Age‑Appropriate Design Code Act
  CAADCA requires online services likely to be accessed by minors (under 18) to conduct Data Protection Impact Assessments and mitigate risks to children’s privacy, safety, and well‑being through high‑privacy defaults and age‑appropriate design.
• CTDPA, the Connecticut Data Privacy Act amendments (2023)
  The 2023 CTDPA amendments added heightened protections for minors (under 18) and prohibit targeted advertising and the sale of personal data involving known minors, while treating children’s data (under 13) as sensitive data requiring opt‑in consent.
• CPA, Colorado Privacy Act amendments (2024–2025)
  The CPA establishes heightened duties when processing minors’ data (under 18) and requires data protection assessments for processing activities that present heightened risks to children (under 13), including profiling, targeted advertising, and other sensitive data uses.
• FDBR, Florida Digital Bill of Rights
  The FDBR imposes restrictions on processing minors’ data (under 18) and prohibits targeted advertising to known children (under 13), aligning children’s data with heightened‑risk and sensitive‑data obligations.
• DPDPA, Delaware Personal Data Privacy Act
  The DPDPA prohibits targeted advertising and the sale of personal data based on data of known minors (under 18), and treats the personal data of children (under 13) as sensitive data requiring opt‑in consent.
• OCPA, Oregon Consumer Privacy Act
  The OCPA provides enhanced protections for minors (under 18) and prohibits targeted advertising to known children (under 13), treating children’s data as sensitive and subject to opt‑in consent requirements.

Under CAADCA, the California Age‑Appropriate Design Code Act, businesses can only sell the personal information of a child that they know to be under the age of 16 if they get affirmative authorization (“opt-in”) for permitting the sale. For children under the age of 13, that opt-in must come from the child’s parent or guardian. For children who are at least 13 years old but under the age of 16, the opt-in can come from the child. (https://oag.ca.gov/privacy/ccpa)

The CTDPA or Connecticut Data Privacy Act amendments (2023), requires businesses to use “reasonable care” to avoid any heightened risk of harm to minors and forbids using children’s data for targeted advertising, sale, or profiling without obtaining proper consent. Consent is also needed for any feature designed to “significantly increase, sustain or extend any minor’s use of an online service, product or feature”.  Geolocation data can be collected unless “necessary”, and the business must provide a signal for the duration of the collection. Consent mechanisms must not “subvert or undermine user autonomy, decision-making, or choice”. Direct messaging for minors must offer “readily accessible and easy-to-use” safeguards against the ability of adults to send “unsolicited communications to minors.” And businesses must conduct data protection assessments for “any online product, service, or feature offered to minors”.

Effective October 1, 2025, amendments to the Colorado Privacy Act (CPA) created enhanced protections when a minor’s personal data is processed in ways that present a heightened risk of harm. The law applies to any business that controls personal data and conducts business in Colorado or targets Colorado residents, regardless of revenue or data volume.

If a company offers an online service, product, or feature to someone it knows to be a minor, it must conduct a documented data protection assessment where such risk exists and use reasonable care to avoid harm to children. Without appropriate consent, including parental consent for children under 13, businesses may not use minors’ data for targeted advertising, sale, or profiling; may not process data beyond disclosed purposes; and may not retain it longer than reasonably necessary. Companies are also forbidden from using design features that materially extend a minor’s use of a service or collect precise geolocation data except in limited circumstances, unless consent is given.

The Children’s Online Privacy Protection Act (COPPA) is a U.S. federal law regulating the online collection of personal information from children under 13. It applies to websites, apps, and online services directed to children, as well as general-audience services that have actual knowledge they are collecting data from children under 13. Covered organizations must provide notice and obtain verifiable parental consent before collecting childrens’ personal information. They must also maintain reasonable security and allow parents to access or delete their child’s data.

Of course, the laws vary by state, and state laws differ from COPPA. But in general, if you have “actual knowledge” that you are collecting personal information from a child under 13, you are subject to legal restrictions. That knowledge may arise from date-of-birth fields, account data, support communications, or analytics indicating users are under 13 years old.  Once you have that knowledge, you must either stop collecting data or implement compliant parental consent mechanisms.

Regulators assess subject matter, animated characters, language, advertising channels, and audience composition. Design is a major factor, as a child-directed design will trigger compliance obligations regardless of intent. If it is determined that your service appeals primarily to children under 13, COPPA applies, even if you include a disclaimer.

Under many state privacy laws and COPPA, personal information includes traditional identifiers such as names, email addresses, and postal addresses, as well as persistent identifiers like cookies, IP addresses, device IDs, and advertising IDs when used for tracking. It can also include geolocation data, photos, videos, and audio files containing a child’s voice. Several state laws extend similar protections to teens and restrict how their data can be used for advertising or profiling. As a result, many common tracking technologies can fall within these definitions.

Yes. Under several state privacy laws and COPPA, personal information can include persistent identifiers such as cookies, device IDs, IP addresses, and advertising identifiers when used for tracking. If analytics tools, ad pixels, SDKs, or third-party scripts collect those identifiers from children under 13 without verifiable parental consent, it may violate COPPA and state laws that restrict targeted advertising or profiling involving minors, including teens. The risk often arises not from your core application code, but from embedded vendor technologies that activate automatically when a page loads if the tools collect data before age screening or parental consent occurs.

COPPA violations can result in significant civil penalties enforced by the Federal Trade Commission (FTC) and state attorneys general. The FTC may seek monetary penalties per violation. In large-scale cases involving millions of users, settlements have reached tens or even hundreds of millions of dollars. Beyond fines, companies may be subject to consent decrees requiring long-term compliance monitoring, independent audits, mandated changes to data practices, and strict reporting obligations. Reputational damage, litigation risk, and business disruption often exceed the monetary penalty itself.

If your website is not directed to children and you do not have “actual knowledge” that you are collecting personal information from a child under 13, COPPA generally does not apply. However, some state privacy laws impose additional obligations if a company knows—or reasonably should know—that minors are using the service, particularly regarding targeted advertising and profiling. As a result, even general-audience sites may need safeguards to prevent the collection or use of children’s data without proper consent.

Vault helps organizations operationalize compliance with children’s data laws by testing what actually happens on their websites and apps, not just what policies say. It analyzes live network traffic, third-party scripts, cookies, SDK activity, and request payloads, detecting the collection of persistent identifiers and other children’s personal information. Vault can simulate under-13 user journeys to verify that age gates and parental consent mechanisms properly block non-essential tracking before data is collected or shared. Timestamped, audit-ready reports showing consent state, vendor activity, and data flows enable your teams to detect misconfigurations early, remediate quickly, and demonstrate defensible oversight in the event of regulatory scrutiny.

Vault analyzes real-time network traffic, embedded scripts, SDK calls, cookies, and request payloads to identify data elements that qualify as “personal information” under state laws and COPPA, including persistent identifiers like device IDs, IP addresses, cookies, and advertising identifiers. Vault evaluates when and where those identifiers are collected, whether they are transmitted to third parties, and the consent status at the time. By simulating under-13 user journeys and age-gate flows, we can detect whether tracking occurs before parental consent is obtained.

Yes. Vault simulates real-world user journeys across multiple age and consent scenarios, including under-13 users, rejected consent, and granted parental consent, to verify whether tracking and data collection are properly restricted. Vault analyzes live network traffic to determine whether cookies, persistent identifiers, SDK calls, or third-party scripts activate before age verification or parental authorization. If non-essential tracking fires during the age-screening process, Vault flags the behavior for remediation. This approach ensures your consent flow is not just in the design, but also technically enforced in practice.

Vault continuously audits analytics tools, advertising pixels, tag manager deployments, and embedded SDKs on child-directed pages. Because many risks originate from vendor scripts rather than core application code, Vault provides visibility into third-party behavior and maps it to children’s data compliance risk.

Yes. Vault generates timestamped, exportable reports documenting which data was collected, which vendors were involved, and the consent state in effect at the time of collection. This includes visibility into persistent identifiers, third-party transmissions, and whether tracking was properly blocked before parental consent. By preserving structured logs and mapping findings to legal requirements, Vault enables organizations to demonstrate proactive oversight and technical enforcement of consent controls and provide documentation of remediation efforts during audits or regulatory inquiries.