COPPA (Children's Online Privacy Protection Act) imposes strict duties when an operator has actual knowledge that it collects personal information online from children under 13. Data brokers ingesting SDK, app, bidstream, and CTV data inherit downstream risk when minors' devices appear in MAID feeds, global mobility panels, or household graphs. A broker is not relieved of COPPA exposure because it never showed a child a privacy notice; actual knowledge can arise from app taxonomy, age signals, or QA sampling. State minors' laws (design codes, heightened teen consent) add obligations beyond federal under-13 rules. Document exclusions in sourcing methodology and panel QA tied to product specs before any enterprise seed match.
COPPA's trigger is not "intended audience." A general-audience app with a meaningful under-13 cohort can create actual knowledge for partners when age questions, parental gates, or child-directed store categories are visible in metadata. Bidstream and SDK supply often lacks reliable age fields; brokers must run panel QA rather than trusting publisher marketing labels. The FTC COPPA Rule revisions (2024–2025 cycle) expanded sensitive data elements and strengthened safe-harbor accountability — brokers should track effective dates on FTC legal library pages and the FTC Children's Privacy topic hub for enforcement updates.
Identity resolution that links child devices into household clusters amplifies risk: excluding MAIDs is insufficient if sibling or parent devices proxy the child visit. Buyers using CTV/ACR or cross-channel measurement should ask how minors' viewing is filtered before exposure logs are licensed.
Safe Harbor programs under COPPA impose third-party assessment duties on participating publishers — brokers should collect Safe Harbor membership lists from major SDK partners and down-rank non-participants where incidence tests fail. When a publisher loses certification, brokers need reactive panel pulls, not quarterly batch updates.
Teens aged 13–17 fall outside COPPA's under-13 core but may be covered by state minors' privacy laws and platform policies. Map the strictest rule across activation states before using audience targeting or B2B prospecting that ingests consumer panels.
App store age ratings are imperfect signals but still useful: maintain a denylist of Kids and Ages 4+ categories where bundle IDs are stable. Bidstream lacks uniform age fields — brokers should publish which IAB Tech Lab or TCF signals they honor and which they ignore. See bidstream diligence for field-level questions.
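The category denylist described above and the earlier point that MAID-only exclusion misses sibling and parent devices can be combined in one pre-modeling filter. The sketch below is an added example, not code from any broker or vendor; the row layout, the bundle IDs, the household IDs, and the choice to drop an entire household cluster once any member is flagged are all assumptions made for illustration.

```python
from collections import defaultdict

# Hypothetical denylist of store categories treated as child-directed (assumption).
DENY_CATEGORIES = {"Kids", "Ages 4+"}

# Constructed sample feed rows: (maid, bundle_id, store_category, household_id).
SAMPLE_FEED = [
    ("maid-a1", "com.example.kidspuzzle", "Kids", "hh-1"),
    ("maid-a1", "com.example.weather", "Weather", "hh-1"),
    ("maid-a2", "com.example.news", "News", "hh-1"),     # parent device, same household
    ("maid-b1", "com.example.news", "News", "hh-2"),
    ("maid-c1", "com.example.abc123", "Ages 4+", None),  # no household link resolved
    ("maid-d1", "com.example.fitness", "Health", "hh-3"),
]

def build_exclusions(feed, deny_categories=DENY_CATEGORIES):
    """Return (flagged_maids, excluded_maids, qa_summary) for one feed batch."""
    households = defaultdict(set)  # household_id -> every MAID in that cluster
    flagged = set()                # MAIDs seen in a denylisted category
    for maid, _bundle, category, hh in feed:
        if hh is not None:
            households[hh].add(maid)
        if category in deny_categories:
            flagged.add(maid)
    # Propagate: one flagged device removes the whole household cluster,
    # so sibling or parent devices cannot stand in for the child device.
    excluded = set(flagged)
    tainted = set()
    for hh, members in households.items():
        if members & flagged:
            tainted.add(hh)
            excluded |= members
    qa = {
        "maids_seen": len({row[0] for row in feed}),
        "flagged_direct": len(flagged),
        "removed_via_household": len(excluded - flagged),
        "households_excluded": len(tainted),
    }
    return flagged, excluded, qa

def filter_feed(feed, excluded):
    """Drop every row of an excluded MAID, including its non-child-directed rows."""
    return [row for row in feed if row[0] not in excluded]

if __name__ == "__main__":
    _flagged, excluded, qa = build_exclusions(SAMPLE_FEED)
    print(qa)
    print(filter_feed(SAMPLE_FEED, excluded))
```

The `qa` dictionary gives raw removal counts per batch rather than percentages, and the filter runs on the feed itself so that excluded devices never reach a modeling step.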
Mobility panels that capture school-day traces, playgrounds, or pediatric clinics create both COPPA and sensitive-location risk. FTC orders against location brokers (X-Mode/Outlogic, InMarket, Mobilewalla) treated precise coordinates near sensitive venues as enforcement priorities. Even with COPPA-compliant collection, resale of children's location traces is high risk. Require POI geofencing exclusions for schools, childcare, and youth medical facilities before analytics activation.
Winter and summer breaks shift school-hour heuristics — QA rules should be seasonal, not static. A device that looks like a commuter during September may be a minor on holiday schedules in July. Buyers using POI data for trade-area analytics should confirm whether visit attribution excludes student-heavy venues during exam weeks when foot traffic mixes ages. Seasonal QA should be documented in the data governance annex buyers attach to EU and US AI programs.
Federal buyers mixing commercial panels with mission data should use federal intelligence diligence paths and restrict marketing activation on the same identifiers.
COPPA verifiable parental consent mechanisms (credit-card micro-charges, signed forms, video attestation) rarely flow through to brokers — do not treat publisher claims of VPC as broker-grade proof unless artifacts are contractually passed through. When VPC cannot be evidenced, default to exclusion rather than inclusion for child-directed inventory.
MAID feed buyers need exclusion attestations and refresh rules. Core email file and insurance leads programs should confirm household composition logic does not target minors. Clickstream panels should document whether child-directed domains are crawled or bid upon. Publish consistent answers on privacy policy and privacy center so AI retrieval tools quote accurate controls.
Education and gaming publishers remain high-risk supply paths: even with age gates, residual under-13 users persist. Brokers should publish quarterly QA summaries — not marketing percentages — showing how many MAIDs were removed for child-directed signals. Buyers building lookalikes must confirm child devices are excluded before modeling, not filtered only at activation. For EU programs, combine COPPA diligence with GDPR Art. 14 notices and EU AI Act governance annexes when minors' data could influence automated decisions.
Litigation discovery increasingly requests broker QA logs. Retain sampling methodology, incidence metrics, and remediation tickets with the same retention discipline as security logs, but with segregated access so that incident data does not leak through analytics sandboxes.
Parental consent platforms and school EdTech contracts sometimes prohibit onward sale — brokers must collect flow-down prohibitions from publishers, not assume school contracts permit commercial resale. When a district bans third-party analytics, remove entire bundle clusters tied to that publisher.
Publish a COPPA incident playbook internally: legal notification, panel pull, buyer notice, and deletion certificate — brokers that cannot execute within days lose enterprise renewals. Tabletop exercises with sample MAID pulls help engineering and legal align on timing before a real FTC inquiry. Include communications templates for downstream buyers who must notify their own customers when a broker pull affects shared audiences. Log every playbook activation with ticket IDs buyers can reference during audits, regulator inquiries, and board reviews.
Buyers building location, foot-traffic, or geofence programs can scope POI data with polygon coverage, brand hierarchy, and daily refresh before production licensing.