WebsiteCategorizationAPI
Home
Demo Tools - Categorization
Website Categorization Text Classification URL Database Taxonomy Mapper
Demo Tools - Website Intel
Technology Detector Quality Score Competitor Finder
Demo Tools - Brand Safety
Brand Safety Checker Brand Suitability Quality Checker
Demo Tools - Content
Sentiment Analyzer Context Aware Ads
Resources
API Documentation Pricing Login
Try Categorization

COPPA Compliance Risk Scoring

Score any URL 0–100 for children's-privacy risk in real time. One API call answers the two questions COPPA enforcement turns on — is this content directed at children under 13, and is personal data being collected from them — then decomposes the answer into five audited sub-scores your legal and compliance teams can act on, page by page, before the FTC or a plaintiff's attorney does it for you.

5
sub-scores, each 0–20, fully decomposed
$50k+
statutory penalty exposure per violation
Real-time
URL in, scored JSON out
102M
domain database for batch audits
Request a Sample Report API Documentation

The problem: COPPA liability scales with your page count, and enforcement is escalating

The Children's Online Privacy Protection Act is not a new law, but the way it is enforced has changed decisively. The FTC no longer waits for a data breach or a parental complaint: it reads the content of your pages, looks at the trackers loading on them, and asks whether a persistent identifier was set on a site or service directed to children without verifiable parental consent. Civil penalties are assessed per violation — currently more than $50,000 each under the FTC's inflation-adjusted schedule — and a "violation" can be counted per child, per collection event. At web scale that arithmetic gets catastrophic quickly, which is exactly the leverage regulators have been using in settlement negotiations.

Nine-figure penalties are now the precedent

Google and YouTube paid $170 million in 2019 for serving behaviorally targeted ads on child-directed channels. Epic Games paid a $275 million COPPA civil penalty in 2022 — the largest ever for an FTC rule violation. Musical.ly (now TikTok) set the earlier record with $5.7 million in 2019, and the DOJ sued TikTok again over COPPA in 2024. The trend line only points up.

Ad tech is strict-liability adjacent

Since the 2013 COPPA Rule amendments, persistent identifiers — cookies, device IDs, fingerprints used for behavioral advertising — are personal information. A third-party ad script on a child-directed page collects personal data from children whether or not you meant it to, and both the operator and the network with actual knowledge are on the hook.

"Child-directed" is a judgment call — operationalized badly

The FTC weighs subject matter, vocabulary, visuals, music and audience evidence in a multi-factor test. In practice most companies operationalize this as a spreadsheet column filled in by whoever onboarded the site — or not at all. Nobody is measuring vocabulary level or topic mix, which is precisely the evidence the test turns on.

Manual review cannot reach the scale of the problem

An SSP screens thousands of publishers; a kids' media group runs hundreds of thousands of pages; a filtering vendor labels the whole web. Reviewing each page for signup forms, tracker loads and privacy-policy language by hand is impossible — so exposure accumulates silently until a regulator or researcher measures it for you.

The solution: five audited sub-scores, one composite risk number

The COPPA Compliance Risk Score decomposes the legal question into five measurable dimensions, each scored 0–20 and summed into the 0–100 composite. Every sub-score returns its underlying signals by name — the exact form fields found, the exact tracking vendors loaded, the exact privacy-policy language matched — so the number is defensible in front of counsel, an auditor or a publisher dispute. Pages are rendered in a real headless browser with the consent dialog auto-accepted, because a crawler that never clicks "Accept" never sees the trackers that fire on real children.

child_directed_content

Is this page directed at children under 13? An LLM judges the extracted content the way the FTC's multi-factor test does — subject matter, vocabulary level (elementary vs adult), topics and framing — and returns a calibrated 0–1 score. It is combined with:

  • Child-keyword density in the page text ("kids", "for children", grade levels)
  • Meta rating tags and kid-safety seals (kidSAFE, ESRB-style declarations)
  • A separate classification object with is_child_directed, confidence and written reasoning

personal_data_collection

What personal information does the page actually solicit? We parse the rendered DOM for:

  • PII form fields by type: name, email, birthday, age, phone, address, school
  • Account-creation flows — including signup CTAs that only open a form behind a JavaScript flow, reported as signup_cta_detected
  • Chat widgets and community features (open text is personal data in a child's hands)
  • Newsletter and email-capture forms

A birthday field on a child-directed page is one of the strongest single COPPA signals that exists.

tracking_identifiers

The sub-score the YouTube and TikTok cases were built on. Because persistent identifiers are personal information under the COPPA Rule, we enumerate:

  • Ad and tracking scripts by vendor — ad servers, SSPs, header bidding, retargeters
  • Distinct third-party tracking domains contacted (a proxy for third-party cookies)
  • Fingerprinting techniques (canvas, audio, font probing)

Consent is auto-accepted during rendering, so consent-gated trackers — the ones a naive crawler never observes — are counted too.

privacy_controls_absent

An inverted score: points accrue for safeguards that are missing. We check whether a privacy policy exists, then actually fetch and read it, looking for children's-privacy language — mentions of children, under-13 users, COPPA and parental consent. We also detect:

  • Age gates and neutral age-screening mechanisms
  • Consent banners and the CMP behind them
  • A verifiable parental-consent mechanism, on-page or described in the policy

A kids' site whose policy never mentions children is telling you it has never had this conversation internally.

content_appropriateness

Not strictly a COPPA element, but inseparable from children's-privacy risk in practice: content moderation of the page text using Google-NLP-based classifiers for toxicity, profanity, violence and sexual content, each returned as a 0–1 probability. A page that scores child-directed and carries mature content is a reputational and regulatory problem in its own right — and a red flag for advertisers screening kids' inventory.

Why five, why 0–20 each

COPPA exposure is conjunctive: it takes child-directed content plus data collection plus absent safeguards to create liability. Equal-weighted sub-scores keep the composite interpretable — a 49 made of heavy tracking on child-directed content reads completely differently from a 49 made of missing policies on a general-audience site, and the response shows you which one you have.

One call, one score

POST a URL, get back the composite score, the five sub-scores with named signals, and the child-directed classification with written reasoning. Nothing is a black box — every point in the score traces to an observable fact about the page.

Request (curl)
curl -X POST "https://www.websitecategorizationapi.com/api/coppa/score.php" \
  -d "query=https://www.coolmathgames.com" \
  -d "api_key=YOUR_API_KEY"
Request (Python)
import requests

resp = requests.post(
    "https://www.websitecategorizationapi.com/api/coppa/score.php",
    data={"query": url, "api_key": API_KEY},
    timeout=180,
)
result = resp.json()

child_directed = result["classification"]["is_child_directed"]
tracking = result["sub_scores"]["tracking_identifiers"]["score"]

if child_directed and tracking >= 10:
    # persistent identifiers on child-directed content:
    # the exact pattern COPPA enforcement targets
    escalate_to_compliance(result)
Response — a real child-directed gaming site
{
  "url": "https://www.coolmathgames.com",
  "coppa_risk_score": 49,
  "risk_level": "MEDIUM",
  "sub_scores": {
    "child_directed_content": {
      "score": 12, "max": 20,
      "signals": [
        "llm_child_directed_score: 0.80",
        "vocabulary_level: elementary",
        "child_keywords: 1 found (kids)"
      ]
    },
    "personal_data_collection": {
      "score": 11, "max": 20,
      "signals": [
        "form_pii_fields: name, password, username",
        "account_creation: signup_cta_detected (form behind JS flow)"
      ]
    },
    "tracking_identifiers": {
      "score": 16, "max": 20,
      "signals": [
        "ad_tracking_scripts: 18 detected (Google Ad Manager / DoubleClick,
         Google AdSense, Amazon Publisher Services (TAM), Prebid.js, Criteo,
         PubMatic, Magnite / Rubicon, Index Exchange, Xandr / AppNexus, TripleLift)",
        "third_party_tracking_domains: 26 (proxy for third-party cookies)",
        "fingerprinting: not_detected"
      ]
    },
    "privacy_controls_absent": {
      "score": 10, "max": 20,
      "signals": [
        "privacy_policy: found_with_coppa_mention (under 13)",
        "age_gate: not_detected",
        "consent_banner: detected (Google Funding Choices)",
        "parental_consent: not_detected"
      ]
    },
    "content_appropriateness": {
      "score": 0, "max": 20,
      "signals": ["toxic: 0.16", "sexual: 0.00", "profanity: 0.05", "violent: 0.00"]
    }
  },
  "classification": {
    "is_child_directed": true,
    "confidence": 0.8,
    "reasoning": "The content is primarily directed at children under 13,
     featuring games with simple, accessible vocabulary and topics
     appealing to a younger audience."
  },
  "status": 200
}

Read the pattern here: the page is classified child-directed with 0.8 confidence, yet loads 18 ad-tech vendors across a full header-bidding stack and contacts 26 third-party tracking domains — persistent identifiers on child-directed content, which is exactly the exposure pattern the YouTube settlement was built on. A consent banner is present, but no parental-consent mechanism was detected, and the composite lands at MEDIUM: not an emergency, but precisely the kind of page a compliance team should have on a list.

Risk tiers

The 0–100 composite maps to four tiers. The thresholds are returned in every response, and the sub-score breakdown tells you why a page sits where it does — so the same tier can route to different actions depending on which dimension is driving it.

ScoreTierMeaningTypical action
0–30LOWGeneral-audience content, or child-directed with safeguards in placeAllow; include in periodic re-scoring
31–55MEDIUMChild-directed signals plus meaningful data collection or trackingCompliance review; restrict to contextual ads pending remediation
56–80HIGHLikely child-directed with substantial tracking or PII collection and weak controlsSuspend behavioral monetization; escalate to legal; notify the publisher
81–100CRITICALClear child-directed content, active personal-data collection, safeguards absentBlock or remove immediately; document remediation for the record

What the signals mean

llm_child_directed_score & vocabulary_level

The LLM's calibrated judgment of the FTC's audience test, plus the measured reading level of the page text. "Elementary" vocabulary on a games site is evidence; the same vocabulary on a plain-language government page is not, and the model knows the difference.

form_pii_fields & signup_cta_detected

Every PII input type found in rendered forms, by name. Sites that hide registration behind a JavaScript modal still get caught: the signup call-to-action itself is reported even when the form fields are not yet in the DOM.

ad_tracking_scripts & third_party_tracking_domains

Named ad-tech vendors plus the count of distinct third-party hosts contacted during the rendered session — measured after consent auto-acceptance, so what we count is what a real child's browser would load.

privacy_policy: found_with_coppa_mention

We follow the privacy-policy link and read the document. The signal reports the exact matched language ("under the age of 13", "parental consent"), so counsel can verify the finding in seconds without re-crawling anything.

age_gate, consent_banner & parental_consent

Three distinct safeguards, reported separately — because a GDPR-style cookie banner is not an age gate, and neither one is verifiable parental consent. Conflating them is the single most common COPPA misunderstanding we see.

toxic / sexual / profanity / violent

Google-NLP moderation probabilities for the page text. Near-zero on genuinely child-directed pages; anything elevated alongside is_child_directed: true deserves a human look regardless of the composite score.

Who uses this

Ad platforms & SSPs

COPPA prohibits behavioral advertising on child-directed inventory — contextual only, no persistent identifiers for targeting. Platforms screen supply at onboarding and flag child-directed domains so bid requests can be marked and behavioral demand excluded, before a researcher publishes the screenshot for them.

Kids' app & edtech publishers

Self-audit every property and page on a schedule. The tracking_identifiers sub-score catches the SDK or tag a partner added last sprint; the privacy_controls check catches the policy that was never updated to mention children. Cheaper to find it yourself.

Media auditors & compliance teams

Attach a decomposed, evidence-backed score to every finding. Because each sub-score lists the exact vendors, form fields and policy language observed, audit reports survive pushback — the publisher can reproduce every claim from their own browser.

Web filtering vendors

Enrich filtering products with a children's-privacy dimension: schools and family-safety products increasingly want to distinguish "safe for kids to view" from "safe for kids to be tracked on" — different questions with different answers.

Frequently asked

We have a consent banner — doesn't that make us compliant?

No. A cookie banner implements GDPR/ePrivacy-style consent from the visitor; COPPA requires verifiable parental consent — consent from the parent, obtained through a method reasonably calculated to ensure it is actually the parent — before collecting personal information from a child under 13. This is why the API reports consent_banner and parental_consent as separate signals: the coolmathgames example above has the first and not the second, and that distinction is most of its privacy_controls_absent score.

How is "child-directed" decided?

We mirror the FTC's multi-factor test: subject matter, language and vocabulary level, visual and audio presentation, and the presence of child-oriented activities or characters. An LLM applies the test to the extracted page content and the response returns is_child_directed with a confidence value and written reasoning — so a borderline 0.6-confidence call is visibly borderline, and your reviewers spend their time exactly where the model is uncertain.

Is this only for single URLs?

No. The real-time endpoint scores individual URLs on demand, and the same scoring runs in batch against the 102M-domain database — the practical path for auditing an entire supply portfolio, ad network or filtering list rather than checking pages one at a time.

How does this relate to your other classification layers?

It composes with them on the same page fetch: IAB content categorization tells you what the page is about, the web filtering taxonomy tells you whether it belongs in a managed environment, quality scores tell you whether the content is any good, and the COPPA score tells you whether children's personal data is at stake. One URL in, four independent intelligence layers out.

Related resources

See your own inventory scored

Send us a list of domains or URLs and get back a scored sample with the full five-dimension breakdown — the same format our compliance and audit customers work from.

Request a Scored Sample Read the API Docs
Stay in the loop

You are on the list!

We will send you updates that matter — no spam.