Score any URL 0–100 for children's-privacy risk in real time. One API call answers the two questions COPPA enforcement turns on — is this content directed at children under 13, and is personal data being collected from them — then decomposes the answer into five audited sub-scores your legal and compliance teams can act on, page by page, before the FTC or a plaintiff's attorney does it for you.
The Children's Online Privacy Protection Act is not a new law, but the way it is enforced has changed decisively. The FTC no longer waits for a data breach or a parental complaint: it reads the content of your pages, looks at the trackers loading on them, and asks whether a persistent identifier was set on a site or service directed to children without verifiable parental consent. Civil penalties are assessed per violation — currently more than $50,000 each under the FTC's inflation-adjusted schedule — and a "violation" can be counted per child, per collection event. At web scale that arithmetic gets catastrophic quickly, which is exactly the leverage regulators have been using in settlement negotiations.
Google and YouTube paid $170 million in 2019 for serving behaviorally targeted ads on child-directed channels. Epic Games paid a $275 million COPPA civil penalty in 2022 — the largest ever for an FTC rule violation. Musical.ly (now TikTok) set the earlier record with $5.7 million in 2019, and the DOJ sued TikTok again over COPPA in 2024. The trend line only points up.
Since the 2013 COPPA Rule amendments, persistent identifiers — cookies, device IDs, fingerprints used for behavioral advertising — are personal information. A third-party ad script on a child-directed page collects personal data from children whether or not you meant it to, and both the operator and the network with actual knowledge are on the hook.
The FTC weighs subject matter, vocabulary, visuals, music and audience evidence in a multi-factor test. In practice most companies operationalize this as a spreadsheet column filled in by whoever onboarded the site — or not at all. Nobody is measuring vocabulary level or topic mix, which is precisely the evidence the test turns on.
An SSP screens thousands of publishers; a kids' media group runs hundreds of thousands of pages; a filtering vendor labels the whole web. Reviewing each page for signup forms, tracker loads and privacy-policy language by hand is impossible — so exposure accumulates silently until a regulator or researcher measures it for you.
The COPPA Compliance Risk Score decomposes the legal question into five measurable dimensions, each scored 0–20 and summed into the 0–100 composite. Every sub-score returns its underlying signals by name — the exact form fields found, the exact tracking vendors loaded, the exact privacy-policy language matched — so the number is defensible in front of counsel, an auditor or a publisher dispute. Pages are rendered in a real headless browser with the consent dialog auto-accepted, because a crawler that never clicks "Accept" never sees the trackers that fire on real children.
Is this page directed at children under 13? An LLM judges the extracted content the way the FTC's multi-factor test does — subject matter, vocabulary level (elementary vs adult), topics and framing — and returns a calibrated 0–1 score. It is combined with:
classification object with is_child_directed, confidence and written reasoningWhat personal information does the page actually solicit? We parse the rendered DOM for:
signup_cta_detectedA birthday field on a child-directed page is one of the strongest single COPPA signals that exists.
The sub-score the YouTube and TikTok cases were built on. Because persistent identifiers are personal information under the COPPA Rule, we enumerate:
Consent is auto-accepted during rendering, so consent-gated trackers — the ones a naive crawler never observes — are counted too.
An inverted score: points accrue for safeguards that are missing. We check whether a privacy policy exists, then actually fetch and read it, looking for children's-privacy language — mentions of children, under-13 users, COPPA and parental consent. We also detect:
A kids' site whose policy never mentions children is telling you it has never had this conversation internally.
Not strictly a COPPA element, but inseparable from children's-privacy risk in practice: content moderation of the page text using Google-NLP-based classifiers for toxicity, profanity, violence and sexual content, each returned as a 0–1 probability. A page that scores child-directed and carries mature content is a reputational and regulatory problem in its own right — and a red flag for advertisers screening kids' inventory.
COPPA exposure is conjunctive: it takes child-directed content plus data collection plus absent safeguards to create liability. Equal-weighted sub-scores keep the composite interpretable — a 49 made of heavy tracking on child-directed content reads completely differently from a 49 made of missing policies on a general-audience site, and the response shows you which one you have.
POST a URL, get back the composite score, the five sub-scores with named signals, and the child-directed classification with written reasoning. Nothing is a black box — every point in the score traces to an observable fact about the page.
curl -X POST "https://www.websitecategorizationapi.com/api/coppa/score.php" \ -d "query=https://www.coolmathgames.com" \ -d "api_key=YOUR_API_KEY"
import requests
resp = requests.post(
"https://www.websitecategorizationapi.com/api/coppa/score.php",
data={"query": url, "api_key": API_KEY},
timeout=180,
)
result = resp.json()
child_directed = result["classification"]["is_child_directed"]
tracking = result["sub_scores"]["tracking_identifiers"]["score"]
if child_directed and tracking >= 10:
# persistent identifiers on child-directed content:
# the exact pattern COPPA enforcement targets
escalate_to_compliance(result)
{
"url": "https://www.coolmathgames.com",
"coppa_risk_score": 49,
"risk_level": "MEDIUM",
"sub_scores": {
"child_directed_content": {
"score": 12, "max": 20,
"signals": [
"llm_child_directed_score: 0.80",
"vocabulary_level: elementary",
"child_keywords: 1 found (kids)"
]
},
"personal_data_collection": {
"score": 11, "max": 20,
"signals": [
"form_pii_fields: name, password, username",
"account_creation: signup_cta_detected (form behind JS flow)"
]
},
"tracking_identifiers": {
"score": 16, "max": 20,
"signals": [
"ad_tracking_scripts: 18 detected (Google Ad Manager / DoubleClick,
Google AdSense, Amazon Publisher Services (TAM), Prebid.js, Criteo,
PubMatic, Magnite / Rubicon, Index Exchange, Xandr / AppNexus, TripleLift)",
"third_party_tracking_domains: 26 (proxy for third-party cookies)",
"fingerprinting: not_detected"
]
},
"privacy_controls_absent": {
"score": 10, "max": 20,
"signals": [
"privacy_policy: found_with_coppa_mention (under 13)",
"age_gate: not_detected",
"consent_banner: detected (Google Funding Choices)",
"parental_consent: not_detected"
]
},
"content_appropriateness": {
"score": 0, "max": 20,
"signals": ["toxic: 0.16", "sexual: 0.00", "profanity: 0.05", "violent: 0.00"]
}
},
"classification": {
"is_child_directed": true,
"confidence": 0.8,
"reasoning": "The content is primarily directed at children under 13,
featuring games with simple, accessible vocabulary and topics
appealing to a younger audience."
},
"status": 200
}
Read the pattern here: the page is classified child-directed with 0.8 confidence, yet loads 18 ad-tech vendors across a full header-bidding stack and contacts 26 third-party tracking domains — persistent identifiers on child-directed content, which is exactly the exposure pattern the YouTube settlement was built on. A consent banner is present, but no parental-consent mechanism was detected, and the composite lands at MEDIUM: not an emergency, but precisely the kind of page a compliance team should have on a list.
The 0–100 composite maps to four tiers. The thresholds are returned in every response, and the sub-score breakdown tells you why a page sits where it does — so the same tier can route to different actions depending on which dimension is driving it.
| Score | Tier | Meaning | Typical action |
|---|---|---|---|
| 0–30 | LOW | General-audience content, or child-directed with safeguards in place | Allow; include in periodic re-scoring |
| 31–55 | MEDIUM | Child-directed signals plus meaningful data collection or tracking | Compliance review; restrict to contextual ads pending remediation |
| 56–80 | HIGH | Likely child-directed with substantial tracking or PII collection and weak controls | Suspend behavioral monetization; escalate to legal; notify the publisher |
| 81–100 | CRITICAL | Clear child-directed content, active personal-data collection, safeguards absent | Block or remove immediately; document remediation for the record |
The LLM's calibrated judgment of the FTC's audience test, plus the measured reading level of the page text. "Elementary" vocabulary on a games site is evidence; the same vocabulary on a plain-language government page is not, and the model knows the difference.
Every PII input type found in rendered forms, by name. Sites that hide registration behind a JavaScript modal still get caught: the signup call-to-action itself is reported even when the form fields are not yet in the DOM.
Named ad-tech vendors plus the count of distinct third-party hosts contacted during the rendered session — measured after consent auto-acceptance, so what we count is what a real child's browser would load.
We follow the privacy-policy link and read the document. The signal reports the exact matched language ("under the age of 13", "parental consent"), so counsel can verify the finding in seconds without re-crawling anything.
Three distinct safeguards, reported separately — because a GDPR-style cookie banner is not an age gate, and neither one is verifiable parental consent. Conflating them is the single most common COPPA misunderstanding we see.
Google-NLP moderation probabilities for the page text. Near-zero on genuinely child-directed pages; anything elevated alongside is_child_directed: true deserves a human look regardless of the composite score.
COPPA prohibits behavioral advertising on child-directed inventory — contextual only, no persistent identifiers for targeting. Platforms screen supply at onboarding and flag child-directed domains so bid requests can be marked and behavioral demand excluded, before a researcher publishes the screenshot for them.
Self-audit every property and page on a schedule. The tracking_identifiers sub-score catches the SDK or tag a partner added last sprint; the privacy_controls check catches the policy that was never updated to mention children. Cheaper to find it yourself.
Attach a decomposed, evidence-backed score to every finding. Because each sub-score lists the exact vendors, form fields and policy language observed, audit reports survive pushback — the publisher can reproduce every claim from their own browser.
Enrich filtering products with a children's-privacy dimension: schools and family-safety products increasingly want to distinguish "safe for kids to view" from "safe for kids to be tracked on" — different questions with different answers.
No. A cookie banner implements GDPR/ePrivacy-style consent from the visitor; COPPA requires verifiable parental consent — consent from the parent, obtained through a method reasonably calculated to ensure it is actually the parent — before collecting personal information from a child under 13. This is why the API reports consent_banner and parental_consent as separate signals: the coolmathgames example above has the first and not the second, and that distinction is most of its privacy_controls_absent score.
We mirror the FTC's multi-factor test: subject matter, language and vocabulary level, visual and audio presentation, and the presence of child-oriented activities or characters. An LLM applies the test to the extracted page content and the response returns is_child_directed with a confidence value and written reasoning — so a borderline 0.6-confidence call is visibly borderline, and your reviewers spend their time exactly where the model is uncertain.
No. The real-time endpoint scores individual URLs on demand, and the same scoring runs in batch against the 102M-domain database — the practical path for auditing an entire supply portfolio, ad network or filtering list rather than checking pages one at a time.
It composes with them on the same page fetch: IAB content categorization tells you what the page is about, the web filtering taxonomy tells you whether it belongs in a managed environment, quality scores tell you whether the content is any good, and the COPPA score tells you whether children's personal data is at stake. One URL in, four independent intelligence layers out.
Send us a list of domains or URLs and get back a scored sample with the full five-dimension breakdown — the same format our compliance and audit customers work from.
Request a Scored Sample Read the API Docs