Ad platforms, agencies, affiliate networks and fintechs are accountable for thousands of partner and publisher sites they do not control. Replace point-in-time manual audits with continuous, automated scanning: COPPA risk scoring for children's-privacy exposure, category-based detection of gambling, alcohol and pharma placements, and MFA screening for media-spend compliance — re-scored on a schedule, with diffs.
A compliance team can control its own privacy policy. It cannot control the 5,000 publishers in the network, the affiliates bidding on its brand terms, or the sites a DSP quietly added to a deal last week. Yet COPPA liability, restricted-vertical placement rules and client media policies all attach to exactly those third-party pages — and the pages change without notice.
Serving behavioral ads or dropping tracking identifiers on a child-directed site is a federal violation with per-violation penalties. The risky inventory is rarely the obvious kids' brand — it is the games portal nobody flagged as child-directed.
Gambling, alcohol and pharmaceutical content carry jurisdiction-specific placement rules. A publisher that pivots to casino affiliate content mid-contract puts every advertiser on the page out of policy — and nobody re-reviewed the site since onboarding.
The annual manual review documents what a site looked like on one afternoon. Trackers get added, privacy policies get replaced, ownership changes. A finding that is eleven months old is not evidence of compliance — it is evidence you were not looking.
Client contracts and internal standards increasingly ban Made-for-Advertising inventory outright. Proving spend stayed off MFA — continuously, not just in the RFP deck — requires scoring placements, not trusting labels.
Each check is an API call against a URL you are accountable for. Together they turn the partner list into a monitored portfolio with a defensible paper trail.
COPPA compliance scoring renders the live site
and returns a 0–100 risk score built from five sub-scores: child-directed content,
personal data collection, tracking identifiers, absent privacy controls, and content
appropriateness — each with named signals you can hand to counsel.
POST /api/coppa/score.php.
The IAB taxonomy and the
web-filtering taxonomy surface gambling, alcohol and
pharma content by classification, not keyword guesswork — one
POST /api/iab/iab_web_content_filtering.php per URL, with confidence scores that
set your escalation threshold.
MFA detection
(POST /api/mfa/score.php) scores placements 0–100 for
Made-for-Advertising risk with every signal exposed, so "no MFA inventory" clauses become
checkable line items in the placement report rather than assurances.
Because every check is an API call, monitoring is a cron job: re-score the portfolio nightly or weekly, diff against the stored baseline, and alert only on change — a new tracker on a child-directed site, a category flip into Gambling. Pre-screen at onboarding with the 102M-domain database and quality scores.
A real (trimmed) response for a children's games site. The headline number matters less than the decomposition: the site is unambiguously child-directed and runs a programmatic ad stack, while its privacy policy never mentions COPPA — a specific, actionable gap.
POST /api/coppa/score.php{
"url": "https://www.abcya.com",
"coppa_risk_score": 47,
"risk_level": "MEDIUM",
"sub_scores": {
"child_directed_content": { "score": 14, "max": 20,
"signals": ["llm_child_directed_score: 1.00",
"vocabulary_level: elementary"] },
"personal_data_collection": { "score": 2, "max": 20,
"signals": ["account_creation: signup_cta_detected"] },
"tracking_identifiers": { "score": 14, "max": 20,
"signals": ["ad_tracking_scripts: 4 detected (Google Ad
Manager / DoubleClick, Google AdSense,
Prebid.js, Google Analytics / gtag)",
"third_party_tracking_domains: 5"] },
"privacy_controls_absent": { "score": 17, "max": 20,
"signals": ["privacy_policy: found_no_coppa_mention",
"age_gate: not_detected",
"parental_consent: not_detected"] },
"content_appropriateness": { "score": 0, "max": 20,
"signals": ["toxic: 0.09", "sexual: 0.00"] }
},
"classification": { "is_child_directed": true,
"confidence": 1.0 },
"status": 200
}
BASE = "https://www.websitecategorizationapi.com"
RESTRICTED = {"Gambling", "Alcohol", "Pharmaceuticals"}
for domain in load_portfolio(): # partners, affiliates
url = f"https://{domain}"
iab = post(f"{BASE}/api/iab/iab_web_content_filtering.php",
{"query": url, "api_key": KEY, "data_type": "url"})
cats = {c["category"] for c in iab["classification"]
if c["confidence"] >= 0.60}
if cats & RESTRICTED:
open_finding(domain, "restricted-vertical", cats)
coppa = post(f"{BASE}/api/coppa/score.php",
{"query": url, "api_key": KEY})
if coppa["risk_level"] in ("HIGH", "CRITICAL"):
open_finding(domain, "coppa", coppa["sub_scores"])
diff_vs_baseline(domain, coppa) # alert only on change
mfa = post(f"{BASE}/api/mfa/score.php",
{"query": url, "api_key": KEY})
if mfa["mfa_score"] >= 66: # HIGH tier
open_finding(domain, "mfa", mfa["mfa_risk"])
The diff step is what makes this monitoring rather than auditing: yesterday's response is the baseline, and a tracking sub-score jumping from 5 to 14 on a child-directed site pages someone today — not at next year's review.
Thresholds are returned with every response, so the report your regulator or client sees uses the same scale your automation enforces:
| Score | Tier | Reading | Typical action |
|---|---|---|---|
| 0–30 | LOW | No material COPPA risk profile | Monitor on schedule |
| 31–55 | MEDIUM | Child-directed with gaps (e.g. tracking, no COPPA policy) | Remediation request to partner |
| 56–80 | HIGH | Multiple failing sub-scores on a child-directed site | Pause child-directed monetization |
| 81–100 | CRITICAL | Severe, compounding violations | Suspend and escalate to counsel |
Note how the example above lands: a well-known educational games site scores MEDIUM — not because the content is unsafe, but because four ad-tracking scripts run on a site the classifier marks child-directed with confidence 1.0, and the privacy policy is silent on COPPA. That nuance is what a keyword scan can never produce and what an auditor can act on.
No — it is evidence, structured the way counsel needs it. Each of the five sub-scores lists the concrete signals behind it (which trackers, which policy language, which form fields), so your legal team decides with facts rather than screenshots. See the COPPA compliance feature for the full methodology.
Nightly for active publisher and affiliate relationships, weekly for the long tail. Because you diff against a baseline and alert only on change, the review workload tracks how much the portfolio actually changed — not its size.
Yes. Run the partner list against the 102M-domain database first to segment by category offline, then aim the per-URL COPPA and MFA scans at the segments that matter — children's content, restricted verticals, and monetized publishers.
Send us fifty partner or publisher domains and get back a scored compliance report — COPPA risk with sub-scores, restricted-vertical flags and MFA tiers — in the format your nightly job would produce.
Try the COPPA Demo Request a Sample Read the API Docs