COPPA 2.0 enforcement begins April 22, 2026

The Open Source COPPA Compliance Tool & Ethical Design Linter

Ready for COPPA 2.0? Scan your app for privacy violations and dark patterns before the April 22, 2026 deadline.

Free & Open Source | 20 COPPA rules | GitHub coming soon
npx runhalo scan .
halo v0.1.0 — COPPA Compliance Scanner
Scanning 847 files...
 
HIGH coppa-audio-007 src/lib/audio-recorder.js:26
Unauthorized Audio Recording: getUserMedia({audio: true})
Penalty: $54,540 per violation per child
MED coppa-ext-017 src/components/header.jsx:70
Unwarned External Links: Missing "You are leaving..." modal
MED coppa-ui-008 src/pages/signup.tsx:42
Missing Privacy Policy on Registration Form
───────────────────────────────────────────
3 violations found across 847 files
1 high · 2 medium · 0 low

One command. Full compliance scan.

Legacy compliance tools scan for cookies. Halo scans for liability.

COPPA Scanner

Detect illegal SDKs, unauthorized data collection, missing consent flows, and biometric data leakage. 20 rules covering the full COPPA 2.0 Final Rule.

Coming Soon

Ethical Design Linter

Catch dark patterns, manipulative UI, infinite scroll, streak pressure, and attention-hijacking mechanics. Go beyond compliance to conscience.

CI/CD Integration

Add runhalo scan to your GitHub Actions. Continuous compliance on every PR. Catch violations before they ship.

Safe Harbor certification costs $15k+. Halo is free. Run it before you pay for the audit — fix the obvious issues first.

We scanned 3 real children's apps.

Here's what we found.

Scratch
MIT · Ages 8-16
3 violations
HIGH: Unauthorized audio recording: getUserMedia({audio: true})
MED: 2 unwarned external links in child-facing views
Captures microphone input without COPPA-compliant parental consent

ScratchJr
Tufts/MIT · Ages 5-7
1 violation
HIGH: Direct microphone access: new AudioRecord(MIC)
Direct mic access in an app for 5-7 year olds. No parental consent mechanism detected.

ClassroomIO
Open Source LMS
14 violations
HIGH: 7 audio/tracking issues including UGC without PII filtering
MED: 7 unwarned external links to social media
Missing privacy policy link on signup form

18 Violations Found · 11.1% False Positive Rate · 97 Tests Passing · 20 COPPA Rules

The $54,540-Per-Child Risk You Didn't Know You Had.

COPPA 2.0 enforcement begins April 22, 2026. Penalties are assessed per child, per day. A platform with 10,000 underage users that collected data without consent for 30 days faces a theoretical maximum of $16.3 billion.

The FTC isn't waiting. Disney settled for $10M in December 2025. IXL Learning and PowerSchool face active litigation right now.

Don't wait for a Civil Investigative Demand.

What Changed in COPPA 2.0

Category | Old Rule | New Rule
Personal Info | Name, email, identifiers | Now includes biometrics (voice, face, gait)
Audience | "Child-Directed" only | New "Mixed Audience" — if kids can access it, you're liable
Data Retention | "Reasonably necessary" | Strict necessity with explicit timeframes
Safe Harbor | Self-regulatory programs | Tighter oversight, public membership disclosure

Get Started in 30 Seconds

No signup. No config. Just scan.

1. Run the scan
   npx runhalo scan .

2. Review violations
   Each finding includes the rule, penalty, and fix suggestion

3. Ship compliant
   Add to CI/CD for continuous compliance on every PR

Open source core — free forever.

CLI, 20 COPPA rules, VS Code extension, JSON/SARIF output, .haloignore

GitHub coming soon

Pro features coming soon — CI/CD dashboard, compliance reports, scan history

Coming Soon

Design Conscience

COPPA compliance is the floor, not the ceiling. Halo's ethical design linter catches dark patterns, manipulative mechanics, and attention-hijacking — the things regulation hasn't caught up with yet.

No infinite scroll
No streak pressure
No variable rewards
No manipulative notifs
No artificial scarcity

FAQ

When is the COPPA 2.0 compliance deadline?
April 22, 2026. The FTC's COPPA 2.0 Final Rule (published April 22, 2025) includes a 12-month grace period ending April 22, 2026. After that date, enforcement begins with penalties up to $54,540 per violation per child per day.

Is Halo free?
Yes. The core scanner is open source and free forever. Run it with npx runhalo scan . in any Node.js project. Pro features (CI/CD dashboard, compliance reports, scan history) are coming soon.

What does Halo scan for?
COPPA 2.0 violations including PII collection without consent, missing consent flows, data retention issues, unauthorized tracking SDKs, biometric data leakage (voice, face, gait), unwarned external links, and missing privacy policies. 20 rules covering the full COPPA 2.0 Final Rule.

Does Halo work with my framework?
Halo scans source code files directly — it works with React, Vue, Angular, Svelte, plain HTML/JS, and any other web framework. It also scans Java (Android) and Swift (iOS) files. If it's text, Halo can scan it.