
We Scanned 100 Top Children's Apps. Here's What We Found.

April 10, 2026 | By Mindful Media

We ran Halo against the source code of 100 of the most popular children's apps and open-source projects targeting kids. The results surprised us, and they should concern every team building products that children use.

3,569 regulatory violations found across 100 codebases, against existing and upcoming COPPA 2.0 standards

The breakdown

Not all violations are equal. We categorized each finding by type to understand where the biggest gaps exist.

Data collection without consent: 31%

Analytics SDKs, tracking pixels, and device fingerprinting activated before any consent flow runs. The most common pattern: Firebase Analytics initialized in the app entry point, collecting data from every user regardless of age.

Dark patterns: 24%

Manipulative UI elements designed to nudge children toward actions they wouldn't otherwise take. Urgency timers on in-app purchases, confirmshaming copy on opt-out buttons, and "recommended" badges on premium features.

Missing age verification: 18%

No age gate, no date-of-birth collection, or neutral age screens that accept any input. Some apps ask for a birthday but don't enforce any logic based on the answer.

Unauthorized tracking: 15%

Geolocation, camera, or microphone access requested without explaining why. Location data collected in the background. Behavioral tracking across sessions without disclosure.

Data retention issues: 8%

No data deletion mechanism. No retention policy disclosed. User data stored indefinitely with no way for a parent to request removal.

Missing parental controls: 4%

No parental dashboard. No way to review or limit a child's activity. No mechanism for a parent to manage consent or delete data.

The financial exposure

Under COPPA 2.0, the FTC can levy penalties of $53,088 per violation per day. Applied to the violations we found across these 100 apps, the potential statutory exposure is staggering.

$189M per day

Potential statutory penalties based on the FTC's maximum per-violation rate. This is a theoretical maximum, not a prediction. Actual enforcement depends on the nature of each violation, user base size, and the company's compliance history.

Why this happens

Most of these violations aren't intentional. Engineering teams are building great products for kids. They're just doing it without visibility into the regulatory landscape.

A developer adds Google Analytics to understand user behavior. Reasonable. But if that analytics SDK fires before an age gate or consent flow, it's collecting data from minors without verifiable parental consent. That's a COPPA violation.

A designer adds a countdown timer to a sale. Standard e-commerce pattern. But if the product is used by children, that timer is a dark pattern under the UK's Age Appropriate Design Code and several US state laws.

The gap between intention and compliance is the most dangerous place to be. Regulators don't evaluate intent. They evaluate outcomes.

What you can do about it

The good news: these violations are fixable. Most require small code changes, not architectural rewrites. Add a consent flow before analytics initialization. Replace a countdown timer with a static price. Implement an age gate on account creation.
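As an added illustration of two of those fixes (this is not Halo's code or any analytics vendor's API), the sketch below enforces the age-gate answer and keeps an analytics SDK uninitialized until the gate allows it. All function names are hypothetical, the under-13 threshold is an assumption, and `parentalConsent` is assumed to come from a separate verifiable-consent flow.

```javascript
// Added example: every name here is hypothetical, not Halo's or any SDK's API.
// Assumed threshold: under-13 users are treated as children; adjust per your counsel.
const CHILD_AGE_LIMIT = 13;

// Whole years between a date of birth and `now` (UTC); null for unusable input.
function ageInYears(dob, now = new Date()) {
  const d = new Date(dob);
  if (Number.isNaN(d.getTime()) || d > now) return null;
  let age = now.getUTCFullYear() - d.getUTCFullYear();
  const beforeBirthday =
    now.getUTCMonth() < d.getUTCMonth() ||
    (now.getUTCMonth() === d.getUTCMonth() && now.getUTCDate() < d.getUTCDate());
  if (beforeBirthday) age -= 1;
  return age > 120 ? null : age; // reject implausible answers instead of accepting any input
}

// Wraps an analytics SDK so it is neither initialized nor called until the gate opens.
// `initSdk` is a caller-supplied function returning an object with logEvent(name, params).
function createGatedAnalytics(initSdk) {
  let sdk = null;
  let dropped = 0;
  return {
    // Call after the age screen and, for children, after the parental consent flow.
    // `parentalConsent` is assumed to come from a separate verifiable-consent process.
    applyGate({ dob, parentalConsent = false, now } = {}) {
      const age = ageInYears(dob, now);
      const allowed =
        age !== null && (age >= CHILD_AGE_LIMIT || parentalConsent === true);
      if (allowed && sdk === null) sdk = initSdk();
      if (!allowed) sdk = null; // fail closed: the wrapper stops forwarding events
      return allowed;
    },
    // Events before the gate opens are dropped, not queued, so nothing collected
    // pre-consent is ever sent later.
    track(name, params = {}) {
      if (sdk === null) {
        dropped += 1;
        return false;
      }
      sdk.logEvent(name, params);
      return true;
    },
    droppedCount: () => dropped,
  };
}
```

In an app, the entry point would construct the wrapper with the real SDK's initializer and call `track` freely; only the age and consent screens call `applyGate`.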

The first step is knowing what's in your code. That's why we built Halo.


Scan your own codebase

One command. Results in seconds. Find out what's in your code before a regulator does.

$ npx runhalo scan .

Methodology

We scanned 100 open-source and publicly available codebases from applications listed in the App Store and Google Play "Kids" categories. Scans were performed using Halo v1.2.5 with all 180 rules enabled. Each violation was confirmed by at least one human reviewer. We focused on code-level patterns only and did not evaluate server-side behavior, privacy policies, or operational practices. The $189M figure is a theoretical maximum based on the FTC's published per-violation penalty rate applied to the total violation count, and is presented for risk awareness purposes only.

Don't wait for an enforcement action.

Find out what's in your code. Free to start. Takes under two minutes.
