COPPA 2.0 enforcement begins April 22, 2026

The Open Source COPPA 2.0 Audit Scanner & Ethical Design Linter

Prepare for COPPA 2.0. Scan your codebase for potential privacy risks and dark patterns before the April 22, 2026 deadline.

terminal
Copied!
Free & Open Source | 20 COPPA rules | View on GitHub
npx runhalo scan .
halo v0.1.0 — COPPA Risk Scanner
Scanning 847 files...
 
HIGH coppa-audio-007 src/lib/audio-recorder.js:26
Unauthorized Audio Recording: getUserMedia({audio: true})
Penalty: $54,540 per violation per child
MED coppa-ext-017 src/components/header.jsx:70
Unwarned External Links: Missing "You are leaving..." modal
MED coppa-ui-008 src/pages/signup.tsx:42
Missing Privacy Policy on Registration Form
───────────────────────────────────────────
3 potential issues found across 847 files
1 high · 2 medium · 0 low

One command. Deep codebase scan.

Legacy tools scan for cookies. Halo scans for risk.

COPPA Scanner

Identify known high-risk SDKs, data collection patterns, missing consent flows, and biometric data leakage. 20 rules covering the full COPPA 2.0 Final Rule.

Coming Soon

Ethical Design Linter

Catch dark patterns, manipulative UI, infinite scroll, streak pressure, and attention-hijacking mechanics. Go beyond scanning to ethics.

CI/CD Integration

Add runhalo scan to your GitHub Actions. Continuous scanning on every PR. Surface risks before they ship.

Safe Harbor certification costs $15k+. Halo is free. Run it before you pay for the audit — fix the obvious issues first.

We scanned 3 real children's apps.

Here's what we found.

Scratch

MIT · Ages 8-16

3
HIGH

Unauthorized audio recording: getUserMedia({audio: true})

MED

2 unwarned external links in child-facing views

Captures microphone input without detected parental consent mechanism

ScratchJr

Tufts/MIT · Ages 5-7

1
HIGH

Direct microphone access: new AudioRecord(MIC)

Direct mic access in an app for 5-7 year olds. No parental consent mechanism detected.

ClassroomIO

Open Source LMS

14
HIGH

7 audio/tracking issues including UGC without PII filtering

MED

7 unwarned external links to social media

Missing privacy policy link on signup form
18
Issues Detected
11.1%
False Positive Rate
97
Checks Passing
20
COPPA Rules

The $54,540-Per-Child Risk
You Didn't Know You Had.

COPPA 2.0 enforcement begins April 22, 2026. Penalties are assessed per child, per day. A platform with 10,000 underage users that collected data without consent for 30 days faces a theoretical maximum of $16.3 billion.

The FTC isn't waiting. Disney settled for $10M in December 2025. IXL Learning and PowerSchool face active litigation right now.

Don't wait for a Civil Investigative Demand.

What Changed in COPPA 2.0

Category Old Rule New Rule
Personal Info Name, email, identifiers Now includes biometrics (voice, face, gait)
Audience "Child-Directed" only New "Mixed Audience" — if kids can access it, you're liable
Data Retention "Reasonably necessary" Strict necessity with explicit timeframes
Safe Harbor Self-regulatory programs Tighter oversight, public membership disclosure

Are You at Risk?

Check the boxes that apply to your product.

Get Started in 30 Seconds

No signup. No config. Just scan.

1

Run the scan

npx runhalo scan .
2

Review findings

Each finding includes the rule, risk level, and fix suggestion

3

Ship with confidence

Add to CI/CD for continuous scanning on every PR

Open source core — free forever.

CLI, 20 COPPA rules, VS Code extension, JSON/SARIF output, .haloignore

View on GitHub

Pro features coming soon — CI/CD dashboard, compliance reports, scan history

Coming Soon

Design Conscience

COPPA compliance is the floor, not the ceiling. Halo's ethical design linter catches dark patterns, manipulative mechanics, and attention-hijacking — the things regulation hasn't caught up with yet.

No infinite scroll
No streak pressure
No variable rewards
No manipulative notifs
No artificial scarcity

FAQ

When is the COPPA 2.0 compliance deadline?
April 22, 2026. The FTC's COPPA 2.0 Final Rule (published April 22, 2025) includes a 12-month grace period ending April 22, 2026. After that date, enforcement begins with penalties up to $54,540 per violation per child per day.
Is Halo free?
Yes. The core scanner is open source and free forever. Run it with npx runhalo scan . in any Node.js project. Pro features (CI/CD dashboard, compliance reports, scan history) are coming soon.
What does Halo scan for?
Potential COPPA 2.0 risks including PII collection patterns, missing consent flows, data retention issues, known high-risk tracking SDKs, biometric data leakage (voice, face, gait), unwarned external links, and missing privacy policies. 20 rules covering the full COPPA 2.0 Final Rule.
Does Halo work with my framework?
Halo scans source code files directly — it works with React, Vue, Angular, Svelte, plain HTML/JS, and any other web framework. It also scans Java (Android) and Swift (iOS) files. If it's text, Halo can scan it.