Age-Mixed Audiences Under COPPA: How Apps Navigate the Actual Knowledge Standard

The Eight-Factor “Directed to Children” Test

COPPA’s threshold question is not what the operator intends — it is what the FTC concludes after applying a multi-factor test to the actual product. Under 16 CFR § 312.2, the Commission evaluates whether a website or online service is “directed to children” using eight enumerated factors: subject matter; visual content; use of animated characters or child-oriented activities; music or other audio content; age of models; presence of child celebrities or celebrities who appeal to children; advertising promoting or appearing on the service; and competent and reliable empirical evidence regarding audience composition. No single factor is dispositive. The determination requires consideration of the totality of the circumstances.

The 2025 COPPA Rule amendments expanded the evidentiary scope significantly. The FTC now considers marketing or promotional materials or plans, representations made to consumers or third parties, reviews by users or third parties, and the ages of users on similar websites or services. In practice, that means an operator’s own pitch deck, influencer briefs, app store marketing copy, and press releases are all on the FTC’s checklist. The service does not need to be marketed as a children’s product to be treated as one.

Two enforcement cases illustrate the bilateral risk. In the Musical.ly settlement, the FTC applied the multi-factor test to a platform that marketed itself as general-audience and concluded it was directed to children based on visual content, subject matter, and demonstrated audience composition — the operator’s self-characterization was irrelevant. In the Google/YouTube investigation, the FTC used the platform’s own internal channel-rating system against it: YouTube had classified numerous channels as child-directed, and FTC Chairman Simons stated those channels were “websites or services directed to children under the Rule.”

The practical implication is that internal business data — audience analytics, content categorization tags, demographic research, and advertiser-facing materials — can establish the very finding operators seek to avoid. A 13+ Terms of Service provides no protection: the FTC has confirmed that a service may be deemed directed to children even when its ToS explicitly prohibits users under 13. The ToS reflects what the operator says. The eight-factor test reflects what the FTC sees.

The “Actual Knowledge” Standard

General-audience operators are not automatically bound by COPPA’s notice and consent requirements for every user. The statute reaches them only when they have “actual knowledge” that a child under 13 is providing personal information. But actual knowledge is not limited to what an operator actively seeks — it includes what it passively receives.

The FTC’s guidance makes clear that COPPA does not require companies to ask users their age to establish actual knowledge. Without ever asking a user’s age, an operator may still acquire that knowledge if it receives data — grade level, birth date, parental inquiry, or platform-partner report — that allows it to determine the user is under 13. The trigger is the information received, not the question asked.

Four sources have generated actual knowledge findings in FTC enforcement actions:

• User registration data. In the Yelp settlement, the company collected birth dates during mobile app registration that indicated users were under 13. The FTC treated those birth dates as actual knowledge — Yelp’s own intake form created the obligation it failed to honor.
• Internal business intelligence. In the Epic Games case, the FTC cited scores of internal documents confirming employee awareness of child users, internal surveys, and market research showing 53% of children aged 10–12 played Fortnite weekly. User surveys and analytics dashboards are evidentiary assets in an FTC investigation.
• Third-party platform reports. Also in the Epic case, when a console platform notified Epic that a specific user was under 13, Epic failed to take COPPA compliance steps. That notification constituted actual knowledge from the moment it was received.
• User-generated content on operator-owned platforms. In the HoYoverse case, the FTC pointed to social media posts on HoYoLAB — Genshin Impact’s own social network — containing photographs, videos, and audio files from which a child’s age was apparent. Operators who run community features are monitoring data streams that can generate actual knowledge.

There is a safe harbor for operators who implement neutral age screening: an operator may rely on the age information its users enter, even if inaccurate, as long as the screening mechanism is neutral and not designed to encourage falsification. But that protection is prospective and conditional. If the operator later determines a particular user is under 13 — from any of the four sources above — the notice and consent obligations attach immediately regardless of what the user originally entered.

The Mixed-Audience Design Problem — Two Compliance Strategies

The 2025 COPPA Rule formally codified what practitioners had long been advising informally: there is a distinct legal category for services that are child-directed but not primarily so. A “mixed audience” website or online service is one that is directed to children under the Rule’s multi-factor test but does not target children as its primary audience because it also targets adults or older teens. Critically, a general-audience service does not become mixed-audience merely because some children use it — the child-directed factors must actually be present in the product’s design and content.

Once a service qualifies as mixed-audience under the 2025 Rule, operators face a binary. There is no middle ground.

• Strategy A — Treat all users as children. Apply COPPA’s full notice and verifiable parental consent requirements to every user. This is operationally simple and legally clean, but it means collecting parental consent at scale before any personal information is gathered — a significant product friction and a material constraint on data collection architecture.
• Strategy B — Neutral age screening with tiered compliance. Implement an age gate before collecting any personal information. Users who identify as 13 or older may proceed without parental consent. Users under 13 must receive COPPA-compliant treatment: parental notice, verifiable consent, and access to a non-data-collecting experience. Critically, operators cannot deny access to under-13 users — they can only condition full data collection on parental consent or offer a data-free mode.

Before the age screen is completed, the operator may collect no personal information at all — beyond what is strictly necessary to determine age. That means anonymous-mode operation as the default state for any unverified visitor.

The Epic Games consent order illustrates what happens when Strategy A is implemented poorly: the FTC required Epic to treat all existing Fortnite users as children until they passed a neutral age gate — a retroactive reversal across hundreds of millions of accounts. The operational cost of retroactive remediation is categorically larger than building the architecture correctly in advance. Strategy B requires upfront engineering investment; getting Strategy A wrong requires rebuilding everything under enforcement oversight.

Age Gates — What Works, What Doesn’t, and Why “Born in What Year” Fails

Not every age gate qualifies as neutral under COPPA. The FTC has published specific requirements, and the 2025 Rule codified additional constraints. Getting the design wrong means the gate provides no legal protection — the operator bears the same exposure as if no gate existed.

What does not qualify as neutral:

• Checkbox affirmations. The FTC has stated explicitly that a checkbox stating “I am over 12 years old” is not a neutral age-screening mechanism. It invites falsification without actually eliciting an age.
• Feature-differential messaging. Framing the age gate to indicate that users 13 and older receive additional features or a better experience constitutes improper incentivization. The 2025 Rule explicitly prohibits suggesting that visitors 13+ receive “additional benefits or a better experience.”
• Prospective-only coverage. Epic’s 2019 age gate failed in part because it applied only to new accounts — leaving hundreds of millions of existing users unverified. A gate that covers only new registrations while grandfathering an unverified legacy base provides no protection for that base.
• Third-party access-point gaps. Also in the Epic case, the age gate failed to capture players accessing Fortnite through console platforms. Any authentication path that bypasses the age screen is a coverage gap the FTC will treat as an architectural failure.

What does qualify: An open-field date-of-birth entry — allowing a user to freely enter month and year of birth — is the FTC’s stated example of a neutral screen. The FTC also recommends using a session cookie to prevent a user from back-buttoning to enter a different age, closing the most obvious circumvention vector.

The regulatory direction of travel is toward more robust verification. The FTC’s February 2026 age verification policy statement provides that operators may use technical age verification methods without first obtaining parental consent, so long as they limit use and disclosure to age determination purposes, delete the verification data promptly, provide clear notice to parents and children, implement reasonable security safeguards, and take reasonable steps to ensure the verification method produces accurate results. Self-reported birth dates remain legally sufficient for now — but the FTC has signaled that technical verification is the direction it expects the industry to move.

Enforcement Precedent — HoYoverse, Fortnite, and the Price of Getting It Wrong

Three enforcement actions define the current COPPA exposure landscape for mixed-audience digital products. Each established both a monetary penalty and an injunctive order — and the injunctive provisions are as operationally significant as the fines.

Google/YouTube — $170 million (2019). The FTC’s record settlement at the time established that a general-audience hosting platform bears COPPA obligations for child-directed channels it knowingly carries. Despite knowledge that child-directed channels operated on YouTube, Google served behavioral advertising on those channels — tracking viewers’ cookies and IP addresses across content the platform itself recognized as child-directed. The settlement required YouTube to develop a system for channel operators to designate child-directed content and to suspend behavioral advertising on such content.

Epic Games/Fortnite — $275 million COPPA penalty (2022). The largest COPPA civil penalty in history arose from three compounding failures: collecting personal information from under-13 users without parental consent; enabling default-on voice and text chat that matched children with strangers despite receiving repeated parental complaints and internal employee warnings; and implementing an age gate that applied only prospectively to new accounts. The consent order required retroactive age screening of all existing users and deletion of data previously collected from minors. Documented complaints that an operator ignores are direct evidence of willfulness — they inform both the liability finding and the penalty calculation.

HoYoverse/Genshin Impact — $20 million (2025). The FTC identified Genshin Impact as directed to children based on anime-style cartoon graphics, child-appealing character designs, child-oriented in-game events such as a “Hide & Seek” activity, and influencer marketing placed alongside Minecraft and Roblox content. HoYoverse collected user IDs and device-related persistent identifiers and shared them with third-party analytics firms and advertisers without parental consent. The settlement required deletion of all data from users under 13, a ban on loot box sales to users under 16 without parental consent, and deployment of age-gating technology the FTC noted HoYoverse “could have deployed” from the outset.

Across all three cases, the FTC’s injunctive remedies converge on the same architecture: neutral age screening before any data collection, parental consent for under-13 users, deletion of improperly collected data, and default-protective settings. These are not aspirational standards — they are the minimum remedial requirements the FTC imposes after enforcement. Building them in advance is both legally sound and materially cheaper than retrofitting under a consent order.

Neutral Design Strategies — How to Build a Mixed-Audience Product That Manages COPPA Risk

COPPA compliance for mixed-audience products is not primarily a legal operations problem — it is a product architecture problem. The operators who have faced enforcement did not lack lawyers; they built products that accumulated child data before designing the guardrails. Four proactive design levers address the structural risk.

1. Anonymous-mode default before age verification. The 2025 Rule’s requirement that operators collect no personal information from any visitor whose age has not yet been confirmed is also the strongest risk-reduction design available: if no data is collected before age verification, there is no improperly collected data. Every user begins in an anonymous state. Data collection begins only after the age screen is passed. Under-13 users who provide parental consent or choose a data-free experience never have personal information collected without authorization.

2. Data minimization and written retention policy. The 2025 Rule requires operators to retain children’s personal information only as long as reasonably necessary to fulfill the specific purpose for which it was collected — indefinite retention is prohibited. For mixed-audience products, applying the same minimization standard to all users reduces the amount of data that could later be characterized as improperly collected if a child user is subsequently identified. Short retention periods, vendor deletion obligations, and documented retention schedules are affirmative Rule requirements, not best practices.

3. Parental dashboard with default-protective settings. The Microsoft Xbox consent order established the template: child accounts default to the most restrictive privacy settings, and parents receive notice that creating a dedicated child account provides additional default protections. Building a parental dashboard proactively operationalizes the remedy the FTC would impose after enforcement and demonstrates good-faith architecture to regulators evaluating willfulness.

4. ESRB Privacy Certified or kidSAFE safe harbor enrollment. Operators who comply with an FTC-approved safe harbor program’s guidelines are deemed to be in compliance with the core COPPA Rule requirements. The compliance presumption reduces enforcement exposure and provides a documented audit trail. It is evidentiary protection, not litigation immunity: the FTC retains authority to investigate and act against any safe harbor participant found in actual violation. But enrollment demonstrates that an operator built its product against an independently audited compliance standard, which matters substantially in willfulness and penalty calculations.

The FTC’s note in the HoYoverse case that the company “could have deployed widely available age-gating technology” is a reasonableness benchmark. The argument that COPPA-compliant architecture is technically impractical is no longer available. The technology exists, the enforcement record is clear, and the April 2026 compliance deadline for the 2025 Rule amendments is present.

Practical Decision Framework — When to Treat Your Product as Directed to Children

The following three-gate framework is practitioner guidance derived from the regulatory text and the FTC’s enforcement record. It is not a formal FTC safe harbor and does not replace legal counsel — but it reflects the analytical structure the Commission has applied in every major COPPA action since 2019.

Gate 1: Run the directed-to-children test against your product as it actually exists. Pull every factor: subject matter, visual design, animated characters or child-oriented activities, audio content, models’ ages, celebrity appeal, and advertising placements. Then add the 2025 additions: marketing or promotional materials, third-party representations, user reviews, and audience demographics of comparable services. Do not audit the product you planned to build — audit the app store listing, the pitch deck you sent to investors, the influencer brief you gave to creators, and the analytics you receive from your ad network. If three or more factors point toward a child audience, treat the product as directed to children and move to Gate 2. This three-factor threshold is practitioner heuristic, not FTC authority — any factor combination requires analysis of the totality of circumstances.

Gate 2: If the service is mixed-audience, build neutral age screening and an anonymous-mode default. Under the 2025 amended Rule, operators of mixed-audience services must implement age screening before collecting any personal information — not as a best practice, but as a hard design requirement. The age screen must be neutral: open-field date-of-birth entry, no feature-differential messaging, no checkbox affirmations, retroactive coverage of existing accounts, and universal coverage of all authentication paths including third-party SSO and platform integrations. Until age is confirmed, the product operates in anonymous mode — zero personal data collected. After confirmation, adults proceed normally; users under 13 receive the parental consent flow or a data-free experience.

Gate 3: Monitor continuously for actual-knowledge triggers and treat each as a compliance action item. The FTC’s enforcement record identifies five sources that have established actual knowledge: user registration data (birth dates); internal business intelligence (surveys, analytics, employee communications); third-party platform reports; customer service complaint logs; and user-generated content on operator-owned social platforms. Each of these data streams requires a defined intake protocol. When a trigger is received, COPPA’s obligations attach immediately — not on the next product release cycle.

Once Gate 2 architecture is in place, consider enrolling in an FTC-approved COPPA Safe Harbor program (ESRB Privacy Certified, kidSAFE, or BBB National Programs). Compliance with an approved program’s guidelines creates a presumption of compliance with the Rule’s core requirements — the single most durable evidentiary protection available short of a consent order.

The April 22, 2026 compliance deadline for the 2025 Rule amendments makes this framework an active project. The mixed-audience definition, the anonymous-mode requirement, the age screening mandate, and the data minimization obligations are all operative. Operators still building toward compliance have a shrinking runway.