Prepare for COPPA 2.0. Scan your codebase for potential privacy risks and dark patterns before the April 22, 2026 deadline.
Legacy tools scan for cookies. Halo scans for risk.
Identify known high-risk SDKs, data collection patterns, missing consent flows, and biometric data leakage. 20 rules based on the COPPA 2.0 Final Rule.
Help detect dark patterns, manipulative UI, infinite scroll, streak pressure, and attention-hijacking mechanics. Move beyond scanning to ethical design patterns.
Add runhalo scan to your GitHub Actions. Continuous scanning on every PR. Surface potential risks before they ship.
Safe Harbor certification costs $15k+. Halo is free. Run it before you pay for the audit — fix many obvious issues first.
39,000+ GitHub stars. Here's what we found.
MIT · Ages 8-16
Unauthorized audio recording: getUserMedia({audio: true})
2 unwarned external links in child-facing views
Tufts/MIT · Ages 5-7
Direct microphone access: new AudioRecord(MIC)
Open Source LMS
7 audio/tracking issues including UGC without PII filtering
7 unwarned external links to social media
COPPA 2.0 enforcement begins April 22, 2026. Penalties are assessed per child, per day. A platform with 10,000 underage users that collected data without consent for 30 days faces a theoretical maximum of $16.3 billion.
The FTC isn't waiting. Disney settled for $10M in December 2025. IXL Learning and PowerSchool face active litigation right now.
Don't wait for a Civil Investigative Demand.
| Category | Old Rule | New Rule |
|---|---|---|
| Personal Info | Name, email, identifiers | Now includes biometrics (voice, face, gait) |
| Audience | "Child-Directed" only | New "Mixed Audience" — if kids can access it, scrutiny increases |
| Data Retention | "Reasonably necessary" | Strict necessity with explicit timeframes |
| Safe Harbor | Self-regulatory programs | Tighter oversight, public membership disclosure |
No signup. No config. Just scan.
npx runhalo scan .
Each finding includes the rule, risk level, and fix suggestion
Add to CI/CD for continuous scanning on every PR
CLI, 20 COPPA rules, VS Code extension, JSON/SARIF output, .haloignore
Get notified when Pro launches — CI/CD dashboard, compliance reports, scan history.
COPPA alignment is the floor, not the ceiling. Halo's ethical design linter helps identify dark patterns, manipulative mechanics, and attention-hijacking — the things regulation hasn't caught up with yet.
Everything in the open source scanner, plus the tools your team needs to stay compliant at scale.
Scan history, trend charts, team-wide visibility across all repos.
PDF/HTML reports for legal teams. Exportable audit trail for regulators.
Centralized config, shared ignore rules, role-based access.
Real-time alerts when new violations appear in PRs or main branch.
AI-generated consent flows, age gates, and privacy policy scaffolds.
California Age-Appropriate Design Code Act scanning. Beyond federal COPPA.
Run npx runhalo scan . in any Node.js project. Pro features (CI/CD dashboard, compliance reports, scan history) are coming soon.