ISL Finds Location-Based Advertising on Kids’ Site

Written by Internet Safety Labs
May 8, 2024

Updated May 21, 2024: Since our original post, Sandbox Group has taken steps to make clear that is not intended for children under the age of 13, and that children under 13 should instead use Note however, that the advertising behavior in (particularly including the use of location information) is risky for users of any age. See the update at the end of the post for more details. 

1  Executive Summary

Last year, Internet Safety Labs (ISL) observed that website (from, LLC [referred to as “Cool Math”], owned by Sandbox Group) contained location-based behavioral advertisements. Using the Federal Trade Commission’s guidelines on a “child-directed” website, ISL believes may fall under the protections afforded by the US Children’s Online Privacy Protection Rule (COPPA).   ISL had seen Cool Math before, as it came up in our 2022 K-12 EdTech benchmark where twenty-five (3.8%) schools in the sample recommended or required Cool Math Games to students. Twenty-one (84%) of those 25 schools were elementary or middle schools (i.e. schools with children under the age of 13; see Table 8.1 for more details).   Of note, however, there is another Cool Math site called which has different ad behavior that may be compliant with COPPA. However, none of the schools in our 2022 benchmark recommended   Both Cool Math sites utilize a COPPA Safe Harbor Certified [by KidSafe] advertising platform from Playwire, who is also listed as the “ManagerDomain” for both Cool Math websites’ ads.txt files. The ManagerDomain role is responsible for managing ads on the domain. 

  • ISL wonders what Playwire’s responsibility is in ensuring that the COPPA Certified configuration is applied to child-directed sites for which it is the manager domain in the ads.txt file.
  • ISL further questions whether an ad platform really can/should be COPPA Safe Harbor certified, since they can be easily configured as either COPPA compliant or non-compliant, as seems to be the case with the Cool Math websites. 

ISL requested that, LLC / Sandbox Group modify the site, removing the behavioral advertising [i.e. suggested that they use the seemingly COPPA compliant version of the ads.txt file]. Despite our repeated attempts, Sandbox Group did not modify the site and the behavioral ads remain on the site.  

Description of Problem(s)


Number of Monthly Users:  13.03M monthly visitors.  74% from the USA, 6% each from the UK and Australia, 5% from Canada, and about 1% from New Zealand. (Source: 

Description of Problem:  While evaluating, ISL observed the presence of location based behavioral advertising and cross-site trackers uniquely identifying users (i.e. children).   Despite being contacted several times by ISL, Sandbox Group, the parent company Cool Math Games, has not acted on ISL’s request to change the advertising behavior in  

3  Details

The homepage has multiple ads on its website. As seen below in Figure 3.1, without scrolling the page the user sees three (3) advertisements. Thus, upon loading the webpage, viewer information is sent into the Real Time Bidding (RTB) stream as a part of filling the ad spaces on the homepage. This information includes data such as a unique user identifier, as well as geolocation information. These advertisements are not generic/contextual. The advertisement indicated “1”, contains geolocation information which is blurred for researcher privacy.  

Figure 3.1

Figure 3.2 shows the geolocation information in clear text in the website’s trafficAlong with the geolocation information, internet service provider (ISP) information is also collected and transferred.  Again, the geolocation information has been blurred for researcher privacy.

Figure 3.2

3.1  Ads.txt Files

Per the Internet Advertising Bureau (IAB) standard, any website that serves advertisements should contain an “ads.txt” file. This file can usually be found at /ads.txt, and contains a list of the Authorized Digital Sellers for ads served on the website. (Note that there is also a version of Authorized Digital Sellers for mobile apps, called app-ads.txt) Figure 3.3 shows the ads.txt files for, which indicates that the file is managed by 

Figure 3.3

In network traffic, researchers saw calls to a Playwire configuration json file. Figure 3.4 shows this configuration file, with the pertinent information for expanded. Note the presence of a “coppa” flag [set to “false”] as well as website categories including “kids” andgames_casual. Playwire offers COPPA compliant advertising services, but we can see this does not appear to be applied to, despite the primary category being, by their own designation “kids. 

Figure 3.4


These findings lead to three concerns.  

  1. First and foremost is the concern over the presence of behavioral ads—particularly location-based—in the website, a service that is recommended to students in elementary and middle schools around the country. In the ISL 2022 EdTech benchmark, 21 elementary or middle schools (with students as young as pre-K) recommended (see Table 8.1)    
  2. Second, how much responsibility does Playwire have in this scenario? It’s clear in their pre_content config file that the site is for “kids” but the COPPA flag is set to false. Moreover, Playwire has the role of ManagerDomain for the ads.txt file. What is their responsibility in this case? 
  3. Finally, ISL questions whether ad platforms like Playwire can realistically be COPPA Safe Harbor Certified—at least in the way that it is currently being performed. COPPA certification for ad platforms requires monitoring of the deployed configuration, and that does not appear to be happening right now. ISL was able to have a discussion with kidSAFE regarding these concerns, and the issue appears to be systemic in nature, i.e. with the nature of the Safe Harbor certification program requirements as prescribed by COPPA and the FTC. 

5  ISL’s Responsible Disclosures

ISL undertook the following efforts to make aware of the concerns stated in this report:

  1. December 12, 2023: ISL sends first email sent to 
  2. December 19, 2023: ISL receives response from Sandbox Group, including a number of questions. 
  3. December 22, 2023: ISL sends response with detailed data/files from research and answers to questions. No response was received. 
  4. January 16, 2024: ISL sends an email seeking a response. (None received.) 
  5. February 22, 2024: ISL sends another email seeking a response. (None received.)  

ISL also sent emails to Playwire ( on December 12, 2023 and twice on January 16, 2024, all times receiving an automated and unhelpful response. 

6  Call to Action for LLC, Sandbox Group, and Playwire

Once again, ISL requests that LLC and Sandbox Group to remove behavioral advertising from In particular: 

  1. Inform the ad networks and exchanges you partner with that this site is child-directed and should therefore receive COPPA protections, and  
  2. Immediately change the CoolMathGames ads.txt and app-ads.txt files for the website and the two mobile apps to the appropriate “Playwire COPPA Ads.txt” files.  

ISL also requests that Playwire take a more active role in providing the right ads.txt files for child-directed sites.  

7  Safety Suggestions

ISL suggests that schools refer students to instead of until behavioral advertising is removed from the latter site.

8  References

The following table 8.1 lists the schools from the ISL 2022 K-12 EdTech Safety Benchmark found to be recommending or requiring the use of CoolMathGames to students. 

Table 8.1 Schools in 2022 EdTech Benchmark Recommending CoolMathGames

About ISL Responsible Disclosures 

As a non-profit, independent product safety watchdog organization, Internet Safety Labs (ISL) is dedicated to catalyzing software changes to keep people safer while using technology. To this end, we sometimes discover serious safety risks as we conduct our ongoing research; we aren’t looking for these, but we happen upon them (such was the case with the dangling domain that Apple ultimately purchased, keeping potentially millions of people safe).  When we find these risks, our practice is to contact the developer and request that they make a specific change. We call this a responsible disclosure of a safety risk in the software, similar to the responsible disclosure of a security vulnerability. The best outcome is that the developer makes the change, and we then commend their commitment to keeping their users safe.   No organization is exempt from our safety scrutiny—whether it’s a commercial entity, a non-profit organization, or government organization. Our responsible disclosures of safety risks are offered in a constructive and supportive spirit, working from an assumption that the organization may not be aware of the risk. 

May 21, 2024 Update 

Since our original post, ISL has observed the following changes to and related materials: 

  1. The website has been modified to include a “Games for Kids” notification and link to in the upper right corner:

    Figure A.1

  2. The privacy policy was updated on May 11, 2024 and now includes the highlighted statement: is designed for users aged 13 and older. By accessing our Website, you attest that you are at least 13 years of age. If you are under 13 years of age, please visit our kids gaming website at”

    Figure A.2

  3. The terms of service has been similarly updated:

    “ is designed for users aged 13 and older. By accessing our Website, you attest that you are at least 13 years of age. If you are under 13 years of age, please visit our kids gaming website at”

    Figure A.3

  4. The “Kids” tag was removed from the Playwire config file, leaving only “games_casual“. The COPPA flag remains set to “false”:

    Figure A.4

ISL appreciates, LLC / Sandbox Group‘s recent efforts in clarifying that isn’t intended for children and students under the age of 13. This type of labeling is important and ISL would like to see it in place as a universal practice.

While ISL is glad that, LLC / Sandbox Group made these changes, we are disappointed that the changes didn’t come when we made the initial, private disclosure, and instead only happened after our 90-day window had expired and we published the first version of this blog post.