This is a guide on how to design your apps (and websites, since apps are a subset of the web) for children aged under 13 on the privacy front and under the rules of COPPA 2013.
This guide has one goal: we want to help you find your way to the app stores as fast as possible and would like to help you become compliant with privacy regulations. Below you will find a very comprehensive guide that runs you through the most important aspects of COPPA.
For our US readers: this information is provided as a general guide to the issues, and is not legal or technical advice.
In a nutshell: If you develop apps or run websites directed to children under 13 years of age and collect their personal information, you are very likely to fall under COPPA and should therefore follow its rules.
1. What is COPPA?
COPPA is an abbreviation for the Children’s Online Privacy Protection Act, which was enacted by Congress in 1998 and required the Federal Trade Commission to issue and enforce regulations concerning children's online privacy. The amended Rule became effective on July 1st, 2013. The primary goal of COPPA is to protect children's privacy online (including in the mobile ecosystem). COPPA puts parents in control over what information is collected from their children.
2. When Do I Fall under COPPA?
When do you as a web or mobile developer or operator/owner of these services fall under COPPA? And what does that fact mean for you? The Rule applies to operators of commercial websites and online services (again, it includes mobile apps) directed to children under 13 that collect, use, or disclose personal information from children. It also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. Let us dissect this catalogue:
- Operators of commercial websites and online services
- directed to children under 13
- that collect, use, or disclose personal information from children.
It also applies to:
- operators of general audience websites or online services
- if they have actual knowledge that they are collecting, using, or disclosing personal information
- from children under 13.
And it applies to:
- websites or online services that have actual knowledge that
- they are collecting personal information directly from users of another website or online service
- directed to children
There are a few things we still have to look at more deeply here. What is a website or online service as they are quoted in the Rule? What is personal information exactly? And what does collect, use or disclose mean in this context? Turns out the terms in the Rule are mostly defined broadly:
2.1 Website or online service?
- mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads)
- internet-enabled gaming platforms
- advertising networks
- internet-enabled location-based services
- voice-over internet protocol services
2.2 Personal Information
What kind of information is considered personal and therefore triggers the COPPA compliance requirement? This is important: COPPA has updated the list of "personal information" that cannot be collected without parental notice and consent to include geolocation information, photographs, video and audio files that contain a child’s image or voice. In full, the list of personal information looks like this:
- full name;
- home or other physical address, including street name and city or town;
- online contact information like an email address or other identifier that permits someone to contact a person directly — for example, an IM identifier, VoIP identifier, or video chat identifier;
- screen name or user name where it functions as online contact information;
- telephone number;
- Social Security number;
- a persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier;
- a photo, video, or audio file containing a child’s image or voice;
- geolocation information sufficient to identify a street name and city or town; or
- other information about the child or parent that is collected from the child and is combined with one of these identifiers.
What is, then, the collection of personal information like the above?
2.3 Collecting Personal Information
- let information be made publicly available (for example, with an open chat or posting function)
- unless you take reasonable measures to delete all or virtually all personal information before postings are public and delete all information from your records;
- or passively track a child online.
If another company collects personal information through your child-directed site or service — through an ad network or plug-in, for example — you’re responsible for complying with COPPA. If you have actual knowledge that you’re collecting personal information directly from users of a child-directed site or service, you’re responsible for complying with COPPA, too. So how do you go from being required to follow COPPA's rules, to actually complying?
3. How Do I Comply with COPPA?
- Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
- Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
- Provide parents access to their child's personal information to review and/or have the information deleted;
- Give parents the opportunity to prevent further use or online collection of a child's personal information;
- Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
- Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
Let us dissect this again:
- that you won’t require a child to disclose more information than is reasonably necessary to participate in an activity;
- that they can review their child’s personal information, direct you to delete it, and refuse to allow any further collection or use of the child’s information;
- that they can agree to the collection and use of their child’s information, but still not allow disclosure to third parties unless that’s part of the service (for example, social networking); and
- the procedures to follow to exercise their rights.
3.2 Provide direct notice to parents and obtain verifiable parental consent
- that you collected their online contact information for the purpose of getting their consent;
- that you want to collect personal information from their child;
- that their consent is required for the collection, use, and disclosure of the information;
- the specific personal information you want to collect and how it might be disclosed to others;
- how the parent can give their consent; and
- that if the parent doesn’t consent within a reasonable time, you’ll delete the parent’s online contact information from your records.
If you change your practices, make sure to send an updated direct notice to parents so they know about those changes. There are circumstances that allow you to skip the requirement for getting parental consent. Check the graph at the bottom of this site for more information.
In addition to the direct notice, you need to get parents' verifiable consent before starting the collection of personal information from their children. The way you do this is up to you, but you should be able to ensure that the person giving consent is the child's parent. Acceptable methods of verifiable parental consent:
- sign a consent form and send it back to you via fax, mail, or electronic scan;
- use a credit card, debit card, or other online payment system that provides notification of each separate transaction to the account holder;
- call a toll-free number staffed by trained personnel;
- connect to trained personnel via a video conference; or
- provide a copy of a form of government issued ID that you check against a database, as long as you delete the identification from your records when you finish the verification process.
The method "Email Plus": If you will use a child’s personal information only for internal purposes and won’t disclose it, you may use a method known as “email plus.” Using that method, you'll send an email to the parent and have them respond with their consent. You must send a confirmation to the parent via email, letter, or phone call. Using "email plus", you must let the parent know they can revoke their consent anytime.
4. The App Store Part
Apple App Store and COPPA
- 24.2 Apps primarily intended for use by kids under 13 may not include behavioral advertising (e.g. the advertiser may not serve ads based on the user's activity within the App), and any contextual ads presented in the App must be appropriate for kids
- 24.3 Apps primarily intended for use by kids under 13 must get parental permission or use a parental gate before allowing the user to link out of the app or engage in commerce
- 24.4 Apps in the Kids Category must be made specifically for kids ages 5 and under, ages 6‐8, or ages 9‐11
Apple's 24.3 mentions the term "parental gate". What it is and how others make use of this technique can be found in the insightful post "How are kids’ app developers communicating to parents?" by MOMs with apps. The main techniques follow this pattern:
- System: touch the "THING" for "AMOUNT OF TIME".
- System: hold for "AMOUNT OF TIME".
- System: perform a "MATHEMATICAL OPERATION".
- You can read more about the App Store's requirements regarding privacy policies in iOS apps here
Google Play Store and COPPA
The Google Play store doesn't impose additional rules similar to those of the App Store. The only reference to COPPA is the following in the Google Play terms of service:
Age Restrictions. In order to use Google Play you must be 13 years of age or older. If you are between 13 and 18 years of age, you must have your parent or legal guardian’s permission to use Google Play. You must not access Google Play or accept these Terms if you are a person who is either barred or otherwise legally prohibited from receiving or using the Service or any Products under the laws of the country in which you are resident or from which you access or use Google Play.
- You can read more about Android and privacy policies in general here in our dedicated post about this topic.
Windows Phone Store and COPPA
Summary for COPPA Compliance