We’ve posted about the update to Apple’s App Review Guidelines, which mainly brought some big changes for developers who create apps directed to children aged 13 years and younger. These changes follow from the revised version of COPPA (the Children’s Online Privacy Protection Act, dating back to 1998), which has been out since July 2013.
This post highlights some of the things you need to think about when you want to add your app to Apple’s App Store: a) Apple’s App Store Review Guidelines, b) COPPA in general, c) what’s personal information, d) iubenda’s help.
- App developers in particular may enjoy this very comprehensive guide on how to get on the path to COPPA compliance.
I’d like to stress that iubenda is doing everything possible or reasonable to help developers and designers like you become compliant with privacy regulations, but using iubenda alone is not always enough to cover everything you have to do, or sometimes must not do. This applies to your apps and COPPA.
Apple App Store and COPPA
As reported, Apple has updated their terms for their App Store admission and added the following regarding children under 13 years of age:
17.3 Apps may ask for date of birth (or use other age-gating mechanisms) only for the purpose of complying with applicable children’s privacy statutes, but must include some useful functionality or entertainment value regardless of the user’s age
17.4 Apps that collect, transmit, or have the capability to share personal information (e.g. name, address, email, location, photos, videos, drawings, persistent identifiers, the ability to chat, or other personal data) from a minor must comply with applicable children’s privacy statutes.
24.2. Apps primarily intended for use by kids under 13 may not include behavioral advertising (e.g. the advertiser may not serve ads based on the user’s activity within the App), and any contextual ads presented in the App must be appropriate for kids.
24.3. Apps primarily intended for use by kids under 13 must get parental permission or use a parental gate before allowing the user to link out of the app or engage in commerce.
24.4. Apps in the Kids Category must be made specifically for kids ages 5 and under, ages 6-8, or ages 9-11.
Notice how Apple wants you to pick the age range? Make sure you follow all of Apple’s and COPPA’s requirements.
What else are you supposed to do, or not do at all?
COPPA Rules in General
There are some general rules you need to follow when you are covered by COPPA (quoted from the FTC COPPA FAQ):
- Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
- Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
- Provide parents access to their child’s personal information to review and/or have the information deleted;
- Give parents the opportunity to prevent further use or online collection of a child’s personal information;
- Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
- Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
What is personal information in COPPA 2013?
Personal Information under COPPA 2013
Another change that COPPA brings in its 2013 form is the broader definition of “personal information”. Until now the term “personal information” included such categories as first and last name, a home or physical address, an email address, a phone number etc. The amended Rule defines personal information to include:
- First and last name;
- A home or other physical address including street name and name of a city or town;
- Online contact information;
- A screen or user name that functions as online contact information;
- A telephone number;
- A social security number;
- A persistent identifier that can be used to recognize a user over time and across different websites or online services;
- A photograph, video, or audio file, where such file contains a child’s image or voice;
- Geolocation information sufficient to identify street name and name of a city or town; or
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.
iubenda and COPPA
- You must give notice and get parental consent for personal information collected on your applications from third parties, such as ad networks, unless an exception
- You must take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential.
- You must meet new data retention and deletion requirements.
Further helpful links: