This is a guide to designing your apps for children under 13 (and your websites, since apps are a subset of the web) on the privacy front, under the COPPA Rule as amended in 2013.
COPPA stands for the Children’s Online Privacy Protection Act, enacted by Congress in 1998; it required the Federal Trade Commission to issue and enforce regulations concerning children’s online privacy. The amended Rule became effective on July 1st, 2013.
The primary goal of COPPA is to protect children’s privacy online (and, by extension, in the mobile ecosystem). COPPA puts parents in control over what information is collected from their children.
When Do I Fall under COPPA?
When do you as a web or mobile developer or operator/owner of these services fall under COPPA? And what does that fact mean for you?
The Rule applies to:
- operators of commercial websites and online services (again, it includes mobile apps) directed to children under 13 that collect, use, or disclose personal information from children;
- operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13;
- websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.
In a nutshell: if you develop apps or run websites directed to children under 13 years of age and collect their personal information, you are very likely to fall under COPPA and should therefore follow its rules.
There are a few things we still have to look at more deeply here:
- What is a website or online service as they are quoted in the Rule?
- What is personal information exactly?
- And what does collect, use or disclose mean in this context?
Turns out the terms in the Rule are mostly defined broadly:
Website or online service
So what is the definition of a website or online service under COPPA?
- mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads);
- internet-enabled gaming platforms;
- plug-ins;
- advertising networks;
- internet-enabled location-based services;
- voice-over internet protocol services.
Personal Information
What kind of information is considered personal and therefore triggers the COPPA compliance requirement? This is important: COPPA has updated the list for “personal information” that cannot be collected without parental notice and consent to include geolocation information, photographs, video and audio files that contain a child’s image or voice.
At large the list of personal information looks like this:
- full name;
- home or other physical address, including street name and city or town;
- online contact information like an email address or other identifier that permits someone to contact a person directly — for example, an IM identifier, VoIP identifier, or video chat identifier;
- screen name or user name where it functions as online contact information;
- telephone number;
- Social Security number;
- a persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier;
- a photo, video, or audio file containing a child’s image or voice;
- geolocation information sufficient to identify a street name and city or town; or
- other information about the child or parent that is collected from the child and is combined with one of these identifiers.
What, then, counts as collecting personal information like the above?
Collecting Personal Information
You are collecting information if you:
- request, prompt, or encourage the submission of information, even if it’s optional;
- let information be made publicly available (for example, with an open chat or posting function), unless you take reasonable measures to delete all or virtually all personal information before postings are public and delete all information from your records; or
- passively track a child online.
If another company collects personal information through your child-directed site or service — through an ad network or plug-in, for example — you’re responsible for complying with COPPA.
If you have actual knowledge that you’re collecting personal information directly from users of a child-directed site or service, you’re responsible for complying with COPPA, too. So how do you go from being required to follow COPPA’s rules, to actually complying?
How Do I Comply with COPPA?
- Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children.
- Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children.
- Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents).
- Provide parents access to their child’s personal information to review and/or have the information deleted.
- Give parents the opportunity to prevent further use or online collection of a child’s personal information.
- Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security.
- Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
Let us dissect this again:
Post a clear and comprehensive online privacy policy
This is the first step where iubenda comes in handy. To generate a privacy policy with us, visit the generator. You can add our COPPA compliance clause “The Service is directed to children under the age of 13”.
Generally, if you prefer to do it yourself, you’ll have to follow this pattern: describe clearly and comprehensively how personal information is collected. The notice must describe not only your own practices (what is collected and how it is used), but also the practices of any others collecting personal information on your site or service, for example third-party applications you may be using.
Link to your policy from a prominent spot. What separates the privacy policy under COPPA from other privacy policies is the inclusion of a description of parental rights. Your privacy policy must tell parents:
- that you won’t require a child to disclose more information than is reasonably necessary to participate in an activity;
- that they can review their child’s personal information, direct you to delete it, and refuse to allow any further collection or use of the child’s information;
- that they can agree to the collection and use of their child’s information, but still not allow disclosure to third parties unless that’s part of the service (for example, social networking); and
- the procedures to follow to exercise their rights.

If you want us to help you accomplish this, try the generator and don’t forget to add our COPPA clause.
Provide direct notice to parents and obtain verifiable parental consent
Before you start collecting personal information from children, you need to give parents “direct notice”. The notice must be clear and easy to read and include the following:
- that you collected their online contact information for the purpose of getting their consent;
- that you want to collect personal information from their child;
- that their consent is required for the collection, use, and disclosure of the information;
- the specific personal information you want to collect and how it might be disclosed to others;
- a link to your online privacy policy;
- how the parent can give their consent; and
- that if the parent doesn’t consent within a reasonable time, you’ll delete the parent’s online contact information from your records.
If you change your practices, make sure to send an updated direct notice to parents so they know about those changes. There are limited circumstances in which the requirement to obtain parental consent does not apply.
In addition to the direct notice, you need to get parents’ verifiable consent before starting the collection of personal information from their children. The way you do this is up to you, but you should be able to ensure that the person giving consent is the child’s parent.
Acceptable methods of verifiable parental consent include having the parent:
- sign a consent form and send it back to you via fax, mail, or electronic scan;
- use a credit card, debit card, or other online payment system that provides notification of each separate transaction to the account holder;
- call a toll-free number staffed by trained personnel;
- connect to trained personnel via a video conference; or
- provide a copy of a form of government-issued ID that you check against a database, as long as you delete the identification from your records when you finish the verification process.
The “Email Plus” Method
If you will use a child’s personal information only for internal purposes and won’t disclose it, you may use a method known as “email plus”.
Using that method, you’ll send an email to the parent and have them respond with their consent. You must send a confirmation to the parent via email, letter, or phone call. Using “email plus”, you must let the parent know they can revoke their consent anytime.
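The direct-notice and consent workflow described in the last two sections can be modelled as a small consent ledger. The example below is added here and is not code from iubenda or from the original guide; the record layout, the method names, and the seven-day window used as the “reasonable time” after which a parent’s contact information is deleted are assumptions for illustration. It enforces the points above in code: only the parent’s contact information is held before consent, “email plus” is refused when data would be disclosed to third parties and requires a follow-up confirmation, every collection point checks for stored consent, revocation deletes what was collected, and timed-out requests are purged.

```javascript
// Added example (not iubenda's or the guide's code): a consent ledger that models
// the direct-notice / verifiable-consent workflow. Method names, record layout and
// the 7-day "reasonable time" window are assumptions for illustration.

const PENDING_WINDOW_MS = 7 * 24 * 60 * 60 * 1000; // assumed "reasonable time"

// The consent methods the guide lists, plus "email plus" for internal-only use.
const METHODS = new Set([
  'signed_form', 'payment_transaction', 'toll_free_call',
  'video_conference', 'government_id', 'email_plus',
]);

class ConsentLedger {
  constructor(clock = () => Date.now()) {
    this.clock = clock;           // injectable clock so retention can be tested
    this.records = new Map();     // childId -> consent record
  }

  // Before any child data is collected, the only thing stored is the parent's
  // contact information, and only so that the direct notice can be sent.
  requestConsent({ childId, parentEmail, categories, method, disclosesToThirdParties, policyUrl }) {
    if (!METHODS.has(method)) throw new Error(`unknown consent method: ${method}`);
    // "Email plus" is only available when the data stays internal.
    if (method === 'email_plus' && disclosesToThirdParties) {
      throw new Error('email plus cannot be used when data is disclosed to third parties');
    }
    const record = {
      childId, parentEmail, categories: [...categories], method, disclosesToThirdParties,
      status: 'pending', requestedAt: this.clock(), confirmationSent: null, childData: {},
    };
    this.records.set(childId, record);
    return this.directNotice(record, policyUrl);
  }

  // The direct notice carries each element the guide says it must include.
  directNotice(record, policyUrl) {
    return {
      to: record.parentEmail,
      whyWeHaveYourEmail: 'collected only to ask for your consent',
      whatWeWantToCollect: record.categories,
      disclosedToThirdParties: record.disclosesToThirdParties,
      consentRequiredFor: ['collection', 'use', 'disclosure'],
      privacyPolicy: policyUrl,
      howToConsent: record.method,
      ifNoConsent: `your contact information is deleted after ${PENDING_WINDOW_MS / 86400000} days`,
    };
  }

  // The parent consented through the chosen method. For "email plus" a confirmation
  // by email, letter or phone must follow, and it tells the parent they can revoke.
  grantConsent(childId, confirmationChannel) {
    const record = this.records.get(childId);
    if (!record || record.status !== 'pending') throw new Error('no pending request');
    if (record.method === 'email_plus') {
      if (!['email', 'letter', 'phone'].includes(confirmationChannel)) {
        throw new Error('email plus requires confirmation by email, letter or phone');
      }
      record.confirmationSent = { channel: confirmationChannel, note: 'you may revoke this consent at any time' };
    }
    record.status = 'granted';
    return record.status;
  }

  // Every collection point calls this: no stored consent for the category, no data.
  canCollect(childId, category) {
    const record = this.records.get(childId);
    return !!record && record.status === 'granted' && record.categories.includes(category);
  }

  store(childId, category, value) {
    if (!this.canCollect(childId, category)) throw new Error(`consent missing for ${category}`);
    this.records.get(childId).childData[category] = value;
  }

  // The parent withdraws consent: stop collecting and delete what was collected.
  revoke(childId) {
    const record = this.records.get(childId);
    if (!record) return false;
    record.status = 'revoked';
    record.childData = {};
    return true;
  }

  // Housekeeping job: drop the parent's contact info for requests that timed out.
  purgeExpired() {
    let purged = 0;
    for (const record of this.records.values()) {
      if (record.status === 'pending' && this.clock() - record.requestedAt > PENDING_WINDOW_MS) {
        record.parentEmail = null;
        record.status = 'expired';
        purged += 1;
      }
    }
    return purged;
  }
}
```

The design choice worth noting is that `canCollect` is the single gate in front of every collection point: consent is looked up per child and per data category, so a feature that was never named in the direct notice (a photo upload added later, say) cannot silently piggyback on consent given for a screen name, and a change of practice forces a new notice.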
App Stores
If you are a mobile developer, let us walk you through some of the relevant information from the documentation.
Apple App Store and COPPA
Apple has recently changed their App Store Review Guidelines and requires you to include a privacy policy. In their guideline they go on to declare a few relevant things:
Apps in the Kids Category must not include links out of the app, purchasing opportunities, or other distractions to kids unless reserved for a designated area behind a parental gate. … These apps may not include behavioral advertising (e.g. the advertiser may not serve ads based on the user’s activity), and any contextual ads must be appropriate for young audiences. You should also pay particular attention to privacy laws around the world relating to the collection of data from children online.
And again:
It is critical to use care when dealing with personal data from kids, and we encourage you to carefully review all the requirements for complying with laws like the Children’s Online Privacy Protection Act (“COPPA”), the European Union’s General Data Protection Regulation (“GDPR”), and any international or local equivalents.
Apps may ask for birthdate and parental contact information only for the purpose of complying with these statutes, but must include some useful functionality or entertainment value regardless of a person’s age.
Moreover, apps in the Kids Category or those that collect, transmit, or have the capability to share personal information (e.g. name, address, email, location, photos, videos, drawings, the ability to chat, other personal data, or persistent identifiers used in combination with any of the above) from a minor must include a privacy policy and must comply with all applicable children’s privacy statutes.
Parental Gates
Apple’s guidelines 1.3 and 5.1.4 mention the term “parental gate”. Parental gates are used in apps targeted towards kids to prevent them from engaging in commerce or following links out of an app to websites, social networks, or other apps without the knowledge of their parent or guardian.
There is no set way to do this. For example, you can:
- include instructions that describe a specific task or combination of interactions for an adult to complete;
- consider using a voice-over prompt to help kids know they need to involve their parent; or
- require users to correctly answer age-appropriate questions in order to continue.
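As an added example of the first and third approaches, here is a small parental gate: it poses an arithmetic task spelled out in words, limits attempts, and only then runs the guarded action (an outbound link or a purchase). This is not Apple’s or iubenda’s code; the challenge format, the three-attempt limit and the one-minute cool-down are assumptions for illustration. A gate like this only satisfies the App Store’s “parental gate” expectation for out-of-app actions; it is not a method of verifiable parental consent under COPPA.

```javascript
// Added example (not Apple's or iubenda's code): a parental gate that asks an
// age-appropriate task before an outbound link or purchase is reached.
// Challenge format, attempt limit and lockout period are assumptions.

const MAX_ATTEMPTS = 3;
const LOCKOUT_MS = 60 * 1000; // assumed cool-down after repeated failures

const WORDS = ['zero', 'one', 'two', 'three', 'four', 'five', 'six',
  'seven', 'eight', 'nine', 'ten', 'eleven', 'twelve'];

// Builds one multiplication challenge, spelled out in words so that it has to
// be read and worked out rather than matched against digits on screen.
function makeChallenge(rng = Math.random) {
  const a = 2 + Math.floor(rng() * 11); // 2..12
  const b = 2 + Math.floor(rng() * 11);
  return { prompt: `Ask a grown-up: what is ${WORDS[a]} times ${WORDS[b]}?`, answer: a * b };
}

class ParentalGate {
  constructor({ rng = Math.random, clock = () => Date.now() } = {}) {
    this.rng = rng;
    this.clock = clock;
    this.failures = 0;
    this.lockedUntil = 0;
    this.challenge = null;
  }

  // Returns the prompt to display, or null while the gate is in its cool-down.
  open() {
    if (this.clock() < this.lockedUntil) return null;
    this.challenge = makeChallenge(this.rng);
    return this.challenge.prompt;
  }

  // Checks the typed answer; true unlocks the guarded action exactly once.
  submit(input) {
    if (!this.challenge || this.clock() < this.lockedUntil) return false;
    const ok = Number.parseInt(String(input).trim(), 10) === this.challenge.answer;
    this.challenge = null; // one challenge per attempt, so an answer cannot be replayed
    if (ok) { this.failures = 0; return true; }
    this.failures += 1;
    if (this.failures >= MAX_ATTEMPTS) {
      this.lockedUntil = this.clock() + LOCKOUT_MS;
      this.failures = 0;
    }
    return false;
  }
}

// Wraps a guarded action (opening an external link, starting a purchase) so
// that it only runs once the gate has been passed.
function guard(gate, action) {
  return function attempt(answer) {
    return gate.submit(answer)
      ? { allowed: true, result: action() }
      : { allowed: false, result: null };
  };
}
```

In a real app the `action` passed to `guard` would be the navigation or store call itself, and the prompt from `open()` would be shown in a dedicated screen so that the protected control is never reachable without passing through `submit`.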
You can read more about the App Store’s requirements regarding privacy policies in iOS apps here.
Google Play Store and COPPA
The Google Play Store doesn’t impose additional rules similar to the App Store’s. The only reference to COPPA is the following in the Google Play Terms of Service:
Age Restrictions. In order to use Google Play, you must have a valid Google account (“Google Account”), subject to the following age restrictions. If you are considered a minor in your country, you must have your parent or legal guardian’s permission to use Google Play and to accept the Terms. You must comply with any additional age restrictions that might apply for the use of specific Content or features on Google Play. Family managers and family members must meet these additional requirements as well.
You can read more about Android and privacy policies in general in our dedicated guide.
Summary for COPPA Compliance
If you collect any personal information from children, you have to be extra careful with your privacy policy and with what you do within your app. We advise you to follow COPPA’s requirements carefully and to take a look at what you may need to do according to app store terms if you are a mobile developer.
Also don’t forget to double-check if your third party services are compliant with COPPA because you are liable for their collection practices as well.