This guide has one goal: to get you into the app stores as fast as possible while becoming compliant with privacy regulations. Below you will find a comprehensive guide that walks you through the most important aspects of COPPA.
For our US readers: this information is provided as a general guide to the issues, and is not legal or technical advice.
In a nutshell: if you develop apps or run websites directed to children under 13 years of age and collect their personal information, you very likely fall under COPPA and should therefore follow its rules.
COPPA is the Children’s Online Privacy Protection Act, enacted by Congress in 1998. It required the Federal Trade Commission to issue and enforce regulations concerning children’s online privacy. The amended Rule became effective on July 1st, 2013. The primary goal of COPPA is to protect children’s privacy online (and, by extension, in the mobile ecosystem). COPPA puts parents in control over what information is collected from their children online.
When do you as a web or mobile developer or operator/owner of these services fall under COPPA? And what does that fact mean for you? The Rule applies to operators of commercial websites and online services (again, it includes mobile apps) directed to children under 13 that collect, use, or disclose personal information from children. It also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. Let us dissect this catalogue:
It also applies to:
And it applies to:
There are a few things we still have to look at more closely. What is a website or online service as used in the Rule? What exactly is personal information? And what does collect, use or disclose mean in this context? It turns out the terms in the Rule are mostly defined broadly:
What kind of information is considered personal and therefore triggers the COPPA compliance requirement? This is important: COPPA has updated the list of “personal information” that cannot be collected without parental notice and consent to include geolocation information, photographs, and video and audio files that contain a child’s image or voice. In broad terms, the list of personal information looks like this:
What, then, counts as collection of personal information of this kind?
If another company collects personal information through your child-directed site or service — through an ad network or plug-in, for example — you’re responsible for complying with COPPA. If you have actual knowledge that you’re collecting personal information directly from users of a child-directed site or service, you’re responsible for complying with COPPA, too. So how do you go from being required to follow COPPA’s rules, to actually complying?
Let us dissect this again:
If you change your practices, make sure to send an updated direct notice to parents so they know about those changes. There are circumstances that allow you to skip the requirement for getting parental consent; check the graph at the bottom of this site for more information. In addition to the direct notice, you need to get parents’ verifiable consent before starting to collect personal information from their children. The way you do this is up to you, but you must be able to ensure that the person giving consent is the child’s parent. Acceptable methods of verifiable parental consent:
The method “Email Plus”: If you will use a child’s personal information only for internal purposes and won’t disclose it, you may use a method known as “email plus.” Using that method, you’ll send an email to the parent and have them respond with their consent. You must send a confirmation to the parent via email, letter, or phone call. Using “email plus”, you must let the parent know they can revoke their consent anytime.
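The “email plus” flow above is easiest to get right if the application treats parental consent as a gate that data collection cannot bypass. The following is an added example, not code from the original guide or from Apple, Google or the FTC: it models the direct notice, the parent’s reply, the confirmation (the “plus”), and revocation as explicit states, refuses to store any personal information until consent is confirmed, and refuses third-party disclosure outright because email plus only covers internal use. The in-memory store, the outbox list standing in for email/letter/phone delivery, and the child and parent identifiers are all constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from enum import Enum


class ConsentState(Enum):
    NOTICE_SENT = "notice_sent"   # direct notice emailed, waiting for the parent's reply
    CONFIRMED = "confirmed"       # parent replied; confirmation (the "plus") sent back
    REVOKED = "revoked"           # parent withdrew consent; collection must stop


class ConsentError(Exception):
    """Raised when an action is attempted outside a valid consent state."""


@dataclass
class ConsentRecord:
    child_id: str
    parent_email: str
    token: str                    # one-time value tying the parent's reply to our notice
    state: ConsentState
    # Constructed stand-in for the email/letter/phone channel: (channel, address, text).
    outbox: list = field(default_factory=list)


class EmailPlusConsent:
    """Gate for the 'email plus' flow: collect nothing until consent is confirmed,
    allow revocation at any time, and never disclose to third parties."""

    def __init__(self):
        self._records = {}        # child_id -> ConsentRecord (in-memory for the example)
        self._internal_data = {}  # child_id -> {field: value}, internal use only

    def send_direct_notice(self, child_id, parent_email):
        """Step 1: email the direct notice; the parent's reply must quote this token."""
        token = secrets.token_urlsafe(16)
        rec = ConsentRecord(child_id, parent_email, token, ConsentState.NOTICE_SENT)
        rec.outbox.append(("email", parent_email,
                           f"Direct notice: reply with code {token} to consent. "
                           "You may revoke consent at any time."))
        self._records[child_id] = rec
        return token

    def record_parent_reply(self, child_id, token):
        """Step 2: the parent replies with consent. Step 3 (the 'plus'): we confirm back."""
        rec = self._records.get(child_id)
        if rec is None or rec.state is not ConsentState.NOTICE_SENT:
            raise ConsentError("no pending direct notice for this child")
        if not secrets.compare_digest(rec.token, token):
            raise ConsentError("reply does not match the notice sent to the parent")
        rec.outbox.append(("email", rec.parent_email,
                           "Confirmation: your consent is recorded. "
                           "Reply REVOKE at any time to withdraw it."))
        rec.state = ConsentState.CONFIRMED

    def revoke(self, child_id):
        """The parent may withdraw consent at any time; further collection stops."""
        rec = self._records.get(child_id)
        if rec is None:
            raise ConsentError("unknown child")
        rec.state = ConsentState.REVOKED
        self._internal_data.pop(child_id, None)   # stop retaining what was collected

    def may_collect(self, child_id):
        rec = self._records.get(child_id)
        return rec is not None and rec.state is ConsentState.CONFIRMED

    def collect(self, child_id, field_name, value):
        """Store personal information for internal use only, and only once confirmed."""
        if not self.may_collect(child_id):
            raise ConsentError("parental consent not confirmed (or revoked): collection refused")
        self._internal_data.setdefault(child_id, {})[field_name] = value

    def disclose_to_third_party(self, child_id):
        """Email plus covers internal use only, so disclosure is refused unconditionally."""
        raise ConsentError("email plus does not authorise disclosure; "
                           "obtain consent by another verifiable method first")

    def stored_fields(self, child_id):
        return dict(self._internal_data.get(child_id, {}))


def demo():
    """Walk one constructed child record through the flow; return what each step allowed."""
    svc = EmailPlusConsent()
    token = svc.send_direct_notice("child-42", "parent@example.com")   # constructed values
    before = svc.may_collect("child-42")
    try:
        svc.record_parent_reply("child-42", "not-the-token")            # forged reply
        forged_accepted = True
    except ConsentError:
        forged_accepted = False
    svc.record_parent_reply("child-42", token)
    svc.collect("child-42", "first_name", "Sam")
    after = svc.may_collect("child-42")
    svc.revoke("child-42")
    return {"before": before, "forged_accepted": forged_accepted, "after": after,
            "revoked": svc.may_collect("child-42"), "retained": svc.stored_fields("child-42")}
```

The point of the design is that every path to storing data goes through `may_collect`, so a forgotten check in one screen cannot leak collection before confirmation, and revocation both flips the state and drops what was retained.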
Apple’s guideline 24.3 mentions the term “parental gate”. What it is and how other developers use this technique is described in the insightful post How are kids’ app developers communicating to parents? by MOMs with apps. The main techniques follow this pattern:
The Google Play store does not impose additional rules comparable to the App Store’s. The only reference to COPPA is the following passage in the Google Play terms of service:
Age Restrictions. In order to use Google Play you must be 13 years of age or older. If you are between 13 and 18 years of age, you must have your parent or legal guardian’s permission to use Google Play. You must not access Google Play or accept these Terms if you are a person who is either barred or otherwise legally prohibited from receiving or using the Service or any Products under the laws of the country in which you are resident or from which you access or use Google Play.