COPPA Compliance: How to design COPPA compliant mobile apps for kids

COPPA Compliance: Data protection has been a buzzword for quite some time now. The focus on the protection of data, and security around data that is collected is now constantly on the mind of consumers, developers, and tech giants alike. With ever-evolving laws, codes, and rules around data protection companies now have to be even more particular about how they collect a user’s data and how they use it.

This is now particularly important for any and all app developers as laws are becoming more and more stringent thereby making development the foundation to ensure these laws are complied with. A number of laws are now coming into the picture and some have been around for a while.

What is COPPA?

COPPA stands for Children’s Online Privacy and Protection Act. As the name suggests, the law specifically is for the personal information of kids, under the age of 13 and how it is collected by apps, websites, and other online platforms. COPPA was first enacted in 1998. It became effective in 2000 and an amended rule was published and put in effect in 2013. Violating the rules can attract penalties of up to $43,280 per violation.

As per the Federal Trade Commission website operators covered by the Rule must:

• Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children;
• Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
• Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
• Provide parents access to their child’s personal information to review and/or have the information deleted;
• Give parents the opportunity to prevent the further use or online collection of a child’s personal information;
• Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security;
• Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use; and
• Not condition a child’s participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity.

What is Personal Information, or Personally Identifiable Information (PII)?

Since the entire law consists around the gamet of collecting personal information, it is only logical that the law clarifies what really entails this PII.

COPPAclassifies a wide range of data as PII:

• First and last name;
• A home or other physical address including street name and name of a city or town;
• Online contact information;
• A screen or user name that functions as online contact information;
• A telephone number;
• A social security number;
• A persistent identifier that can be used to recognize a user over time and across different websites or online services;
• A photograph, video, or audio file, where such file contains a child’s image or voice;
• Geolocation information sufficient to identify street name and name of a city or town; or
• Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.
• Verifiable parental consent must be obtained before any of the above personal information can be collected. Even publishing a child’s user name to a public leader board with their high score can be a violation of COPPA. 

How to make apps for Children: complying with COPPA

Have a clear privacy policy that complies with COPPA

First things first, it is of utmost importance for any app to clearly state their privacy policy that complies with COPPA. This should be posted in a very visible location and should be easy to access. The policy should be clearly written and should specify how PII that the company gets from kids under 13 handles. Other than how PII is collected and used, it should also clearly mention parental rights. These parental rights are what differentiates COPPA-compliant privacy policy from other privacy policies.

In short, a good, COPPA-compliant Privacy Policy should- Assure, Inform, and Educate. Assure parents that only the necessary information that is required will be collected. Inform them that they can review that information, ask the operator to delete and refuse to share anymore. Lastly, educate parents about how they can act if required.

Notify parents directly

To be COPPA compliant, an operator needs to give parents direct notice before it starts collecting information from children. The notice should be an extremely clear document and should be easy to read without complicated jargon. Since this is mandatory, it must include the following-

• State that the operator has collected the parent’s online contact information from the child, and, if such is the case, the name of the child or the parent, in order to obtain the parent’s consent;
• State that the parent’s consent is required for the collection, use, or disclosure of such information, and that the operator will not collect, use, or disclose any personal information from the child if the parent does not provide such consent;
• Set forth the additional items of personal information the operator intends to collect from the child or the potential opportunities for the disclosure of personal information, should the parent provide consent;
• Contain a hyperlink to the operator’s online notice of its information practices (i.e., its privacy policy); Provide the means by which the parent can provide verifiable consent to the collection, use, and disclosure of the information; and
• State that if the parent does not provide consent within a reasonable time from the date the direct notice was sent, the operator will delete the parent’s online contact information from its records.

There is more information that may need to be shared depending on the operator. More details on this can be found on the FTC website. It is also essential to remember that if any point practices of an operator are changed, parents must be given direct notice with the updated practices so they are aware of the changes.

Obtain verifiable parental consent and give parents the choice

Other than notifying parents about collecting information etc, it is of extreme importance for an operator to obtain verifiable consent from parents. This consent needs to be obtained before collecting any information from kids. This consent can be received via a form, email, toll-free number set up the operator, electronic scan, copy of a govt ID, etc. This can also be obtained via the payment system, transaction, or a video call.

Maintain confidentiality

It is important for an operator to ethically maintain confidentiality, ensure data security of information that is being collected from children. This should include who the data is being released to (if any) and if they are capable of maintaining security.

App Store and COPPA

The Apple App Store, as per its new guidelines require all app developers to put across privacy guidelines and policy if they are targeting children who are less than 13 years of age. These App Store guidelines are essential as they are also linked to COPPA.

• Apps intended for kids under the age of 13 should not have behavioral advertising. It also states that contextual ads should be kids appropriate.
• The app owner needs parental permission or consent, or a parental gate before any user links or before it is used for commerce.
• Apps in the kids’ category need to be classified in these three age groups:
  a. 0 – 5
  b. 6 – 8
  c. 9 – 11

Google Play and COPPA

Similar to Apple Store, apps that are designed for the family section in the Google Play Store needs developers and operators to comply with COPPA guidelines, especially when they are targeting kids under the age of 13. You’ll need to specify that your app is intended for kids under the age of 13, this way Google can modify and customize the add these apps receive and make sure they are age-appropriate. In the case of apps for kids, it will not be required to have a Google sign-in.

How can TechAhead help

TechAhead, renowned as one of the top mobile app development companies, has over 10 years of experience serving fortune 500 clients to high growth enterprises. The company has proven expertise in the Internet of Things (IoT), and other emerging technologies such as AR-VR and their integration with mobile apps. Our team is adept at iOS and Android app development. Additionally, we are well versed with all rules, laws, and data protection regulations to be followed and ensured by any app developer.

Needless to say, making sure your app is COPPA complied is of utmost importance. Non-compliance can attract major fines. It is thereby important to ensure you are educated about COPPA and so are your partners. This way, your app will be COPPA compliant.