6-Step Guide to COPPA Compliance for Mobile Apps
Today the digital space is moving faster than ever, and the importance of building great digital products for children is tremendous. Children (and their parents) are looking for unique and engaging mobile apps that allow them to connect and share with other kids across the world, but that are also safe and secure to use.
If you market your app to kids under 13 in the US, by law you must follow the Children’s Online Privacy Protection Act (COPPA) and make sure that you’re fully compliant. This act regulates how you collect and store the personal information of any under-13 users of your product or mobile app.
Violating COPPA by accident is no small matter: companies including HASBRO, Mattel, Viacom and Yelp have already been fined, and more lawsuits are announced every month. COPPA fines can be very hefty. For example, Yelp was hit with a $450,000 fine for violating COPPA a few years ago. COPPA fines were even a topic on the hit HBO show Silicon Valley, where Dinesh and the rest of the Pied Piper crew debate the extent of their COPPA violation.
COPPA can be intimidating and difficult to navigate if you’re new to the regulation, so we’ve pulled together a six-step guide for you, whether you’ve already built a children’s mobile app or are thinking about building one.
What is COPPA:
The Children’s Online Privacy Protection Act (COPPA) was created to protect the online privacy of children under the age of 13 within the US. You can read COPPA in its entirety here, but we’ve done our best to summarize some key points below:
- COPPA only applies to children in the US under the age of 13. If you are a US-based company, then you are expected to protect U13 users globally. However, if your company is based outside of the US, you are only legally obligated under COPPA to protect American children on your platform, or you risk a potentially crippling fine from the FTC or even a US State Attorney General.
- COPPA is designed to protect children’s online privacy and data security, but it doesn’t seek to prevent cyberbullying or profanity.
- COPPA is not just about removing private information. It’s also about having parental consent to collect, use, disclose, track or share private information.
- COPPA also applies to third-party plugins and services you use. This is a very tricky situation and requires proper due diligence.
- “Website or online service” is defined broadly and covers all mobile apps, internet-enabled gaming platforms, plug-ins, ad networks, internet-enabled location-based services and IoT devices.
What is “Directed to children under 13”:
The FTC will look at various factors to determine whether your site or service is directed to children under 13: subject matter, visual or audio content, animation, or the presence of child celebrities, to name a few. Even if your website or service doesn’t target children as its primary audience, you may still be held accountable, and you may choose to apply COPPA protections only to users under age 13. In that case, you must not collect personal information without first collecting age information and obtaining parental consent.
What is Personally Identifiable Information (PII):
- full name;
- home or other physical address, including street name and city or town;
- online contact information like an email address or other identifier that permits someone to contact a person directly — for example, an IM identifier, VoIP identifier, or video chat identifier;
- screen name or user name where it functions as online contact information;
- telephone number;
- Social Security number;
- a persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, a push notification token or a unique device identifier;
- a photo, video, or audio file containing a child’s image or voice;
- geolocation information sufficient to identify a street name and city or town; or
- other information about the child or parent that is collected from the child and is combined with one of these identifiers.
The 6 Steps:
- Determine whether your company is a website or online service that collects personal information from kids under 13.
  - Is your website or online service directed to children under 13, and do you collect PII from them? Or are you directed to a general audience but have actual knowledge that you collect PII from children under 13?
- Write a clear and comprehensive description of how PII from kids under 13 is handled, and add a clear and prominent link to it on your site or homepage.
  - To comply, the description must include: the PII collected, how it is collected and used, and a description of parental rights.
- Notify parents directly about your information practices before collecting personal information from their kids.
  - COPPA requires a direct notice that includes:
    - that you collected their online contact information for the purpose of getting their consent;
    - that you want to collect personal information from their child;
    - that their consent is required for the collection, use, and disclosure of the information;
    - the specific personal information you want to collect and how it might be disclosed to others;
    - how the parent can give their consent; and
    - that if the parent doesn’t consent within a reasonable time, you’ll delete the parent’s online contact information from your records.
- Get parents’ verifiable consent before collecting personal information from their kids.
  - You decide how to collect verifiable consent from parents: for example, a consent form returned by email or electronic scan, a toll-free number, or a copy of a government-issued ID or driver’s license photo ID.
- Honor parents’ ongoing rights with respect to personal information collected from their kids.
  - Even after parental consent, if a parent asks, you must give them a way to review their child’s PII, to revoke their consent and refuse further collection, or to permanently delete their child’s PII.
- Implement reasonable procedures to protect the security of kids’ personal information.
  - Reasonable steps include reducing the amount of PII you collect, restricting the access of service providers and third parties, holding onto PII only as long as is reasonably necessary for the purpose, and securely disposing of it once you no longer have a reason to retain it.
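As an added example (not code from this post, from the FTC, or from any library), the following Python sketch models the consent gate and retention rules described in the last four steps: the age screen runs before anything is collected, a parent’s contact is held only to request consent and is deleted if the request goes unanswered, PII is refused until consent is verified and limited to a minimised field list, a parent can review or revoke, and a periodic sweep disposes of stale data. All class and function names, the allowed-field list, and the 7-day and 180-day windows are constructed assumptions, not values from COPPA.

```python
"""Parental-consent gate with data minimisation and retention sweeps.
Added illustration; names, field list and time windows are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from enum import Enum

# Constructed policy values: a "reasonable time" to hear back from a parent,
# and how long PII is kept after the account was last used for its purpose.
CONSENT_WINDOW = timedelta(days=7)
RETENTION_PERIOD = timedelta(days=180)
# Data minimisation: the only PII fields this hypothetical app may store.
ALLOWED_FIELDS = frozenset({"display_name", "avatar_id"})


class Consent(Enum):
    PENDING = "pending"      # parent contact held only to request consent
    VERIFIED = "verified"    # parent gave verifiable consent
    REVOKED = "revoked"      # parent withdrew consent; nothing further is collected


class ConsentRequired(Exception):
    """Raised whenever PII would be stored without verified parental consent."""


def is_under_13(birthdate: date, today: date) -> bool:
    """Age screen run before any PII is collected."""
    had_birthday = (today.month, today.day) >= (birthdate.month, birthdate.day)
    age = today.year - birthdate.year - (0 if had_birthday else 1)
    return age < 13


@dataclass
class ChildAccount:
    child_id: str
    parent_contact: str | None
    consent: Consent
    requested_at: datetime
    last_active: datetime
    pii: dict[str, str] = field(default_factory=dict)


class ConsentStore:
    """In-memory stand-in for the app's account database (assumption)."""

    def __init__(self) -> None:
        self._accounts: dict[str, ChildAccount] = {}

    def request_consent(self, child_id: str, parent_contact: str, now: datetime) -> None:
        # Only the parent's contact is stored here, and only to obtain consent.
        self._accounts[child_id] = ChildAccount(child_id, parent_contact, Consent.PENDING, now, now)

    def record_verified_consent(self, child_id: str, now: datetime) -> None:
        acct = self._accounts[child_id]
        acct.consent = Consent.VERIFIED
        acct.last_active = now

    def store_pii(self, child_id: str, now: datetime, **fields: str) -> None:
        acct = self._accounts.get(child_id)
        if acct is None or acct.consent is not Consent.VERIFIED:
            raise ConsentRequired(child_id)          # no verified consent, no collection
        unknown = set(fields) - ALLOWED_FIELDS
        if unknown:
            raise ValueError(f"not in the minimised schema: {sorted(unknown)}")
        acct.pii.update(fields)
        acct.last_active = now

    def review(self, child_id: str) -> dict[str, str]:
        """Parent's right to see what is held about their child."""
        return dict(self._accounts[child_id].pii)

    def revoke(self, child_id: str, now: datetime) -> None:
        """Parent's right to withdraw consent: PII and contact are deleted at once."""
        acct = self._accounts[child_id]
        acct.consent = Consent.REVOKED
        acct.pii.clear()
        acct.parent_contact = None
        acct.last_active = now

    def sweep(self, now: datetime) -> list[str]:
        """Periodic job: purge unanswered consent requests and stale accounts."""
        purged = []
        for cid, acct in list(self._accounts.items()):
            unanswered = acct.consent is Consent.PENDING and now - acct.requested_at > CONSENT_WINDOW
            stale = acct.consent is not Consent.PENDING and now - acct.last_active > RETENTION_PERIOD
            if unanswered or stale:
                del self._accounts[cid]
                purged.append(cid)
        return purged

    def account_ids(self) -> list[str]:
        return sorted(self._accounts)


def run_demo() -> dict:
    """Walk constructed sample accounts through the gate and return what happened."""
    t0 = datetime(2024, 1, 1)
    store, out = ConsentStore(), {}
    out["under_13"] = is_under_13(date(2015, 6, 1), t0.date())
    out["turned_13_today"] = is_under_13(date(2011, 1, 1), t0.date())
    store.request_consent("child-1", "parent@example.test", t0)      # constructed data
    try:
        store.store_pii("child-1", t0, display_name="Sam")
        out["blocked_before_consent"] = False
    except ConsentRequired:
        out["blocked_before_consent"] = True
    store.record_verified_consent("child-1", t0 + timedelta(days=1))
    store.store_pii("child-1", t0 + timedelta(days=1), display_name="Sam")
    out["review"] = store.review("child-1")
    store.request_consent("child-2", "other@example.test", t0)       # parent never replies
    out["purged_unanswered"] = store.sweep(t0 + timedelta(days=8))
    store.revoke("child-1", t0 + timedelta(days=30))
    out["after_revoke"] = store.review("child-1")
    store.request_consent("child-3", "third@example.test", t0)
    store.record_verified_consent("child-3", t0)
    out["purged_stale"] = store.sweep(t0 + timedelta(days=200))      # child-3 idle > 180 days
    out["remaining"] = store.account_ids()
    return out
```

The revoked account is kept as an empty tombstone so that a later collection attempt under the same id is still refused; everything about the parent and child has already been deleted. In a real app the sweep would be a scheduled job against the production database, and the verified-consent step would be driven by whichever consent method (signed form, toll-free call, ID check) the app actually uses.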
Whether you like it or not, COPPA is here to stay. If you’re new to the children’s website or mobile app space, we recommend following this 6-step guide to COPPA compliance and keeping up to date directly from the ftc.gov website here.
COPPA is a serious matter and should be an important part of your plan if your product is directed to children under 13.