Guide to COPPA in Websites and Mobile Apps
As time goes on, the general public spends more and more time online. Websites, apps, online services and tools, and social media platforms all use private user information to verify and authenticate users and, in some cases, store that data. The public is recognizing that it has less and less control over its own data and the way that data is used. Some companies even capitalize on selling this information to third parties.
The Children's Online Privacy Protection Act, or COPPA, is very important to know and abide by if your website or app is designed for kids under the age of 13. We are going to give a short explanation of this act, then dive into the particular requirements that make it up and the practical steps you can take to ensure you are COPPA compliant.
What is COPPA?
COPPA is designed to protect the privacy of children in the online environment, as well as in the mobile sphere. The act puts control over this information in the hands of parents, and the current rule has been in effect since July 2013. The FTC (Federal Trade Commission) is responsible for issuing and enforcing it. The Children's Online Privacy Protection Act was originally enacted by Congress back in 1998. Its goal is to protect children under 13 within the dynamic online environment and to put control over the private information of users under 13 in the hands of their parents.
When do I need to comply with COPPA?
The quick answer is that if you operate on the web (including mobile applications) and you collect private information from a child younger than 13, you fall under the Children's Online Privacy Protection Act.
It is important to understand what is considered personal information under COPPA so as to avoid unnecessary worries. It basically includes any and all information that can be used to identify a specific user under the age of 13. This includes:
- The user's first and last name.
- Any information related to the user's place of residence, including but not limited to their address, street name, and city/town.
- Any kind of online information.
- Public user or screen name that can be used to contact the user.
- Telephone number or any other information that can be used to contact the user via telephone.
- Social Security Number.
- Any type of information that can be used to track the user across multiple websites and online services.
- Any kind of multimedia file containing the user's image or voice, including photographs, audio files, videos, etc.
- Geolocation data precise enough to identify the place of residence.
- Any information collected online about the parents or the child that can be combined with the identifiers above to gain further information.
If your service, app or website collects any of the identifiers cited above, you definitely fall under COPPA. Even if your information gathering is voluntary and you don't make it mandatory, you still fall under this act. The act doesn't require operators to screen their users through age checks, but if they find that a child is using their services, COPPA is automatically triggered and they need to follow the procedure. Furthermore, if you are using third-party data (like that of marketing networks), you also fall under COPPA.
Does COPPA apply to mobile apps? What about international mobile apps (outside of the US)?
This act applies to mobile applications that use private information of children younger than 13. It applies to mobile apps regardless of whether they target children inside or outside the US. It also targets foreign operators that are part of US commerce and target kids in the USA.
How to comply with COPPA?
We are going to discuss the concrete steps you can take to ensure that you are COPPA compliant.
1. Privacy policy
- Notify the parents before you start collecting data.
- Make it clear that their consent is required before you start collecting data, confirm that the data will serve the purpose of internal use, and notify them about any third parties included in the service you provide that will have access to that data.
- Allow parents to review the private data that you intend to collect.
- Allow parents to discontinue the acquisition of private information at any time.
- Ensure the safety and privacy of the data collected, including cases where it is shared with a third-party collaborator.
- Limit the retention of the collected data to the time you need it to provide a service, ensure that it is kept safe during that time, and destroy it afterwards.
- Assure parents that you will not require more information from the child than is absolutely necessary to use the service or participate in an activity.
- Inform parents about their right to review the information, instruct you to delete it, and/or refuse access to any further information.
- Tell them that they have the right to agree to the use of their child's data without it being shared with third parties.
- Educate them about the procedures they have at their disposal in order to take action.
The policy needs to be displayed in a visible place and also needs to be always available for review.
2. Parental notification
It is mandatory that you notify the parents before you start to gather and use any private information. There are specific things that your notification needs to cover:
- The fact that you have collected their contact information for the sole purpose of prompting them for consent and that, if they refuse, you will remove this information from your database.
- Inform them that you intend to collect and use information about their child.
- That their consent is mandatory before you start collecting this data.
- Explain the process for them to give their consent if they opt to do that.
- Explain what data will be collected and who will have access to that data.
There are more than a few ways you can accept this consent:
- A signed consent can be delivered to you via electronic scan, mail, or fax.
- A free-of-charge call center with a trained support team.
- A video conference with support staff.
- Use of an online payment method that notifies the account owner about each separate transaction.
- A copy of a government-issued ID card, with the assurance that the personal data will be destroyed after the verification process is complete.
If you are using the data for internal purposes only, you can use the "email plus" method, but you need to make it clear that the parent or parents can revoke their consent at any point in time.
Apple Store and COPPA
The Apple Store has changed its guidelines to require app developers to provide a privacy policy if they are targeting children under 13 years old. These are the important changes to the guidelines that are connected to COPPA.
- Behavioral advertising is forbidden in apps intended for kids younger than 13. Contextual ads need to be appropriate for kids.
- Before the user links out of the app or uses it for commerce, the app owner needs to get parental permission or use a parental gate.
- Apps in the kids category need to target one of the three prescribed age groups:
a. 0 - 5
b. 6 - 8
c. 9 - 11
Google Play Store and COPPA
The Designed for Families section of the Google Play Store also requires developers to comply with COPPA when they are targeting kids under the age of 13. This applies to apps that are specifically intended for children as well as apps intended for all ages that may have users younger than 13.
Google Mobile Ads
If you are using Google Mobile Ads in your app, you will need to indicate that the app is intended for an audience younger than 13. This is done so that Google can modify the type of ads it serves and make them age appropriate.
Sign-in
If your app is directed at children under the age of 13, you will not be allowed to use Google sign-in or the Google Play Games service. The same applies if your app is intended for mixed audiences.
The Android speech API is not to be used in situations where kids are the potential users of the app in question, unless the app is designed to participate in the Designed for Families program.
Fines for not complying with COPPA
Fines for not complying with COPPA can range from $16,000 to $40,000 per individual violation. This means that the more users' information you manage, the larger your fine can be. COPPA is so prominent that it was even featured in an episode of Silicon Valley, a popular TV show.
There are more than a few cases of companies being fined for not complying with COPPA. Yelp received a $300,000 fine for not properly screening its users before allowing them to log in to its apps. It was also charged with not properly testing whether kids could make accounts using its apps.
Playdom Inc received the largest fine for collecting and disclosing minors' personal information on its website. The fine was 3 million US dollars and, while this may seem large, it doesn't come close to what the per-violation fines would add up to if they were applied cumulatively. In Playdom's case, the estimated number of children that registered on the site was somewhere around 800,000. If we multiply this number by the lowest possible fine per individual violation, $16,000, we get a final number that is a lot higher than 3 million.
CoppaNow, a website that follows COPPA-related cases, has so far calculated that the average fine per individual violation is closer to $2.28 than to the minimum of $16,000. Still, even if this is true, the numbers can stack up and you may end up with more fines than your company can pay. This is especially true for small developer companies that are not yet financially capable of handling being fined and dragged to court.
Incarceration is also a possibility in some cases of gross misconduct, so be careful when deciding if you have done everything in your power to become COPPA compliant. Double-check with a legal advisor and avoid relying on half-truths and potential disinformation.
There is a growing concern about how the FTC is handling the enforcement and fining of COPPA violators, but regardless of this, you can still get fined for not complying with it, and some publishing platforms may ban your app or your profile altogether for not complying with this act. Even though the FTC isn't really being tenacious about the enforcement of this act, you can't say that it is completely ignored.
Furthermore, being COPPA compliant gives parents a clear green light that they can allow their children to use the app and/or website. This is a big edge if your business model is built around kids as your primary users.
- August 7, 2017