Hannah Peretz, Head of Strategic Partnerships, KIDOZ
Everyone is talking about COPPA & GDPR, but what does it mean for app developers, and why should they comply?
Featuring tips and examples by Shai Samet, the founder of kidSAFE Seal Program, and Claire Quinn, VP Compliance at PRIVO.
A simple game with a cute interface, preferably combined with educational content, is often thought to be the perfect recipe for a successful app for kids. No doubt these are the main ingredients, but to have an app that will truly make it in the long run, a developer must be very thoughtful when it comes to the app’s monetization strategy, and ensure its genuine kid-friendliness – not only in interface and content – but also with respect to data, ads, third party SDKs, and security.
So, what exactly does it take these days to create a kid-friendly app? In addition to great content, anyone creating products for kids must follow privacy specifications. However, since COPPA (the Children’s Online Privacy Protection Act) was passed by Congress in 1998, the digital landscape has changed drastically. As a result, COPPA has had to evolve to address new needs for mobile apps, online games, and just about every other aspect of a young person’s digital footprint.
In 2016, the EU adopted a new law to replace its outdated data protection directive from 1995. The General Data Protection Regulation (GDPR) no longer left it up to the individual member states to decide how to implement data protection, and required that every service or product dealing with EU citizens comply, even if the company behind it was not European. The regulation took effect in May 2018, and app developers were whipped into a new frenzy. Under it, companies are required to take more responsibility for the data they collect, and more users are becoming informed about their rights.
Most recently, app developers who develop for kids are being forced to opt in to Google Play’s Designed for Families program if they want their apps included in the Store. This requirement ensures developers will be more attentive to COPPA regulations and ensure their apps and the third-party services they include are compliant.
Through KIDOZ, a COPPA-compliant content platform and monetization service, we have worked with hundreds of developers and device makers to provide great products for kids. We want to reassure developers that there IS something they can do. So then, what factors must developers keep in mind when creating apps for kids?
Simple solution? Design products that do not collect personal information
Parental consent can be a conversion killer. In accordance with COPPA, to collect and store personal information from kids, developers need to get prior parental consent. An extra step is required if information is shared with third parties, and in the case of GDPR, an additional ‘responsible adult’ verification is also needed. There are a variety of solutions for handling consent, including credit card authorization, email verification and digital images of a driver’s license, to name a few, but regardless of the method, requiring this extra step can drop conversions and usage dramatically.
The simplest solution is to design your apps in such a way that no personal information, or only the smallest amount of information necessary, is collected. And in fact, if your app functionality does not rely on personal information, why even collect it in the first place?
Only work with certified COPPA- and GDPR-compliant partners
But if you want to monetize your app, or get analytics about its performance, what do you do? Even if you build a product that is compliant, nearly every third-party service you might want to use, such as ad network SDKs, analytics SDKs or social plugins, is likely not compliant. And if a third-party service you integrate is not compliant and collects or shares kids’ personal information, your app will be held accountable.
For example, nearly all ad networks keep the device ID of users; this information is considered personal information, and should not be collected, especially if it is being used for targeted advertising.
Ad networks like KIDOZ have undergone stringent compliance processes for both COPPA and GDPR. If you’re using other networks, be sure to ask them to officially state in writing that they support fully COPPA- and GDPR-compliant methods and that your account is set to provide COPPA demand only.
Do your research, and ensure you are responsible for your compliance
We chatted with Shai Samet, the founder of kidSAFE, and Claire Quinn, VP Compliance at PRIVO. Both kidSAFE and PRIVO help the industry abide by privacy laws for kids, and ensure there are great digital resources for children. We discussed how developers can ensure they are following regulations when creating products for kids.
Hannah, KIDOZ: With regards to COPPA, what are the main things developers should keep in mind when planning on creating an app?
Shai, kidSAFE: COPPA compliance has to be built in from the very beginning stages of app development and design. Otherwise, you’ll find yourself having to make big adjustments later on, when it is often too costly or too late to make changes.
This is important also for purposes of getting your apps approved on app stores like Google Play. According to Google policies, it appears that “apps that are primarily child-directed must participate in the Designed for Families program.” A notable strength of the DFF program is that it requires relevant app developers to represent that they comply with COPPA before they can be listed within the Google Play Store. From a privacy-protection perspective, this effectively forces developers to consider their COPPA obligations, and, potentially, take steps to minimize data collection or implement parental notice and consent procedures. But this must be done at the early stages of development, not when it is time to submit your app for approval by Google.
When planning for COPPA compliance, developers need to address five key questions:
(1) Is the data they want to collect inside their app covered under COPPA: While information such as full name, physical address, and phone number are clearly personal information, many companies overlook more esoteric items, such as recordings of a child’s voice or, in some cases, identifiers such as IDFA or IP address. App developers need to keep a complete list of all data they are collecting and should evaluate if each item would be considered personal information under COPPA.
(2) Are the features they wish to offer covered under COPPA: Many apps include YouTube videos and sharing features for social media like Twitter, Instagram, or Facebook. Developers may think that they can integrate these features into their app given how popular they are and the size of the companies in question. However, these features may pose COPPA risks, and developers will need to be cautious about using any third-party plug-ins that could collect or process a child’s personal information.
(3) Which third-party SDKs can they integrate without running afoul of COPPA: Some third-party SDKs may collect and use personal information for their own purposes. Others may collect what seems to be non-personal information about a child (e.g. answers to a quiz), but may link this data to personal information or use it for marketing purposes, both of which could present issues under COPPA. It is important to not only vet the data collection and use practices of any third-party provider, but also ensure they are capable of protecting any personal information you share with them in a secure and confidential manner.
(4) When should they use a parental gate (such as a math equation) versus an age screen mechanism (such as a date of birth question): Age screening can be used to enhance your COPPA compliance, but it is not a cure-all and doesn’t work in all cases. For example, a check box attesting to being over 13 is not COPPA-compliant. Additionally, parental gates (such as math questions) may be appropriate to keep kids out of app settings or other parent-focused areas not meant for them, but full and neutral age gating is often required in situations where personal data will be collected behind the age gate.
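The distinction drawn in point (4) above is easy to get wrong in code, so here is an added example (written for this page; it is not code from the article, KIDOZ, kidSAFE or PRIVO) showing the two mechanisms side by side: a neutral date-of-birth age screen whose result is sticky per install, and an arithmetic parental gate for parent-only areas. It assumes the app keeps one `AgeScreenSession` object per install and routes a `CHILD` result to a mode that collects no personal information; the prompt wording, the 130-year sanity bound and the gate's number ranges are illustrative choices, not requirements from the page.

```python
"""Neutral age screen and parental gate for a kids' app.

Added example for this article; not code from KIDOZ, kidSAFE or PRIVO.
Assumed (not from the page): the app persists one AgeScreenSession per install
and sends Outcome.CHILD to a no-personal-data experience.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
import random
from typing import Optional, Tuple

COPPA_CHILD_AGE = 13  # COPPA covers children under 13

# A neutral screen asks only for the date of birth. It must not hint that 13
# is the threshold, which is why the prompt text mentions no age at all.
AGE_PROMPT = "Please enter your date of birth (YYYY-MM-DD)"


class Outcome(Enum):
    CHILD = "child"          # under 13: no personal information without parental consent
    NOT_CHILD = "not_child"  # 13 or over
    INVALID = "invalid"      # unparseable or impossible date; nothing is recorded


@dataclass
class AgeScreenSession:
    """Per-install state so a retry cannot upgrade a CHILD result to NOT_CHILD."""
    outcome: Optional[Outcome] = None


def age_in_years(dob: date, today: date) -> int:
    """Whole years completed, honouring the birthday not yet reached this year."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def neutral_age_screen(session: AgeScreenSession, dob_text: str, today: date) -> Outcome:
    """Classify the user from a typed date of birth.

    The first valid answer is stored on the session and returned for every
    later call, so pressing back and entering a different date does not reopen
    the gate. Invalid input is rejected without touching the session.
    """
    if session.outcome is not None:
        return session.outcome
    try:
        dob = date.fromisoformat(dob_text.strip())
    except ValueError:
        return Outcome.INVALID
    if dob > today or age_in_years(dob, today) > 130:  # 130: assumed sanity bound
        return Outcome.INVALID
    is_child = age_in_years(dob, today) < COPPA_CHILD_AGE
    session.outcome = Outcome.CHILD if is_child else Outcome.NOT_CHILD
    return session.outcome


def make_parental_gate(rng: Optional[random.Random] = None) -> Tuple[str, int]:
    """Arithmetic challenge for parent-only areas (settings, external links).

    This is a friction control, not identity verification: it keeps a small
    child out of a settings screen, but it must not be what unlocks collection
    of personal information. The numbers are drawn fresh for every display so
    a memorised answer does not carry over.
    """
    rng = rng or random.Random()
    a, b = rng.randint(11, 29), rng.randint(3, 9)
    return f"To continue, what is {a} x {b}?", a * b


def check_parental_gate(expected: int, answer_text: str) -> bool:
    """True only when the typed answer is the exact integer product."""
    try:
        return int(answer_text.strip()) == expected
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed walk-through: a child answers, then tries again with an adult date.
    session = AgeScreenSession()
    today = date(2019, 6, 14)
    print(AGE_PROMPT)
    print(neutral_age_screen(session, "2009-09-01", today))   # Outcome.CHILD
    print(neutral_age_screen(session, "1985-01-01", today))   # still Outcome.CHILD
    question, answer = make_parental_gate(random.Random(7))
    print(question, check_parental_gate(answer, str(answer)))
```

The two functions are deliberately separate: `neutral_age_screen` decides whether personal-data features may be offered at all, while `make_parental_gate` only guards screens that the article says a gate is appropriate for. Keeping them apart avoids the mistake of treating a solved math question as evidence of age.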
Claire, PRIVO: Developers should understand the implications of implementing third-party SDKs in relation to tracking users, as well as carry out continuing monitoring of SDKs, or face regulatory privacy compliance issues that can result in hefty fines and brand damage. Understanding exactly what an SDK is doing is vital. Attribution and install tracking are key issues that we come across time and again. A developer should consider not just the issues of tracking that come with interest-based ads and ad partners but how they treat the user data they may have across all their own apps. Tracking across apps owned by one operator to build a profile of the child and market to them needs to be handled in a compliant way too.
It’s also important to understand how to align COPPA compliance with app store requirements when building an app. For example, apps in Apple’s Kids category require a parent gate over any links out, but a parent gate is not COPPA compliant and is easily circumvented by a bright seven year old or younger these days. Transparency is key: state clearly what is collected, how it is used and how parents can make contact in privacy notices. Baking privacy by design into apps from the start will ensure a foundation to build on, to support monetisation, life-time value and engagement.
The UK’s data protection authority will soon publish an age-appropriate design code for children’s apps, a requirement of the Data Protection Act, which will support developers globally to get it right, out of the gate.
Parental gate by SmartStudy Pinkfong
Hannah, KIDOZ: What are the key features of COPPA that pertain to mobile apps?
Shai, kidSAFE: The features inside of mobile apps that are most affected by COPPA are push notifications, social sharing plugins, third-party SDKs, and ad networks. In December 2015, the Federal Trade Commission finally brought its first COPPA enforcement case against app developers for allowing targeted advertising within their apps; and followed up in 2018 with a similar, but much larger COPPA case against Oath (formerly, AOL).
Claire, PRIVO: Apps do have some specific features that need to be addressed under COPPA such as persistent identifiers used to track users, attribution and push notifications. Mixed audience age gates must also be employed compliantly and are not always appropriate despite the fact we see many apps using them.
Hannah, KIDOZ: Businesses and developers are running the gamut from trying to decide whether to stop all marketing to Europe or to invest the time and money needed to implement collection practices and consent procedures that will comply with all regulations. What, in your opinion, is the practical value of being compliant?
Shai, kidSAFE: More than anything, it means being able to secure more business with potential partners and licensees/licensors, as most big brands/companies today won’t work with you if they can’t confirm your compliance. Being compliant also means mitigating the threat of a lawsuit from the FTC, State Attorney General, and possibly others. As we’ve seen, getting fined is no laughing matter.
With that said, there is likely no situation in which stopping EU activity is advisable over working towards GDPR compliance. First, there is always the danger that you or one of your vendors will continue to collect data, possibly unknowingly, from EU citizens. If this were to occur, EU enforcement bodies are likely to look disfavorably on your attempts to circumvent compliance.
Additionally, the GDPR is serving as a template for privacy laws across the globe. For example, the recent California Consumer Privacy Act (CCPA) was signed into law and includes many provisions similar to the GDPR. Because of the parallels between these laws, businesses and developers who have already undertaken the time and expense to comply with GDPR are well situated to comply with CCPA and already have many of the procedures (such as responding to requests for deletion) in place that would be required under CCPA.
The GDPR is the forerunner, but there will be more privacy laws like it across the world in the coming years. CCPA is just one of many laws that will be designed to bring GDPR-style protection to non-EU countries. As more GDPR-style laws are created, such as those in China, India and Brazil, it will become increasingly untenable for a business to simply withdraw from the relevant geographic areas. Eventually, creating technical barriers and workarounds in response to each of these laws will become an onerous chore more difficult and costly than simply taking the steps to build a compliant service globally.
Claire, PRIVO: Closing the door on EU marketing is shutting the door on business growth. If an app complies with COPPA in the US it’s part way there when it comes to processing children’s data in the EU. Working with a program that can support compliance with the GDPR is a relatively small investment that will reap returns. GDPRkids™ Privacy Assured Program can do just that. Apps are under the spotlight, not just the scrutiny of the FTC but we have seen State Attorneys General bringing actions for violations and a number of hard-hitting reports on tracking issues in the headlines. The risk of a fine and brand damage is clear but an often overlooked risk is missed opportunity. Working with a significant demographic, children, rather than just blocking them can bring rewards.
The record settlement with Oath in 2018 was for a whopping $4.95 million in penalties for violating COPPA, marking the largest penalty ever in a COPPA enforcement case.
And now with the EU’s GDPR in force, the stakes are even higher. The GDPR affects all companies dealing with European citizens – and it allows for much larger fines than COPPA: 4 percent of turnover or €20 million, whichever is greater. Perhaps even more worryingly, it puts in place a framework for private lawsuits.
With COPPA and GDPR always in mind and using the right tools, developers can focus on creating the best products for kids. As mobile usage among kids is becoming the standard, better clarity about good practice is coming and behavior that was once acceptable is now a risk not worth taking. App developers must take the time to understand the legal implications of making products for kids, and can no longer afford to ignore compliance requirements. By ensuring we are following regulations, we are all creating a safe digital environment where kids can learn and grow.
About kidSAFE: Founded in 2010, the kidSAFE Seal Program’s mission is to make the Internet and digital ecosystem better for children around the world. kidSAFE does this by partnering with companies of all sizes and at all stages of development to help ensure that their child-focused apps and technologies are safely designed and privacy compliant. kidSAFE offers a variety of consulting, auditing, and certification services aligned with online safety best practices and legal privacy frameworks, including its flagship COPPA program which has been granted Safe Harbor status by the Federal Trade Commission.
About PRIVO: PRIVO is an FTC-approved COPPA safe harbor that provides online privacy compliance for COPPA, GDPR and student digital privacy laws and best practices, in addition to offering a robust customer identity and permission management platform that enables companies to legally and safely engage with children and their families online.