What Parents Need to Know About Mobile App and Device Permissions

Sep 17, 2020, 10:18 AM by BBB National Programs

 

If there is one thing most parents know, it’s that Kids. Love. Apps. Kids love apps so much that hundreds of articles highlighting the “best” new apps for kids come out every year; one article even listed 329 of the best new apps for kids. If that sounds overwhelming, there are other articles out there that list the apps that parents should avoid downloading for their kids. But what happens when your child wants to download an app that’s not on any of those lists? 

If you want to evaluate an app to determine how safe your child’s data will be if they use it, start by understanding the permissions the app asks for. Both iOS and Android devices allow apps to ask users for permission to access different information on the device that helps provide the app’s services. For example, a fitness app might ask you to enable your “Motion and Fitness” permission so it can help track calories burned, or a navigation app might ask you to enable your location permission so it can accurately direct your trip.  Apps may request permission for something innocuous, like setting the time zone, however sometimes those permissions are asking to access things that the Children’s Online Privacy Protection Act (COPPA) classifies as personal information. 

Example: Permission to Use Device Location
Example: Permission to Allow Notifications

 

Under COPPA, personal information includes information that can directly identify a child under 13 including their first and last name, home address or precise location, online contact information, or telephone number. If the operator of an online service collects, uses, or shares a child’s personal information, they must provide a notice that explains what they are doing with the personal information. If an operator is sharing personal information with third parties or using it for other purposes such as marketing, they must also get Verifiable Parental Consent (VPC) from the child’s parent or guardian to do so.

To learn more about COPPA, see our blog post “COPPA and Children's Privacy: What Parents Should Know and Do.”

When an app asks permission to access information from your phone, this is different than asking for VPC. App platforms such as Apple and Google require apps to ask for permissions, whereas obtaining VPC is required by law. For VPC to be required when an app asks for personal information, two things need to take place:

    1. The child under 13 is the person providing the personal information. If a parent or other person over 13 is the one providing the personal information (such as a parent uploading a photo of their child to Facebook), no VPC is needed as COPPA only applies to information collected directly from children under 13.
    2. The app is collecting, storing, or sharing the personal information. If the app saves personal information to its own servers, or discloses it to another company for another purpose, then VPC is required.


    To make this distinction clearer, let’s look at a hypothetical app that’s intended for kids under age 13:

    Let’s say an app allows kids to edit photos with silly stickers and effects. To let kids upload their own photos for editing, the app asks for permission to access the photo library on the device. If the app’s privacy policy says that the uploaded photos are not collected or stored to the app’s servers, then no VPC is needed. However, if the app’s privacy policy says the photos are collected or stored to the app’s servers, the app needs to ask the parent separately for their consent to collect the photos prior to allowing the child to upload photos to the app. 


    Here are three best practices to support safe app usage: 

      1. Review the apps’ privacy policy to determine what data it collects, stores, or shares before your child downloads it. The Google Play Store lists all the potential permissions an app may ask for in each Play Store listing. Apple also recently added this information to their App Store with the new release of iOS 14, but until then you can see which permissions an app that you’ve downloaded uses by going to the device Settings. 
      2. Decide what kinds of permissions you are okay with your child granting. If you are not comfortable with an app requesting your child’s exact location (even if that information is not stored or shared by the app), then be sure to use your discretion when looking at apps that need location to operate.
      3. Talk to your child! Once they are using the app, encourage them to ask you before granting any app permissions. Explain why you may be okay granting some permissions but not others. 

If you want to learn more about child-directed advertising and data privacy, but are a beginner, make sure you tune into Kidvertising 101 in November, a seminar that will teach the "need-to-know" basics and best practices for successfully navigating this complex landscape.


Other Blog Articles

Blog

Status Update on Transatlantic Data Transfers: Building Bridges Takes Time

As 2020 draws to a close it is a good time to reflect on learnings about the future of authorized transatlantic data transfer mechanisms. In light of Brexit and continuing developments surrounding Schrems II, we discuss what the structure of the current Privacy Shield Framework can teach us much about what future commercial transfer mechanisms are likely to look like, as well as what businesses can do to shore up their compliance efforts.
Read more
Blog

Operation Income Illusion: A Positive Step by the FTC to Curb Deceptive Income Claims

The Federal Trade Commission (FTC)’s December 14 Operation Income Illusion initiative is a crackdown by the FTC and 19 federal, state, and local law enforcement partners against those that purport to offer significant income opportunities but that end up costing consumers thousands of dollars. This effort is consistent with an ongoing effort in the direct selling industry to ensure income claims are communicated truthfully and accurately.
Read more
Blog

CFBAI and CCAI 2019 Report on Compliance and Progress Published

BBB National Programs has published the Children's Food and Beverage Advertising Initiative (CFBAI) and Children’s Confection Advertising Initiative (CCAI) Report on Compliance and Progress During 2019. The report finds excellent compliance by all companies participating in the programs from January 2019 – December 2019. The report also notes the CFBAI participants’ implementation of stricter Uniform Nutrition Criteria in 2020.
Read more
Blog

CARU’s Year in Review: Defining Kidvertising and Tackling Hot Topics Head On

During an uncertain year, the team at the Children’s Advertising Review Unit (CARU) stayed busy. Through casework, online conferences, an evolving technology landscape, updates to policy and guidelines, and new thought leadership, our efforts furthered our mission to help companies comply with the laws and guidelines that protect children and their personal data.
Read more