BBB National Programs Insights
COPPA for App Developers
Are you an app publisher looking to make it big with that addictive new game you’ve come up with? Does your imagination spawn brilliant, colorful worlds that are the perfect setting for that mobile app game? Are you looking at ways to monetize your new app with different types of third-party data collection, including interest-based advertising? If you’ve answered “yes” to at least one of these questions, you might want to think about your obligations under the Children’s Online Privacy Protection Act of 1998, also known as COPPA.
What is COPPA?
COPPA is a U.S. privacy law that governs when and how different platforms are allowed to advertise to children (13 and under) online. The law includes some strict requirements that are important to be aware of and understand if you work in mobile app development. Basically, the law outlines when you or your third-party partners are allowed to collect personal information (PI) from children through your app or website.
How does COPPA define personal information?
Broadly speaking, PI under COPPA is any type of information that can identify an individual. This definition includes not only name, home address, screen name, and phone number, but also covers persistent identifiers, such as HTTP cookies or mobile device identifiers, which are technologies commonly used to facilitate interest-based advertising.
So, what are the rules?
Under COPPA, companies must obtain verifiable parental consent when they 1) allow the collection of PI from children they have actual knowledge are under the age of 13, or 2) allow the collection of PI on apps or websites that are child directed. Verifiable parental consent means permission from a parent for the collection of PI, which can be obtained through means such as a consent form, a credit card, answering knowledge-based questions, or providing a copy of a parent’s ID.
What do you mean by child directed?
What does child directed mean? It depends! The term “child directed” turns on legal interpretations of COPPA set out by the Federal Trade Commission (FTC), the U.S. government agency in charge of watching the marketplace for unfair and deceptive advertising practices. Under the FTC regulations, whether an application is child directed or not is based on a multi-factor test, which covers:
- Subject matter
- Visual content
- Use of animated characters
- Use of child-oriented activities or incentives
Back in 2014, the FTC applied this legal test in its TinyCo settlement. In that case, the FTC stated that a company’s mobile apps were child directed because they “appeal[ed] to children by containing brightly-colored, animated characters… and by involving subject matters such as a zoo, tree house, or resort inspired by a fairy tale.”
Critically, COPPA imposes strict liability on the owners and operators of child-directed services where third parties collect PI. This precludes app publishers from disclaiming data collection practices in their privacy policies with respect to children under the age of 13, and from disclaiming responsibility for the actions of third parties collecting on its app or website.
So, if you’re publishing a fantasy game app that might involve particularly cute, cuddly animal characters in a colorful environment, be careful! Your app might be considered child directed, and therefore you may have to get verifiable parental consent before being allowed to collect any data.
What if my app isn’t meant just for kids?
COPPA allows the designation of some child-directed apps as “mixed-audience” when the app does not target children as its primary audience but nonetheless “attract[s] a substantial number of children under 13.” In these circumstances, COPPA allows app publishers to use an age screen to flag users under the age of 13 so they can prevent their third-party partners from collecting PI, obtain parental consent prior to the collection of PI, or point the kids to content that doesn’t involve the collection or use of PI. Essentially, even if your app doesn’t target under 13-year-old kids as its primary audience and focuses on older teenagers, if the app is considered mixed audience, you still have to comply with COPPA.
So, let’s say you have a roleplay game app that you want to monetize with interest-based advertising that has a whimsical environment with animated characters. Your game, though intended by you for older teenagers, may attract under 13-year-old kids based on its content. In that scenario, you can add an age screen where users enter the year they were born. If users enter an under-13 age, you can engineer your app to halt data collection for targeted ads.
Do I have to follow these rules all the time? Are there any exceptions?
COPPA does list several exceptions that outline instances where verifiable parental consent for the collection of PI is not needed. A key exception is “support for internal operations.” App developers frequently showcase their mobile apps on their own websites in addition to listing them on the various app stores. Customers can even purchase licenses for apps through some of these sites. If your showcase website is setting and requesting HTTP cookies to maintain payment or delivery functions, these internal operations don’t require verifiable parental consent.
Other exceptions for COPPA cover scenarios that don’t involve the automatic collection of data from kids. For example, if the child is providing you with information that is only used to respond to a one-time request, you don’t need to get verifiable parental consent. Finally, if you’re responding to actions you must take as result of a court order, you also don’t need to get verifiable parental consent.
What else should I be looking out for?
You can work with BBB National Programs’ Children’s Advertising Review Unit, a designated COPPA Safe Harbor, to help come into compliance with the law! If you have a range of apps that you’re publishing that you’re considering monetizing with interest-based advertising, please also reach out to the Digital Advertising Accountability Program about complying with the Digital Advertising Alliance’s best practices for data privacy and interest-based advertising, which also incorporate COPPA’s child-protective rules.