BBB National Programs Insights

COPPA for App Developers

Jan 28, 2020, 11:00 AM by BBB National Programs

Are you an app publisher looking to make it big with that addictive new game you’ve come up with? Does your imagination spawn brilliant, colorful worlds that are the perfect setting for that mobile app game? Are you looking at ways to monetize your new app with different types of third-party data collection, including interest-based advertising? If you’ve answered “yes” to at least one of these questions, you might want to think about your obligations under the Children’s Online Privacy Protection Act of 1998, also known as COPPA.

What is COPPA?

COPPA is a U.S. privacy law that governs when and how different platforms are allowed to advertise to children (13 and under) online. The law includes some strict requirements that are important to be aware of and understand if you work in mobile app development. Basically, the law outlines when you or your third-party partners are allowed to collect personal information (PI) from children through your app or website.

How does COPPA define personal information?

Broadly speaking, PI under COPPA is any type of information that can identify an individual. This definition includes not only name, home address, screen name, and phone number, but also covers persistent identifiers, such as HTTP cookies or mobile device identifiers, which are technologies commonly used to facilitate interest-based advertising.

So, what are the rules?

Under COPPA, companies must obtain verifiable parental consent when they 1) allow the collection of PI from children they have actual knowledge are under the age of 13, or 2) allow the collection of PI on apps or websites that are child directed. Verifiable parental consent means permission from a parent for the collection of PI, which can be obtained through means such as a consent form, a credit card, answering knowledge-based questions, or providing a copy of a parent’s ID.

What do you mean by child directed?

What does child directed mean? It depends! The term “child directed” turns on legal interpretations of COPPA set out by the Federal Trade Commission (FTC), the U.S. government agency in charge of watching the marketplace for unfair and deceptive advertising practices. Under the FTC regulations, whether an application is child directed or not is based on a multi-factor test, which covers:

  • Subject matter
  • Visual content
  • Use of animated characters
  • Use of child-oriented activities or incentives

Back in 2014, the FTC applied this legal test in its TinyCo settlement. In that case, the FTC stated that a company’s mobile apps were child directed because they “appeal[ed] to children by containing brightly-colored, animated characters… and by involving subject matters such as a zoo, tree house, or resort inspired by a fairy tale.”

Critically, COPPA imposes strict liability on the owners and operators of child-directed services where third parties collect PI. This precludes app publishers from disclaiming data collection practices in their privacy policies with respect to children under the age of 13, and from disclaiming responsibility for the actions of third parties collecting on their apps or websites.

So, if you’re publishing a fantasy game app that might involve particularly cute, cuddly animal characters in a colorful environment, be careful! Your app might be considered child directed, and therefore you may have to get verifiable parental consent before being allowed to collect any data.

What if my app isn’t meant just for kids?

COPPA allows the designation of some child-directed apps as “mixed-audience” when the app does not target children as its primary audience but nonetheless “attract[s] a substantial number of children under 13.” In these circumstances, COPPA allows app publishers to use an age screen to flag users under the age of 13 so they can prevent their third-party partners from collecting PI, obtain parental consent prior to the collection of PI, or point the kids to content that doesn’t involve the collection or use of PI. Essentially, even if your app focuses on older teenagers and doesn’t target kids under 13 as its primary audience, you still have to comply with COPPA if the app is considered mixed audience.

So, let’s say you have a roleplay game app with a whimsical environment and animated characters that you want to monetize with interest-based advertising. Your game, though intended by you for older teenagers, may attract kids under 13 based on its content. In that scenario, you can add an age screen where users enter the year they were born. If the year a user enters puts them under 13, you can engineer your app to halt data collection for targeted ads.
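A sketch of the age screen and collection gate described above, as an added example that is not code from BBB National Programs or the FTC. All function and field names are hypothetical, and two behaviours are design assumptions of this example: a birth year that leaves the user's age ambiguous is treated as under 13, and the first valid answer is kept so a retry with an older year changes nothing.

```javascript
// Added example; every name here is hypothetical.
const AGE_THRESHOLD = 13;
// Fields the article lists as PI, including persistent identifiers.
const PI_FIELDS = ["name", "homeAddress", "screenName", "phoneNumber",
                   "cookieId", "deviceAdId"];

// Classify a year-of-birth entry from the age screen.
function classifyBirthYear(input, currentYear) {
  const text = String(input).trim();
  if (!/^\d{4}$/.test(text)) return "unknown";
  const year = Number(text);
  if (year > currentYear || year < currentYear - 120) return "unknown";
  // A year alone does not say whether this year's birthday has passed,
  // so judge by the youngest age the user could be (conservative assumption).
  const youngestAge = currentYear - year - 1;
  return youngestAge < AGE_THRESHOLD ? "under13" : "13plus";
}

function createCollectionGate(currentYear) {
  let decision = null; // stays null until a valid year is entered
  return {
    submitBirthYear(input) {
      const result = classifyBirthYear(input, currentYear);
      // First valid answer is kept, so re-entering an older year changes nothing.
      if (decision === null && result !== "unknown") decision = result;
      return decision === null ? "unknown" : decision;
    },
    // Payload handed to a third-party ad partner. Anything other than a
    // confirmed "13plus" (including no answer yet) gets the PI fields removed.
    buildAdRequest(event) {
      if (decision === "13plus") return { ...event, interestBased: true };
      const safe = Object.fromEntries(
        Object.entries(event).filter(([key]) => !PI_FIELDS.includes(key)));
      return { ...safe, interestBased: false };
    },
  };
}

// Constructed sample event, not real data.
const SAMPLE_EVENT = { placement: "home_banner", deviceAdId: "sample-ad-id-0001",
                       cookieId: "sample-cookie-0001" };

function demo() {
  const gate = createCollectionGate(2020);
  gate.submitBirthYear("2008");  // under 13 in 2020
  gate.submitBirthYear("1990");  // retry with an older year is ignored
  return gate.buildAdRequest(SAMPLE_EVENT);
}
console.log(demo());
```

In a real app the same decision would also control whether a third-party advertising SDK is initialized at all, since an SDK that is already running can read device identifiers on its own.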

Do I have to follow these rules all the time? Are there any exceptions?

COPPA does list several exceptions that outline instances where verifiable parental consent for the collection of PI is not needed. A key exception is “support for internal operations.” App developers frequently showcase their mobile apps on their own websites in addition to listing them on the various app stores. Customers can even purchase licenses for apps through some of these sites. If your showcase website is setting and requesting HTTP cookies to maintain payment or delivery functions, these internal operations don’t require verifiable parental consent.

Other exceptions for COPPA cover scenarios that don’t involve the automatic collection of data from kids. For example, if the child is providing you with information that is only used to respond to a one-time request, you don’t need to get verifiable parental consent. Finally, if you’re responding to actions you must take as a result of a court order, you also don’t need to get verifiable parental consent.

What else should I be looking out for?

You can work with BBB National Programs’ Children’s Advertising Review Unit, a designated COPPA Safe Harbor, to help come into compliance with the law! If you have a range of apps that you’re publishing that you’re considering monetizing with interest-based advertising, please also reach out to the Digital Advertising Accountability Program about complying with the Digital Advertising Alliance’s best practices for data privacy and interest-based advertising, which also incorporate COPPA’s child-protective rules. 
