Last update: December 2021


OpenBack Publishes New Data Privacy for Kids’ Apps Playbook

At the height of the digital age, we’re all more connected now than we’ve ever been before. Children and teenagers especially are spending an unprecedented amount of time on mobile devices. In the US, kids between the ages of 6 and 12 have reported their daily screentime has jumped by 50% since the start of the coronavirus pandemic. While this makes now the ideal time to launch a mobile app or game for children, it also means kids’ data privacy has never been more important. In light of this, OpenBack are very excited to announce the launch of our latest whitepaper on data privacy for kids’ apps: Privacy First Mobile Engagement for Kids’ Apps Playbook.

Keep reading for our insights on COPPA, GDPR-K, and what your app can do to be regulation compliant and keep young users safe online.

Data Privacy Regulations for Kids: COPPA and GDPR-K

As a kids’ app developer, the two most important kids’ data privacy regulations you’ll encounter are the Children’s Online Privacy Protection Act (COPPA) of the US, and the EU’s GDPR-K. Both COPPA and GDPR-K outline explicitly what data is protected, for what age groups, and what the penalties are for violations. However, since COPPA is a complete regulation in its own right, and GDPR-K is only a small part of the EU’s larger GDPR (which all apps targeting the European market must comply with in its entirety), our playbook focused mainly on COPPA.

COPPA, which was passed by the US Federal Trade Commission (FTC) in 1998, defines “personal identifying information” as the following:

▶ full name
▶ home or other physical address, including street name and city
▶ online contact information such as email address, IM identifier, VoIP identifier, etc.
▶ screen name or user name
▶ telephone number
▶ social security number
▶ a persistent identifier, such as a cookie number, IP address, or device serial number
▶ a photo, video, or audio file of a child’s image or voice
▶ geolocation information specific enough to identify a city/town/street
▶ any other information about a child combined with the above

What Age Group Does COPPA Cover?

COPPA applies to all tracked data belonging to mobile app users younger than 13 in the US. (Keep in mind that state-level privacy regulations, such as CCPA, may have a different age limit that you will have to adhere to.)

However, in many cases an app or game can appeal to a mixed audience. Or it may be specifically for adults while also drawing in a lot of kids – for example, a mobile game that features characters from the Marvel Universe. This ambiguity has led to a lot of confusion, to the extent that YouTube has washed its hands of COPPA liability for its videos, putting the onus on content creators to flag their own videos as being for kids.

In Section 312.2 of COPPA, the FTC outlines that before labelling their app or content as being “directed to children” developers must consider:

“subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics… as well as whether advertising promoting or appearing on the Web site or online service is directed to children.”

What Are the Penalties for Violating COPPA?

The penalty for violating COPPA is a fine of $43,280 per child per violation. Google and TikTok are both high-profile tech companies that have paid massive fines for violations of COPPA in the past. However, smaller app publishers should never assume they’re flying below the radar.

Hyperbeard, a publisher of kids’ apps and games based in Mexico, was fined $150,000 by the FTC for data privacy breaches. And Canadian publisher KuuHubb Inc. was fined $3 million. It’s important to note that, while both of these publishers are based outside the United States, they are still liable for COPPA violations for users living in the US. Moreover, it was actually due to the data-tracking activity of 3rd-party SDKs which the publishers had installed in their apps that they were found to be violating COPPA. This is crucial for app developers to keep in mind: as a publisher, you are liable for the data tracking activity of SDKs integrated into your apps.

What Are the 4 Key Pillars of Data Privacy Regulation Compliance?

The following key pillars can be used as good rules of thumb for complying with any privacy regulation in general, and COPPA in particular. To follow good data processing practices, kids’ apps should only track user data when it’s necessary for the app’s UX. And even then, try to minimize the amount of data you track, and delete it once it’s no longer needed. Apps should then ensure that utmost care is taken to keep data secure – that is, it shouldn’t be accessible to any 3rd parties. And the user should always be able to request to have their personal data erased at any time.

The 4th pillar that most kids’ apps will encounter is the requirement to gain parental consent to track the data of app users younger than 13. The parental consent gate can have repercussions when it comes to app UX. The verifiable parental consent (VPC) flow can often be clunky, and there is a likelihood that parents will deny consent.

OpenBack’s Device-Side Data Hybrid Mobile Engagement Platform Is the Key to Compliance

The parental consent mechanism is often the primary stumbling block that many kids’ apps encounter when it comes to data privacy compliance. OpenBack solves this problem of either/or with its hybrid mobile engagement platform that uses machine learning and device-side data processing to leverage data points entirely on the user’s device. With all user data being leveraged 100% on-device, it never has to be transported to a cloud server, or be accessible to 3rd parties. With OpenBack’s default data privacy mode, personal data stays 100% under the user’s control and ownership. As such, leveraging this data for internal purposes is fully COPPA and GDPR-K compliant. And there’s no need to request parental consent.

To learn more about OpenBack’s groundbreaking approach to data privacy, and other benefits to processing user data on-device, get in touch with one of our experts.
