Last update: September 2021

6 mins to read - 2018/12/18

How to Comply With COPPA: A 6-Step Guide for Mobile Apps

Today the digital space is moving faster than ever, and the average age for a kid getting their first smartphone is now 10.3 years. Children (and their parents) are looking for unique and engaging mobile apps that allow them to connect and share with other kids across the world. But it’s of paramount importance that those apps are very safe and secure to use. In recent years, if you market your app to kids under 13 in the US, by law you much follow the Children’s Online Privacy Protection Act (COPPA). This act regulates how you collect and store personal information of any under-13 users of your product or mobile app. It is the app’s responsibility to comply with this regulation and keep its users safe. And some companies just aren’t entirely sure how to comply with COPPA.

Violating COPPA by accident is no small matter, with companies including TikTok, YouTube, and Hyperbeard being fined already after data breach scandals. COPPA can be intimidating and difficult to navigate if you’re new to the regulation. So we’ve pulled together a 6-step guide just for you on how to comply with COPPA. This goes for whether you’re thinking about building a children’s mobile app product, or if it’s already up and running.

Download OpenBack’s whitepaper outlining our unique approach to data privacy and regulation compliance:

kids on smartphones how to comply with coppa

What Is COPPA?

The Children’s Online Privacy Protection Act (COPPA) was created to protect the online privacy of children under the age of 13 in the United States. You can read COPPA in its entirety here. But we’ve done our best to some key points below:

  • COPPA only applies to children in the US under the age of 13. If you are a US-based company, then you are expected to protect under-age 13 users globally. However, if your company is based outside of the US, you are only legally obligated under COPPA to protect American children on your platform — or risk a potentially crippling fine from the FTC or even a US State Attorney General.
  • COPPA is designed to protect children’s online privacy and data security. But it doesn’t seek to prevent cyberbullying or profanity
  • COPPA is not just about removing private information. It’s also about having parental consent to collect, use, disclose, track or share private information.
  • COPPA also applies to third-party plugins and services you use. This is a very tricky situation and requires proper due diligence.
  • Website or online service is defined broadly but covers all mobile apps, internet-enabled gaming platforms, plug-ins, ad networks, internet enabled location-based services and IoT devices.

How to comply with COPPA’s “directed to children under 13” stipulation

The FTC will look at various factors to determine if your site or service is directed to children under 13 based on:

  • subject matter
  • visual/audio content
  • animation
  • presence of child celebrities, among other factors.

Even if your website or service doesn’t target children as its primary audience, you may still be held accountable for applying COPPA protections to users under age 13. In this case, you must not collect personal information of users without first collecting age information and/or parental consent.

What is Personal Identifiable Information (PII)?

Its what runs the attention economy, and most “free” websites or mobile apps are in fact funded by the sale of personal data (also known as personal identifiable information or PII) to third-party advertisers. This data includes:

  • full name;
  • home or other physical address, including street name and city or town;
  • online contact information like an email address or other identifier that permits someone to contact a person directly — for example, an IM identifier, VoIP identifier, or video chat identifier;
  • screen name or user name where it functions as online contact information;
  • telephone number;
  • Social Security number;
  • a persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, a push notification token or a unique device identifier;
  • a photo, video, or audio file containing a child’s image or voice;
  • geolocation information sufficient to identify a street name and city or town; or
  • other information about the child or parent that is collected from the child and is combined with one of these identifiers.

The 6 Steps for How to Comply With COPPA

  1. Determine if your company is a website or online services that collects personal information from kids under 13
    • Is your website or online service directed to children under 13, and do you collect PII from them? Are you directed to a general audience but have actual knowledge that you collect PII from children under 13?
  2. Post a privacy policy that complies with COPPA
    • Write a clear and comprehensive description on how you handle PII from kids under 13. Add a clear and prominent link to your site or homepage.
    • To comply, you must include: collected PII, a description of how you collect and use that PII, and a description of parental rights.
  3. Notify parents directly about your information practices before collecting personal information from their kids:
    • COPPA requires a direct notice in which you must inform the parents:
      • that you collected their online contact information for the purpose of getting their consent;
      • that you want to collect personal information from their child;
    • you require their consent for the collection, use, and disclosure of the information;
      • the specific personal information you want to collect and how you might disclose it to others;
      • a link to your online privacy policy;
      • how the parent can give their consent; and
      • if the parent doesn’t consent within a reasonable time, you’ll delete the parent’s online contact information from your records.
  1. Get parents’ verifiable consent before collecting personal information form their kids:
    • You can decide how to collect verifiable consent from parent’s, through the use of a consent form via email or electronic scan, toll-free number, copy of a form of government issued ID or verifiable driver’s license photo ID.
  2. Honor parents’ rights with respect to personal information collected from their kids:
    • If a parent requests, you must enable them to:
      • review their child’s PII,
      • give them a way to revoke their consent and refuse it further, or
      • permanently delete their child’s PII.
  3. Implement reasonable procedures to protect the security of kids’ personal information, such as:
    1. reducing the amount of PII you collect
    2. restrict access to service providers and third parties
    3. hold onto PII only as long as is reasonable necessary for the purpose, and
    4. securely dispose of it once you no longer have a reason for retaining it.

OpenBack Offers a Default COPPA Compliance Mode for Your App

Whether you like it or not, COPPA is here to stay. If you’re new to the children’s online website or mobile app space, we recommend following the 6-step compliance guide to COPPA compliance and keeping up-to-date directly from the website here.

If you’re interested in a fully reliable mobile engagement solution that will enable your app to leverage user data on the device – while remaining 100% regulation compliant – click here to learn more about OpenBack’s hybrid push notification platform.

Or get in touch with one of our experts to learn more.

Download our Mobile Marketing Playbook to perfect your user engagement game!


Data Security and Privacy: OpenBack's Innovative Approach


Translate »