Last update: August 2021

4 mins to read - 2021/08/11

A Beginner’s Guide to COPPA Compliance

As mobile device users – which is all of us – become more aware of the digital trail we leave behind, it’s crucial for mobile apps to be transparent and regulation-compliant with the way they interact with user data. This is even more important when it comes to your user base who are minors. Children are a robust market in the mobile industry, with a census by Common Sense Media showing that 53% of kids have their first smartphone by age 11. App developers and mobile marketers understandably want a piece of that market. But how can you ensure your app is complying with local data privacy regulations (which, in the US, means COPPA)? For a beginner’s guide to COPPA compliance for mobile apps and games, read on.


A Beginner’s Guide: What Is COPPA?

First of all, COPPA is short for Children’s Online Privacy Protection Act. It is enforced by the US Federal Trade Commission (FTC). You can read the full document on the FTC website, but in short, COPPA was created to protect the personal data of children younger than 13.

COPPA dates back to 1996, so obviously the digital sphere was a lot different back then. With the internet still in its dial-up stages, the “personal data” COPPA sought to protect mainly dealt with basics such as name, address, phone number, social security number, etc. Now we have a much more sophisticated understanding of data, and the risks of its misuse are far vaster. According to the FTC, personally identifiable data (PII) can consist of:

  • full name;

  • home or other physical address, including street name and city or town;

  • online contact information like an email address or other identifier that permits someone to contact a person directly — for example, an IM identifier, VoIP identifier, or video chat identifier;

  • screen name or user name where it functions as online contact information;

  • telephone number;

  • Social Security number;

  • a persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier;

  • a photo, video, or audio file containing a child’s image or voice;

  • geolocation information sufficient to identify a street name and city or town; or

  • other information about the child or parent that is collected from the child and is combined with one of these identifiers.

As such, the FTC has reviewed COPPA considerably over the years. COPPA has undergone many updates to keep it relevant to the times. Now, removing any personal or behavioral data from the device of an app user younger than 13 requires you to gain parental consent first.

This seems like it should be a simple enough regulation to follow, but it has proved problematic for many apps and studios. YouTube and TikTok in particular are repeat offenders, consistently falling afoul of the regulation. To many, it seems as though the value of processing user data is worth even the hefty fines that these apps incur.

Are You Applicable?

COPPA compliance can seem like a minefield, especially for apps that target a wide range of age groups. There has been confusion in the past about whether apps that target a “mixed audience” are responsible for tailoring their data practices to comply with COPPA. Essentially, if your apps or games are deliberately targeting children – or, even if the content can be enjoyed by users of all ages, it’s primarily geared towards children – then yes. You fall under COPPA rules.

As COPPA is a regulation under US jurisdiction, any app company registered in the United States must comply if it targets users younger than 13. However, companies outside of the US can be liable as well, if their app is installed by users in the United States. Mexico’s largest mobile games developer, HyperBeard, was fined $150,000 for COPPA violations for allowing 3rd-party marketers to collect its users’ data and then send targeted ads to users younger than 13.

Even though HyperBeard had crossover appeal, with adults downloading its games as well, the FTC ruled that its games primarily targeted kids, due to their bright colors, cute characters, and cartoonish sound effects. So that is something worth considering… Even if you claim your app doesn’t specifically target children, the FTC may think otherwise.

How to Comply?

If you are going to be removing the data of users below 13 years old from their device for any reason, you have to gain parental consent first. You also have to make sure you have a clearly worded privacy policy that is in an easy-to-access part of your website.

When it comes to children’s apps – both in the eyes of the FTC and just generally the way the industry is going – transparency is king. It’s advisable that you include in your privacy policy a statement of why you’re collecting user data, and how it benefits the app. For example, parents may be more understanding towards having their children’s data collected for the purpose of personalizing content, or making sure you don’t send notifications during inappropriate hours, such as during school or in the middle of the night. You must ensure that children’s data isn’t stored any longer than is necessary, and if parents request to see it you must comply.

Beginner’s Support: OpenBack Default Mode Can Guide You Through COPPA Compliance

For mobile apps that want to make sure they’re dealing with users’ data responsibly while staying COPPA compliant, OpenBack is your best bet. OpenBack offers a default data privacy (including COPPA) regulation compliance mode. Thanks to our hybrid platform, which uses machine learning and mobile edge computing to process user data directly on the device, data never has to be removed to a 3rd-party server. Since data remains on the device and in the user’s possession, there are no data security risks your app is liable for. Using our innovative data privacy mode to send push notifications and in-app messages, your mobile app is COPPA-compliant by default, and there is no need to request parental consent.

Get in touch with one of our experts to learn more about using OpenBack.
