Best Practices for Designing Age-Appropriate Mobile Apps for Kids
Since 2020, children between the ages of 6 and 12 have said they’ve been spending 50% more time in front of screens each day. Kids are using mobile apps for schoolwork, socializing, and entertainment to an unprecedented extent. As we have been exploring in recent blog posts, various data privacy regulations around the world govern what can and can’t be done with kids’ personal data. However, things are less organized when it comes to a code governing best practices for designing mobile apps for kids. The UK Information Commissioner’s Office (ICO) is the first organization to take a step in this direction, with its age-appropriate code of practice for designing online services. This covers not just data privacy practices, but the very architecture of the app, how it engages with children’s attention, how it advertises to them, and more.
Best Practices for Designing Kids’ Mobile Apps
At its core, the code of best practices released by the ICO hopes to lay down a structure for developers designing mobile apps, and thus make the digital realm safer for kids. In addition to the umbrella data privacy practices prescribed by regulations like COPPA and GDPR-K, the code creates design standards for parental controls, geolocation tracking, nudge techniques, and overall data minimization.
Best Interests of the Child
The #1 standard set by the ICO’s code is that all kids’ apps and online services should be designed primarily with children’s best interests in mind. Basing the concept of “best interests” on the language of the United Nations Convention on the Rights of the Child, the ICO defines this as “safety, health, wellbeing, family relationships, physical, psychological and emotional development, identity, freedom of expression, privacy and agency to form their own views and have them heard” as well as a right to privacy and freedom from economic exploitation.
Data Protection Impact Assessment
The ICO best practices code advocates doing a data protection impact assessment (DPIA) early on in designing apps for kids. This is in line with GDPR guidelines, which require all products to be assessed to mitigate risks to the users’ privacy rights and freedoms as a result of your data processing.
A DPIA should be exercised in the context not only of by-the-letter compliance with privacy regulations, but also of big-picture safety concerns. These include, for example, new technology such as collecting biometric data, online tracking, and large-scale profiling.
For a detailed guide to conducting a DPIA, see the ICO’s walkthrough of the process.
Essentially, it’s the developer’s responsibility to know the ages of their users. This means including an age-verification mechanism, and then applying data-processing practices that maximize security… or just designing your app to include privacy-first data processing for all users.
To learn about how OpenBack’s mobile engagement platform is privacy-first by default, due to its use of device-side computing, read our recent blog post: Data Privacy Health Checklist for Kids’ Apps
Moreover, so children can keep up with the process, it’s key to provide small alerts at each step of the data-leveraging process. These alerts must give them the chance to opt in or withhold their consent.
It’s important to tailor this information to the age of the child using your app. This means using child-friendly language, and including audio and video media for very young children who can’t read yet.
Detrimental Use of Data
This point is self-explanatory. It means you should not use data in ways that are harmful to children, or which go against regulations. While it’s perfectly fine to use the best engagement practices – such as likes, rewards, and other mechanisms – when designing mobile apps for kids, it’s important to stay up to date on government regulations. Make sure you’re not using exploitative methods, such as overly addictive core game loops, continuous scrolling, auto-play videos, etc. Most countries prohibit certain content from being marketed to under-18s, such as gambling, tobacco/alcohol, dating/sexual services, etc.
Default Settings and Data Minimization
All privacy settings must be “high privacy” by default. (Again, when using OpenBack, this is no problem as our default mode is COPPA and GDPR compliant due to the fact that user data never has to leave the device.)
Data minimization is the act of only processing the data your app needs to function properly. For example, geolocation data should be switched off by default. An app like Pokemon GO requires geolocation tracking to be enabled in order to work, but a social media app that doesn’t need such data to function should not be requesting to track it. Moreover, the app should not share kids’ data with a third party without giving a compelling reason to do so.
The ICO code is unique in its approach to parental controls and monitoring. While most child data privacy laws focus on the right of the adult to control who has access to their kids’ data, as well as what content their children are viewing online, this code outlines the right of the child to know when their parents are monitoring their digital or mobile activity. In light of this, the app must always make it clear to the child – in transparent, child-friendly language – whether parental controls are in place, and when they are being monitored.
Profiling and Nudge Techniques
Profiling of children should be switched off by default. That is, you should only be using data to analyze and predict certain digital behaviors of under-18s if you have put safeguards in place against that data being exploited or used for harmful purposes.
Likewise, manipulative “nudge techniques” designed to steer users towards a certain action should be kept to a minimum. Examples include an X button to exit an ad that is very small and difficult for young children to press, or a “Yes” button that is much more prominent than a “No” button. Developers should never include emotionally manipulative tactics meant to drive kids towards watching ads or making purchases. Conversely, consider using nudges to encourage healthy behavior. For example, if a child has been playing your mobile game for longer than 30 minutes, you could send them an in-app message suggesting they go play outside.
To learn tips on the latest data privacy techniques in the mobile industry, or to get a free demo of our privacy-first mobile engagement platform, get in touch with one of our experts for more information.