COPPA Violation and Its Consequences: How Your App Can Avoid It
Last week we published a basic breakdown of COPPA and GDPR-K, comparing and contrasting the two most widely known children’s data privacy regulations. While the FTC’s COPPA guidelines are complete in their own right, GDPR-K is just one article (Article 8) in the larger regulation of GDPR. Companies and organizations are regularly being penalized for GDPR violations – Google was fined $57 million in 2020 for failing to acknowledge how its users’ data is processed. However, violations of minors’ data tends to be lumped under the umbrella of GDPR. So this week we will focus mostly on the consequences of COPPA violation, and how you can avoid them.
Download OpenBack’s whitepaper outlining our unique approach to data privacy and regulation compliance:
Recent Incidents of COPPA Violations
There’s a temptation to assume that smaller developers will fly below the FTC’s radar, as they will be too busy going after high-profile companies that make billions in profit each year. And it’s true, digital giants like Google, Facebook, and TikTok are repeat offenders, for both COPPA and GDPR. However, this isn’t because regulatory bodies only go after the big fish; rather, it’s because they’ve become so big that it’s more profitable for them to continue using shady data-processing methods and pay the fines if they get caught.
Smaller apps and publishers are just as liable to be fined for COPPA violations. In 2020, Mexican app studio HyperBeard was fined $4 million (which HyperBeard was unable to pay, so the penalty was settled upon payment of $150,000). And in July 2021, KuuHuub, based in Toronto, were fined $100,000 for their coloring book app Recolor’s allowing 3rd-parties to harvest the data of users younger than 13, for targeted advertising purposes. Any mobile app based in the US – or whose users are based in the US and are younger than 13 – falls under the purview of COPPA, no matter how small they are. So all must do their due diligence to stay compliant.
What Qualifies as Violating COPPA?
lnterestingly, the two developers mentioned above – Kuuhuu and Hyperbeard – suffered the consequences for violation of COPPA not for processing children’s data themselves. In fact, they both were found to be in breach of the data privacy regulation for allowing 3rd-parties to collect kids’ data through their apps. Advertisers then used the data to send targeted ads towards users, including those younger than 13. As both of these developers published free-to-play (F2P) apps, in-app advertising as well as in-app purchases made up their business model.
Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, states:
“If your app or website is directed to kids, you’ve got to make sure parents are in the loop before you collect children’s personal information. This includes allowing someone else, such as an ad network, to collect persistent identifiers, like advertising IDs or cookies, in order to serve behavioral advertising.”
More recently, a similar case occurred in New Mexico, where Rovio Entertainment (the publisher of the Angry Bird apps) was sued by the state’s Attorney General for collecting the personal data of users than 13 and sharing it with advertisers through SDKs embedded in the app. What’s more, Rovio failed to obtain parental consent to share kids’ data, which is a requirement if you intend to process the data of minors in the US.
This is key to remember: even if your COPPA violation is by proxy, you will still be slapped with the consequences. And even if your app is used by a mixed audience, if it’s overtly designed or marketed towards kids, you need to abide by COPPA.
What Are the Consequences for Committing COPPA Violations?
It’s worth comparing the penalties for GDPR-K to compare them with that of COPPA. For violations of GDPR, there are two tiers of penalty, depending on which specific articles are violated. Violations of Article 8 (GDPR-K) fall into the lower tier, which incurs a fine of upt to €10 million, or 2% annual global turnover – whichever is higher.
For COPPA violation, the consequence is a fine of $43,280 per child per violation. Although in some cases, as with Hyperbeard mentioned above, the FTC will let the developer off with a lighter penalty, if they can prove they are making all efforts to comply with COPPA in the future.
How Can You Be Sure Your App Is COPPA Compliant?
In the case of the app developers mentioned above – Hyperbeard, KuuHuub, and Rovio – they were penalized for COPPA violations not explicitly because of their own data processing, but for that of 3rd-party advertisers. In this case, they were sharing users’ sensitive data vicariously, through SDKs embedded in the app. It’s possible that they weren’t even aware that they were liable to be penalized for the data processing done by these 3rd-party SDKs. (Not that pleading ignorance will get you far in court.)
To avoid being caught for the illegal data processing of 3rd-party software, make sure you only embed SDKs that are fully COPPA compliant. OpenBack is the only push notification platform that is COPPA and GDPR-K compliant by default, due to our hybrid platform that uses mobile edge computing to process user data directly on the device. Since the data never has to leave the device, this means your app isn’t responsible for data security risks. It also means you can leverage user data safely in order to send users personalized push notifications, without having to obtain parental consent beforehand.
By using OpenBack for your mobile engagement platform, being compliant with COPPA and GDPR-K is easy with our default data privacy mode. To learn more about how OpenBack can help you monetize your mobile app while staying on the right side of all local data privacy regulations, get in touch with one of our experts.