COPPA vs. GDPR-K: A Privacy Regulation Breakdown
When it comes to data privacy in children’s apps, depending on where your app and your users are located, you are going to fall under one or both of the two main regulations: COPPA in the United States and GDPR-K in the European Union. Most people know that both deal with the online data privacy of children, but the two differ in origin, scope, and enforcement. For mobile apps just starting to dip their toe into the world of children’s data privacy, here are some key areas where these two regulations diverge.
1. COPPA Is Its Own Regulation – GDPR-K Is an Article in a Larger Regulation
This may seem like a technicality, but the fact that COPPA is its own complete statute, with its own implementing rule from the FTC (the COPPA Rule, 16 CFR Part 312), affects both its weight and how developers think about it. App and website developers may do a lot of research on how they can be COPPA compliant. To cover all their bases, they may even enrol in one of the FTC-approved Safe Harbor programs to earn a bona fide COPPA compliance seal.
On the other hand, GDPR-K is simply another name for Article 8 of the GDPR, which sets the conditions for a child’s consent in relation to information society services. It is meant to be read in the context of GDPR as a whole, rather than independently of it. (COPPA, by contrast, stands entirely apart from, say, HIPAA.) As such, there is far less emphasis on kids’ apps in Europe being “GDPR-K compliant”: any app that processes the personal data of people in the European Union is required to comply with GDPR in its entirety, and that includes Article 8 by default.
2. COPPA Has Been Around for Over 20 Years
COPPA, or the Children’s Online Privacy Protection Act, was passed in 1998 and took effect in 2000, when the digital world and the risks of a data breach were much less complicated than they are now. As such, its original wording concerns itself more with keeping children safe from identity theft or from having their physical address uncovered. Now, big data operates at a scale that we couldn’t have imagined twenty years ago, and we understand that virtually any data trace we leave behind has the potential for misuse. Periodically, the FTC has had to revisit the COPPA Rule to keep up with the changing times, most notably in the 2013 amendments that added persistent identifiers, geolocation, and photos, video, and audio to the definition of personal information.
GDPR, conversely, has applied since 25 May 2018. In many ways it is a modernised successor to the Data Protection Directive of 1995, which it repealed. The European Commission published its proposal in January 2012, amid growing litigation over practices such as Google’s scanning of the contents of users’ emails, and the European Parliament and Council adopted the final text in April 2016. The Cambridge Analytica story, which broke in full in March 2018, came too late to shape the drafting, although it arrived just weeks before the regulation took effect and coloured how it was received. Either way, the entire regulation reflects a more sophisticated understanding of the risks of data misuse than the one that went into the initial drafting of COPPA.
3. What Kind of Data Do COPPA and GDPR-K Cover?
GDPR is very explicit about what it considers to be “personal data” (Article 4(1)):
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…
It also defines other terms that have come into play in the digital and mobile sector, including consent, genetic and biometric data, profiling, pseudonymisation, processing, and third parties.
Because the GDPR definition turns on identifiability, almost anything that can be linked back to a child, directly or indirectly, is personal data. COPPA takes the opposite approach: the COPPA Rule (16 CFR 312.2) lists specific categories of “personal information”. Several of those categories concern a child’s physical person or location, but the list also covers purely digital traces such as persistent identifiers, so an app that never asks for a name or address can still be collecting personal information under COPPA. The categories are:
(1) A first and last name;
(2) A home or other physical address including street name and name of a city or town;
(3) Online contact information as defined in this section;
(4) A screen or user name where it functions in the same manner as online contact information, as defined in this section;
(5) A telephone number;
(6) A Social Security number;
(7) A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier;
(8) A photograph, video, or audio file where such file contains a child’s image or voice;
(9) Geolocation information sufficient to identify street name and name of a city or town; or
(10) Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.
4. What Age Do They Consider to be a “Minor”?
Under Article 8, GDPR-K treats any user of an online service younger than 16 as a child for the purposes of consent. Interestingly, “Member States [of the EU] may provide by law for a lower age for those purposes provided that such lower age is not below 13 years,” and a number of them have done so, which means the threshold varies by country within the EU.
COPPA applies to children under 13. For both regulations, if your user is under the relevant age, you need consent from a parent (or, in GDPR terms, the holder of parental responsibility) before collecting their personal data. Note the difference in trigger: COPPA requires verifiable parental consent before collecting personal information from a child at all, subject to a few narrow exceptions, whereas Article 8 applies where your lawful basis for processing is consent and the service is offered directly to a child.
5. What Are the Penalties for Violation?
COPPA’s civil penalty is currently $43,280 per violation, a figure the FTC adjusts annually for inflation. For apps with vast user bases, such as YouTube or TikTok, this can add up quickly. The FTC goes after smaller apps and publishers as well, as can be seen with the $150,000 payment by HyperBeard, a mobile games publisher based in Mexico, in settlement of a $4 million judgment.
As for GDPR-K, there are two tiers of penalties an app can pay, depending on the extent of the violation:
- Up to €10 million, or 2% annual global turnover – whichever is higher.
- Up to €20 million, or 4% annual global turnover – whichever is higher.
Breaches of Article 8 itself, like breaches of the Article 25 design obligations, fall in the first tier under Article 83(4)(a); the higher tier is reserved for breaches of the basic principles of processing, including the conditions for consent, and of data subjects’ rights. A children’s app that processes without a valid lawful basis can therefore still face the higher tier.
According to Article 25 of GDPR, you must implement “appropriate technical and organisational measures” and ensure data protection for your users “by design and by default.” This means not only taking technical precautions to prevent data breaches, but also collecting only the minimum data your app needs for its stated purpose, and keeping it no longer than necessary.
When it comes to doing your technological due diligence, OpenBack is the simplest and most effective way of sending push notifications while ensuring that you don’t fall afoul of privacy regulations. OpenBack’s data privacy mode is compliant by default with both COPPA and GDPR-K. Our patented hybrid mobile engagement platform processes user data directly on the device, without sending it to a third-party cloud processor. Because the data remains on the device and in the user’s possession, there is no off-device collection for a parent to consent to, which supports COPPA and GDPR-K compliance without obtaining parental consent.
To learn more about OpenBack’s innovative take on push notifications and in-app messages, get in touch with one of our experts.