Last update: October 2021

4 mins to read - 2021/10/20

Data Privacy Health Checklist for Kids’ Apps

Launching a mobile app is a complicated process, with a lot of boxes to check to ensure you’ve done your due diligence in providing a flawless UX while remaining compliant with local privacy regulations. And this goes double for mobile apps targeting kids. While different countries – and even different states in the USA – have slightly different requirements on how to approach data privacy for youngsters, there are a few basic groundrules that qualify universally. Here is a basic data privacy checklist to gauge the health of your kids’ app.

Download our Data Security Whitepaper to learn more about OpenBack’s innovative approach to data tracking and privacy regulation compliance:

kids' app health

Does Your App Target Children?

First of all, you need to determine whether or not your app specifically targets children. For app users below a region’s digital age of consent, you will need to obtain permission from their parents or guardians before you can transfer personal data (and this includes a push token!) off of the device. If you live in the United States, COPPA designates the digital age of consent to be 13. In the EU, GDPR-K designates the official age of consent to be 16, although individual countries may have lower age thresholds.

An app needs to be very careful about what type of content it creates, if it intends to have a dual audience. For example, many mobile games may appeal to both children and adult users. However, if it’s overtly geared towards children with cute cartoon characters, bright colors, child celebrities, characters from children’s TV shows, etc., your app will need to fall in line with children’s regulation guidelines.

Parental Consent vs. Data Privacy by Design

Once you have determined that your app targets children, you can go one of two routes with regards to processing data. First, assuming you will be using a conventional, cloud-computing based method of data processing, you will need to obtain permission from the parents of all users younger than 13. Different apps use various methods of obtaining verifiable parental consent, the most effective involving sending an activation code to a parent’s email address. And even then, you will have to do your utmost to ensure that data is protected. The FTC advises the following tactics:

  • Nominate someone to be responsible for security
  • Audit and inventory the data you collect and store
  • Acknowledge the differences between platforms
  • Add security features that support built-in platform security
  • Never store passwords in plaintext
  • Use encryption
  • Protect your servers

The other path you could take is to do all data processing device-side. This eliminates all security liabilities before they are a problem, and as such enables your app to be fully COPPA and GDPR-K compliant having to request parental consent. In addition to privacy compliance, there are various other benefits to device-side data processing. But we’ll return to this idea of device-side data processing farther down.

Privacy Policy Checklist

No matter which route you end up using to process data – parental consent or device-side – you will need to include a privacy policy with a special clause geared at kids apps. (This is a requirement for all apps on the iOS App Store, and most apps on the Google Play Store.)

To comply with both COPPA and GDPR, your privacy policy will need to be clearly worded and located in an easy-to-find page of your website.

It’s advisable to have a legal professional look over your privacy policy for you. But as you compose your first draft, here is a basic privacy policy checklist of points you need to address:

  • What personal data does your app collect?
  • How will that data be used?
  • Will the data be disclosed to 3rd parties?

A kids’ app will have to include this information in its privacy policy, as well as the following points:

  • What rights a parent has with regards to viewing, accessing, and requesting deletion of their child’s data
  • Procedural notices

All apps are then required to link to their privacy policy in the metadata section of their App Store or Google Play Store page.

App Store Requirements for Kids’ Apps

Once you have ascertained that your app is compliant with whatever regional privacy regulations it falls under, there are also requirements for listing your app in the App Store. Overall, Apple tends to be more on the ball when it comes to privacy and transparency than its Android counterpart. (A shocking 1 in 5 kids’ apps on Google Play were found to violate COPPA!)

In order to be able to list your app is the App Store’s “Kids” category, you must abide by the following restrictions:

  • Keep any deep links and purchases behind a parental gate
  • Comply with regional data privacy regulations
  • Not send personally identifiable or device data to 3rd parties
  • Not use 3rd-party analytics or advertising

In some cases, 3rd-party analytics can be permissible, as long as the IDFA or any other identifiable information isn’t transmitted off the device. Likewise, in some cases, 3rd-party advertising is allowed, so long as it’s contextual with the app content and has been reviewed for age appropriateness.

Device-Side Data Processing = Privacy By Design

When it comes to data-privacy restrictions, and asking parental consent, all of that can by bypassed – while staying fully COPPA and GDPR compliant – by processing user data at its source. OpenBack’s hybrid mobile engagement platform uses machine learning and mobile edge computing to process all user data directly on the device. This means that user data never has to be transported to a 3rd-party cloud server for processing.

This next-gen, streamlined way of personalizing push notifications means you don’t have to go throw the unwieldy process of sending a user’s push token to Apple’s APNS or Google’s Firebase for processing. This means you cut out all the security risk of sending user data to a centralized server, and consequently you don’t need to ask for parental consent. (Unless you intend to send data to 3rd parties for other purposes than sending notifications.) But there are other benefits as well: device-side processing means your notifications will deliver reliably and in real-time, meaning mobile marketers have full control over scheduling their messages for the perfect moment. What’s more, the OpenBack SDK provides full metrics tracking, so you can optimize push campaigns for increased return on your push notifications.

To learn more, get in touch with one of our experts, and we’ll give you a free demo.

Leave a Reply

Your email address will not be published.

one × 4 =

Download our Mobile Marketing Playbook to perfect your user engagement game!


Translate »