Last update: June 2021

5 mins to read - 2021/06/21

The Brave New World of Data Privacy Laws for Kids Apps

As the digital world becomes more and more intertwined with the analogue world – and as more of our devices and gadgets become “smart” – we seem to be constantly coming to terms with renewed definitions of what qualifies as personal data. And as our phones, our watches, even our refridgerators are tracking our step count, our heart rate, our likes and dislikes, and our behaviors in real-time, data privacy laws drafted in the 1990s, such as HIPAA and COPPA, strike us as quaint and naive in comparison.

Every day, we create 1.145 trillion MB of data globally, and there is an enormous amount of potential in that data. In the ideal world, developers could leverage and analyze that data as a means of improving UX of applications – both on smartphones and other devices. However, it’s becoming more and more common to hear news about tech companies being fined by the FTC or other regulatory bodies for illegal or unethical use of user data. (TikTok in particular is a repeat offender.) As regulatory bodies struggle to keep up with all the different ways tech companies are innovating methods of exploiting user data, software companies – such as Apple and Google – are attempting to put control of their data back into the users’ hands. Amid all these watersheds and clashes of titans, where do children’s apps belong? How can they stay compliant with local regulations, and what responsibility do they have towards users?

Download our Data Security Whitepaper to learn more about OpenBack’s innovative approach to data privacy:

data privacy security laws

The World of Data Privacy, from Apple to TikTok

The data privacy world has been all abuzz with news of Apple’s changes to the way its iOS devices approach the tracking and handling of user data. First, as of January 2021, Apple implemented their requirement that apps obtain user consent before tracking their IDFA. This means that users receive an upfront OS  notification requesting them to either opt-in or opt-out of having their behavior tracked by each app they install on their device. While many mobile marketers have decried this as the end of targeted advertising to app users, others have applauded it as a step in the right direction.

New developments underway for the iOS 15, as announced at Apple’s WWDC 2021 conference, will offer more customizable options for the Focus Mode. Essentially, users will have more control over which apps they do and don’t hear from, and at what times. Apple’s aim seems to be to reinforce boundaries between users’ personal lives and their apps monetization tactics.

On the other end of that spectrum, in the Wild West of the mobile app industry, you have big tech multinationals, like TikTok and YouTube. They seem to be constantly making headlines for egregious violations of COPPA. TikTok in particular – an app targeted primarily at a younger demographic of users – is infamous for dodgy dealings with the information of its kid users, including illegally holding the data of users younger than 13, and most recently updating its privacy policy to hint at future collection of new types of biometric data, such as “faceprints and voiceprints.”

Assuming you’re just a run of the mill mobile app, somewhere between these two tech giants, the ever-changing world of data privacy and liability can be daunting.

What Data Privacy Laws Do Kids’ Apps Need to Know?

For children’s apps, the main two data privacy regulations are COPPA and GDPR-K. Depending on where your app and its users are based, you may have to make sure your kid’s app is compliant to one or both of these. The Children’s Online Privacy Protection Act (COPPA) of 1998, pertains to any smart device that collects information from children younger than 13. This information can include the child’s name, address, phone number, contact information, social security number, photograph/video/audio file, geolocation, or any online information tracked and combined with an identifier. To comply with COPPA, any website or application that collects this information must:

  • provide a clear privacy policy in an easy to locate place on their website
  • obtain prior consent from minor users’ parents to track their data
  • give parents the option to have their children’s data deleted at any time and stop future data collection
  • only collect what data is necessary for the purpose of the online activity, and delete it once it has served its purpose

Of course, in recent years, technology and our relationship with it has evolved at mind-boggling speeds. To keep up, the FTC has had to update COPPA considerably, to clarify to apps and websites what is and isn’t compliant behavior.

girl with braids on phone


Apps based in the EU fall under the purview of Article 8 of GDPR – commonly known as GDPR-K. It serves a similar purpose to COPPA, but with a few notable differences. First, GDPR-K considers a “minor” to be any user younger than 16. (Although they let individual EU countries determine what age to set Article 8 restrictions on, provided they aren’t younger than 13.) For this cohort of users, their parent or guardian must consent to apps collecting their personal data.

Interestingly, the regulation also states that it is the responsibility of the app or website to “make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child.” Apps often find the vagueness of the term “reasonable” troublesome, as it leaves them questioning to what extent they must go to obtain parental consent.

A similar grey area in terms of COPPA’s wording has also proved confusing for certain websites and content creators with a mixed audience – for example, should a YouTuber who reviews videogames for an adult audience fall under COPPA? Should a mobile game with a wide appeal across many age demographics fall under COPPA? While some of the FTC’s updates address these uncertainties, complete compliance remains a minefield for many apps and websites.

Ensure You’re on the Right Side of Data Privacy Laws With OpenBack

OpenBack’s novel approach to push notifications uses mobile edge computing and device-side data. Our default mode, which you can select on our dashboard when setting up your push campaigns, is compliant with COPPA, GDPR, HIPAA, and all other local regional data privacy laws. By leveraging all user data directly on the device, we accomplish two things:

  • Bypass the need to send user data to 3rd-party cloud servers (Firebase for Android, APNS for iOS)
  • Ensure that user retain full ownership over their data

This makes OpenBack the ideal mobile engagement platform for children’s apps and games… or really any app whose user base is made up of minors. Our device-side data leveraging also has diverse benefits in addition to its data privacy compliance. Among these are our guaranteed reliable delivery of notifications, our extensive insights on metrics and measurements of your push campaigns, and much more.

To learn more about how OpenBack can help your app optimize its push notification game, while remaining responsible towards its users and regulation compliant, get in touch with one of our experts.

Leave a Reply

Your email address will not be published.

two × two =

Download our Mobile Marketing Playbook to perfect your user engagement game!


Translate »