Last update: May 2021

5 mins to read - 2021/05/07

Are We Coming Up to a Watershed Moment for Children’s Data Privacy?

In 2020, every human on the planet generated an average of 1.7 MB of data per second. Experts have projected that number to become 463 exabytes of data per person per day by 2025. And as we create these data trails, the big data industry has become more and more invasive in the ways they monetize our personal information (PII). Their practices in collecting and processing children’s data are especially worrisome, with cases of corporations violating COPPA and GDPR-K making headlines on a daily basis. But as device users become more aware of the value of their data – and discerning about who has access to it – tech companies are taking note. Apple has already released its iOS 14.5, which introduces their new App Tracking Transparency feature. And Microsoft has launched their Edge Kids Mode, a web browser that provides a safer internet experience for kids. Is children’s data privacy headed for a watershed moment?


What Local Regulations Specifically Cover Children’s Data Privacy?

Different countries have different approaches to protecting children’s data privacy. But the two main ones are COPPA in the United States and GDPR-K in Europe. Overall, they seek to accomplish the same thing: protecting kids’ data from unethical use by third parties. But they are slightly different in some aspects.


COPPA, which is short for Children’s Online Privacy Protection Act, was passed by Congress in 1998. It applies to any internet or mobile website or application used by children younger than 13. Among other stipulations, organizations to which COPPA applies must:

  • Have a clearly stated privacy policy on their website
  • Gain parental consent before collecting data from children, and not share that data with third parties
  • Delete all data of minor users if requested to do so by the parents

Obviously, since COPPA couldn’t possibly have foreseen the sheer scope of the personal data that devices would collect by 2021, the FTC has updated the regulation many times since then.



GDPR-K – or Article 8 of GDPR – is slightly different. For one thing, its scope covers all children younger than 16 years old in the EU. It is illegal to process the data for these users without parental consent, with the onus on the app or website to “make reasonable efforts” to verify that the consent did in fact come from that child’s parent or guardian.

Interestingly, Article 8 provides that

“Member States [of the EU] may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.”

Fines for GDPR-K violations are either 4% of turnover, or 20 million euros, and it opens the door for private lawsuits, as for COPPA violations in the United States.

The Great Paradigm Shift When It Comes to Data Processing

It’s starting to look like there’s a reckoning coming for digital products that have been illicitly processing children’s data. Behemoth corporations like Facebook and TikTok are multiple-time offenders. TikTok has repeatedly failed to adhere to promises to change following legal action, and Facebook’s latest in a long line of children’s data privacy violations has been allowing targeted ads to minors for gambling, smoking, and weight-loss products.

In April 2021, Disney faced a lawsuit for including data-tracking software in their children’s apps without parents’ knowledge. Ultimately, Disney agreed to remove the software that enables targeted ads from its children’s apps. Because this changes the very business model of app monetization, data privacy advocates are hoping it will usher in a change in how children’s data is handled in the industry as a whole.

In some ways, the digital advertising industry has already moved away from its flawed, invasive business model with the iOS 14.5 upgrade, as mentioned above. This means apps will have to gain users’ consent before tracking them for the purpose of sending targeted ads.


How Can You Make Your App COPPA and GDPR-K Compliant?

How do you know if your app falls under COPPA’s or GDPR-K’s purview? For some apps – for example, mobile games like Angry Birds that can appeal to adults as well as kids – it can be tricky to gauge what side of the line you fall on.

Essentially, any mobile app with a mixed audience – even those ostensibly targeted at adults – needs to comply with COPPA or GDPR-K, or else risk hefty fines and other censure. So you will need to ensure that you’re dealing with the data of your minor users privately and ethically. This means removing behavioral ad targeting, which may be a heavy blow, as that’s a key pillar of the app monetization industry. You will need to audit your adtech providers. You will also have to remove social media plugins, which tend to be danger areas for privacy breaches for children.

Crucially, you will also have to make sure that your privacy policy is up to code, written in clear, understandable language, and easily accessible on your website for parents to read over.

How Does OpenBack Ensure That Your App Remains COPPA and GDPR-K Compliant?

The FTC has stated that a push token qualifies as personal data. So even if you check all the boxes in the previous section, if you’re sending push notifications through a third-party platform, that opens you up again to data breaches.

However, OpenBack does things differently from our competitors. Because of our patented hybrid platform that uses mobile edge computing, our default privacy-compliant mode means all user data is processed directly on the device. Instead of sending push tokens to a cloud server for processing, data remains on the device and in the user’s possession. It is only used internally, to customize the content and timing of push notifications. It never has to be sent to third parties.

With kids growing up on devices, more parameters are in place to keep them safe and their personal data secure. Integrating OpenBack to deliver push notifications is an important step towards getting your mobile app compliant with COPPA, GDPR-K, and other regional data privacy regulations.

Get in touch with one of our experts for a demo of our platform, or to learn more about our privacy compliance features.
