Read This Before Developing a Kid's Mobile App
Are you considering launching a mobile application, game, or smart toy? This can be a great way to extend your company's brand and capitalize on the emerging connected play market, which is set to triple over the next 5 years. However, before you begin, make sure you understand the privacy protection laws that apply when engaging with children. This article is a good place to start, and if you don't want to tackle compliance with these laws alone, know that you can leverage the playPORTAL platform for instant privacy compliance for your app.
Child privacy laws in the United States
The Children’s Online Privacy Protection Act (COPPA) applies to any commercial website or online service that collects personal information from children under 13 years old. Collecting personal information from a child under 13 without prior parental approval is a COPPA violation and will result in a penalty of over $40,000 per individual violation.
In 2014, Yelp paid a $450,000 fine and in 2018, VTech paid a $650,000 fine to the FTC for improper collection of children’s information without explicit parental consent.
Do You Need To Comply?
COPPA applies to any commercial website or online service directed to children under 13, and it also applies to any general audience website that knowingly collects personal information from children.
The FTC determines whether your website is directed to children based on subject matter, visual or audio content, the age of models used, language, the use of animated characters or child-oriented features. If your app looks like a kid might want to play it or use it, you should abide by COPPA rules to avoid violations.
What is Personally Identifiable Information (PII)?
Personally identifiable information (PII) can be as little as a persistent identifier used to send a push notification, a child's voice recording, or even a child’s username. COPPA classifies a wide range of data as PII. See below for a list.
- First and last name;
- A home or other physical address including street name and name of a city or town;
- Online contact information;
- A screen or user name that functions as online contact information;
- A telephone number;
- A social security number;
- A persistent identifier that can be used to recognize a user over time and across different websites or online services;
- A photograph, video, or audio file, where such file contains a child’s image or voice;
- Geolocation information sufficient to identify street name and name of a city or town; or
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.
Verifiable parental consent must be obtained before any of the above personal information can be collected. Even publishing a child's username to a public leaderboard with their high score can be a violation of COPPA.
How do I obtain verifiable parental consent?
COPPA allows a few methods for obtaining verifiable parental consent. You will need to provide the parent with "Direct Notice" before obtaining their consent.
- Providing a consent form to be signed by the parent and returned via U.S. mail, fax, or electronic scan (the “print-and-send” method);
- Requiring the parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
- Having the parent call a toll-free telephone number staffed by trained personnel, or having the parent connect to trained personnel via video-conference; or
- Verifying a parent’s identity by checking a form of government-issued identification against databases of such information, provided that you promptly delete the parent’s identification after completing the verification.
Can Kids Log In To Your App?
Assuming you want to engage kids with 21st century features like push notifications, you will definitely need to collect PII from your child users, and therefore you will need to obtain verifiable parental consent before letting a child log in.
To allow a child to create an account in your app, the only information that can legally be collected from them is their parent's email address. This means you will have to send their parent an email, serve them a direct notice, get them to complete one of the above steps to provide verifiable parental consent for all the data you are collecting, storing and sharing on their child, and then have them create their child's username and password so the child can log in.
No Outside Links!!
Applications for children under the age of 13 cannot contain outside links. This may be, for example, a link to your website from the app. You need to make sure all of these outside links are removed for kids or age-gated (see examples here) to ensure only an adult.
User Data Must Be Secure
This should come as no surprise, but if you choose to collect data on kids in your app, you must ensure that the data is secured and that any third parties processing the data know that they are handling children's data and are protecting it with proper safeguards.
It is highly recommended that you hire independent security auditors and perform penetration tests on your servers and app to ensure your user data is being kept safe.
Data Must Be Able To Be Deleted
Parents have the right to revoke their consent at any time. Upon their request, you must be able to permanently delete their child's data from your servers and app.
Dynepic is here to help!
Does engaging kids in your apps sound like too much trouble? Well, we are here to help, and our playPORTAL platform makes it fast and easy to comply.
Dynepic's playPORTAL Studio has everything needed for companies to quickly deploy connected applications and smart toys with instant COPPA Compliance. Since the playPORTAL Studio tools are powered by the playPORTAL family network, your app even gets to leverage the playPORTAL parent dashboard and its verifiable parental consent for instant COPPA Compliance. Learn more here.
Have questions or want help developing your first app? Feel free to contact us.
Launched in 2014, Dynepic, Inc. is the creator of playPORTAL, a secure platform that makes developing child privacy-certified apps fast and easy. With cross-platform Software Development Kits (SDKs) backed by a first-ever kid-safe family network, developers can now create apps with instant Children’s Online Privacy Protection Act (COPPA) compliance allowing game-developers, app-developers and toy-makers to focus on making amazing personalized and social connected products that include kids, while playPORTAL handles the data security and privacy compliance. playPORTAL is architected with Dynepic’s portable profile cloud data vault technology, ensuring users are in complete control of any personal information on the platform.