The Children’s Online Privacy Protection Act (COPPA) was enacted in 1998 —a time before Facebook, Twitter, Wi-Fi and mobile apps, when only 14% of kids went on the internet, according to the US National Telecommunications & Information Administration. Fast-forward to 2013, when 25% of kids under three, 66% of eight-year-olds and 95% of kids ages 12 to 17 are online every day.
In an effort to remain relevant in a rapidly evolving digital industry and to protect children under 13, the US Federal Trade Commission has amended its COPPA rules—which came into effect on July 1—to include online services such as social networks, social-sharing plug-ins, mobile apps, online games and advertising networks. It has also expanded its definition of personal information to include photos, video and audio containing a child’s image or voice, screen names, geo-location information, third-party plug-ins and persistent identifiers like cookies, IP addresses and mobile device IDs that can recognize users over time and across websites and online services.
Of course, with increased regulation comes heightened risk of compliance issues for developers, which can be fined up to US$16,000 per violation. In fact, since 2000, there have been more than 20 FTC lawsuits and US$8.4 million in fines. While industry pundits and developers alike recognize the need for updated legislation, many on the app development side are finding it difficult to navigate through the COPPA 2.0 compliance landscape.
“The COPPA amendment presents a variety of challenges to developers and startups, ranging from the logistical to the technical,” says James Landau, marketing lead for San Francisco-based educational app developer MindSnacks. “COPPA creates especially tricky problems for developers of general audience apps, in particular those who place a premium on user experience and interface design. Asking users for their age—and then waiting for parental consent when the user is under 13—raises a host of design and engineering questions that each developer must solve in a way that fits organically into the architecture and aesthetic of their product.” Parental consent is a sticky issue, particularly in mobile, where it’s not easy to verify consent using the turnkey methods available in other online areas.
“In the digital space, we would sometimes collect parents’ email addresses, but in the mobile space, it’s not allowed as a way to start the consent mechanism because phone numbers aren’t accepted in the way that email addresses are,” says Linnette Attai, founder of New York-based youth media and marketing compliance consultancy PlayWell. “I haven’t seen anyone develop a great tool for parental consent out of an app and into the online space. Mobile developers are now changing the dynamics of their product rather than collecting parental consent.”
Indeed, when developing kid-targeted app Kids Vocab, MindSnacks put a lot of effort into becoming COPPA-compliant. “First and foremost, this app does not collect personally identifiable information, and because of that, we’re not required by COPPA to obtain parental permission—nor could we since we have no way of contacting either the parent or the child,” says Landau. “There are extremely rare-edge cases where a child plays one of our apps and then contacts us via our customer support channels. For those instances, we’re implementing a series of COPPA-compliant protocols that delete the child’s PII unless the parent provides permission.”
COPPA 2.0 also raises some interesting issues around data collection and the need for transparency and ethical boundaries when developing kids apps. Landau says it’s important to remember that data collection falls into two different categories—personally identifiable information that allows marketers to contact users with personalized content and offers, and engagement data that provides information about how users interact with an app.
“We gather information about how long and frequently users play certain games and how many words they master, which helps us improve both the quality of the user experience, as well as the efficacy of our educational games,” he says. “This information tends to be anonymized and can be collected, in the case of children’s apps, without the use of personally identifiable information.”
New York-based Cupcake Digital president Carmen Fernandez says data collection creates a complicated marketing challenge when it comes to determining the best way to distribute and market apps.
“There are a lot of engines out there, like STKs and pixels that can be embedded to collect data and make your marketing efforts more effective but are not COPPA-compliant,” she says. “The biggest challenge is working with third-party partners that respect and embrace COPPA and will not put us in a position to inadvertently collect information that we did not intend to collect, even though we are held accountable.”
From a transparency perspective, developers say apps need to provide the same level of product information that the rest of the kids industry does in order help parents make informed decisions.
“Just as a toy package on a shelf tells parents a little more about what they’re getting, the government is asking the mobile industry to act in the same way,” says Attai. “We need to consider that when it comes to cognitive abilities, kids are not little adults. They are incredibly tech-savvy when it comes to adopting new platforms, but that doesn’t mean they are equipped to handle it emotionally. We have a responsibility to protect [them] from the very marketing we are putting out, which is a balancing act.”