How COPPA Affects App Developers

The app ecosystem is growing at a fantastic rate, and with that growth has come an increase in concerns for privacy – especially when it comes to kids. If you do a cursory search in any app marketplace, you’ll see an unprecedented amount of apps that are aimed towards children; “unprecedented” because more kids are connected to the online world now than at any other time in history, and that number is only predicted to go higher. However, while kids account for a healthy portion of the market’s growth, they don’t necessarily always look out for their best interests. Many apps are invasive, asking for more information than they need, and kids are especially vulnerable to this. That’s where COPPA comes in.

The story of COPPA

COPPA, an acronym that stands for Children’s Online Privacy Protection Act, is an ongoing bill pushed by the FTC to protect kids and their digital activities, whether that includes apps, websites, social networks, etc. This act was originally set forth in 1998 and hasn’t been updated until this year, so obviously there was some catch-up work to be done. The original COPPA wording didn’t anticipate the incredible growth of the app market, neither did it predict that third party companies would be actively taking advantage of information collected and shared from minors using apps and websites. Amendments to the act, which are set to go into effect July of 2013, basically strengthen privacy protections for kids, giving parents more control over what information is being collected and gathered.

COPPA makes it very clear what actually counts as kids’ personal identifying information, and also makes it more difficult for companies, websites, and app developers to track kids across the Web, across apps, and across devices.

Some companies (most notably, Facebook) aren’t too thrilled about the new renovations to COPPA. They argue that these changes could stifle new innovation and could possibly even infringe on free speech. However, the new COPPA amendments include much more protection in place for children, and make it easier than ever for companies to follow rules that will guard the privacy of minors while keeping business organizations on the right side of the law as well.

What COPPA means for developers

In order to figure out how COPPA will affect you as a developer, it’s imperative to see what amendments were added to this act. Some of the more sweeping changes include the following:

-          Apps and websites cannot collect photos, videos, or geo-location data from children under the age of 13 without parental consent.

-          Data cannot be shared with third parties unless the third parties are “capable of maintaining the confidentiality, security, and integrity of such information”

-          Certain tracking processes have to be approved via parental consent. This includes cookies and other information that can be used to track activities across websites, apps, and devices: usernames, IP addresses, and device IDs. However, this information can be used without parental permission if the data is used for internalized contextual advertisements.

-          Interactive features, like social networks, are not prohibited within apps unless these third party applications are caught collecting and sharing information illegally.

-          Parents are now able to provide companies with their consent via several different ways, including electronically scanned consent forms, videos, use of government IDs, and even payment systems, but all of these have to meet a certain level of criteria in order to qualify.

Many apps are actually in active violation of child privacy laws because they target ads to kids using their personal information gathered inappropriately or illegally. If the FTC discovers that an app is targeting kids without parental consent, developers could get in hot water. The market is still so new and growing so fast. Kids’ privacy policies have to be part of that growth, and developers need to ensure that they are staying on top of the latest in privacy developments.

Why all these changes now?

The FTC recently took a survey of 400 different apps residing on various app marketplaces, and tested them for basic child privacy violations. The results were shocking:

  • About 80 percent of apps don’t disclose privacy policies in the app or on a website.
  • 59 percent of apps transmit information from the device to the app developer or more often to a third party such as an ad network or analytics company.
  • 58 percent of apps contain advertising, but only 15 percent disclose that to app users.
  • 22 percent of apps reviewed have social media links with only 9 percent sharing that fact.
  • 17 percent allowed in-app purchases within their app - source

This survey, along with privacy watchdog organizations and consumer input, served as the major influencers behind changing COPPA and getting it current with the times:

“The majority of respondents in the survey (90%) expressed support for COPPA's basic requirement that online companies seeking to collect personal information from young children must first obtain permission from parents. In addition, the survey found significantly high levels of support for safeguards to protect children from many of the data collection and marketing practices that are frequently used to target them in today's digital media environment. “- source


How kids’ information is used in apps and online

Products geared towards kids are a billion dollar business. Apps and websites geared towards children actually use more tracking data than any other website:

“The (Wall Street) Journal examined 50 sites popular with U.S. teens and children to see what tracking tools they installed on a test computer. As a group, the sites placed 4,123 "cookies," "beacons" and other pieces of tracking technology. That is 30% more than were found in an analysis of the 50 most popular U.S. sites overall, which are generally aimed at adults.” - source


Do you know how much information is being collected from your child in that simple app or game they’re playing online? You might be surprised. Most websites and apps – including social networks and search engines – have some kind of policy somewhere that distinctly prohibits kids under the age of thirteen from using their services, not necessarily because of what’s on the website itself, but how that app or website collects and uses their data while they’re using it.

All websites and all apps gather up a truly astonishing amount of information about their users. This could include usernames, device IDs, and geo-location data, as well as addresses, home phone numbers, and lists of friends. This information isn’t necessarily damaging in and of itself, but when you take a user’s collated information across devices, apps, and websites, you can come up with a pretty extensive user profile that can then be used to serve up hyper-targeted ads, or figure out personal information that could be used against them (think credit history). COPPA makes it illegal to gather kids’ information, but frankly, it’s just too easy to get around, and with the advent of social networks, more information than ever is being freely distributed.

Most users – not just children – are way too laid back when it comes to sharing personal data via apps and websites. We figure that one bit here and one bit there isn’t going to do any harm. However, it’s the comprehensive overall collection of data across apps and websites and devices that can be potentially very intrusive that should really scare us. And this is even truer for children, who aren’t exactly known for common sense when it comes to giving up personal data.

Parents vs. developers?

While the broader COPPA protections are definitely useful, there are still loopholes. For example, while Facebook’s rules ostensibly prohibit kids under the age of 13 from creating an account, there are still many kids who have active accounts on the social network – and they won’t delete a profile simply because a parent has asked them to. App stores and app download platforms don’t have to do anything to make sure that apps for sale there are adhering to COPPA; however, that doesn’t mean that the FTC can’t necessarily go in there after apps that are distributed and violating child privacy laws. Most notably in recent times, a Sponge Bob app created by Nickolodeon was removed from the Apple Store after child privacy advocates made an official complaint that the app was collecting email addresses and other information without parental consent.

The bottom line is this: kids are going to figure out how to get around privacy protections, even when they’re there for their own good. It’s not up to the app store, the website, the app developer, or the FTC to make sure that kids are protected – although they all do definitely play a part. Ultimately, it’s up to the parents to make sure that their kids are making good choices when using apps. While broad protections such as COPPA are necessary, they can’t cover every scenario.

What do you think? If you’re a developer, how do you feel about the new privacy protections COPPA puts into play? How do you feel about apps and kids’ privacy – is it the parents’ ultimate responsibility, or should it be completely built in? Share with us in the comments section.







For more complete information about compiler optimizations, see our Optimization Notice.