Developers making apps for children under 13 continue to explore how best to comply with the new COPPA rule while still remaining at the forefront of innovation. We at ACT have been receiving all sorts of questions from developers about various aspects of the new rules. More often than not, developers are asking, “Can I use analytics or other third party services? If so, what service?”
Although analytics and many other third-party services can fit within the "internal operations" exception in the new COPPA rule, that exception is not blanket protection for developers. A third-party service provider has to meet specific requirements before its product can be used in a COPPA-compliant way. If your chosen provider does not meet them, you need to find another provider that offers a compliant version. This may be a challenging task until more companies implement better safeguards for data collected from those under 13.
As you begin identifying third-party COPPA-compliant services to include in your apps, we’ve put together some tips to help you make informed decisions about which partners to choose.
Am I really liable for everything in my app?
Yes, the FTC has outlined a strict liability standard for apps: If you use any third-party services, you are liable for the information they collect and what they do with it.
When you include a third-party SDK, API, or service in your app, it is essential that you know exactly how that partner treats the information it receives through your app. For example: Does it collect any personally identifiable information? What does it do with that information once it has it? Does it store it? Does it sell it? Does it combine it with the rest of its data to do research or build profiles?
I chose my third party partners years ago and everything seemed fine. Can I just forget about it?
What is PII?
PII is personally identifiable information (the rule itself calls it "personal information"). Under COPPA, you and your partners may not collect the following data from a child younger than 13 without verifiable parental consent:
- A first and last name;
- A home or other physical address including street name and name of city or town;
- Online contact information such as email address or any other substantially similar identifier that permits direct contact with a person online;
- A screen or user name where it functions in the same manner as online contact information;
- A telephone number;
- A social security number;
- A persistent identifier that can be used to recognize a user over time and across different websites or online services. The persistent identifier includes, but is not limited to, a customer number held in a cookie, an IP address, a processor or device serial number, or unique device identifier;
- A photo, video, or audio file that contains a child's image or voice;
- Geolocation information sufficient to identify a street name and the name of a city or town.
How do I get crash reports and maintain the integrity of my app without things like persistent identifiers?
The FTC allows the collection of a persistent identifier (as defined above), and no other personal information, without parental consent when it is used solely to support the internal operations of the app. You may not use that identifier for any other purpose. Supporting the internal operations of the app means those activities necessary to:
- Maintain or analyze the functioning of the app
- Perform network communications
- Authenticate users of, or personalize the content on, the app
- Serve contextual advertising on the app or cap the frequency of advertising
- Protect the security or integrity of the user or app
- Ensure legal compliance
- Fulfill a request of a child
Again, a persistent identifier collected under this exception may be used only for the purposes listed above. In particular, it may not be used to contact a specific individual (including through behavioral advertising), to amass a profile on a specific individual, or for any other purpose.
How do I determine which 3rd party services I can use to support my app?
So, if there's a risk that my third-party partner does anything with the data besides serve one of the "internal operations" purposes listed above, I need to get parental consent?
Yes, you need to obtain verifiable parental consent. The word "verifiable" is very important here and has a specific meaning: the FTC outlines several acceptable methods for obtaining parental consent in FAQ #60. The FTC is also encouraging innovation in this space and accepting proposals for approval of new methods of obtaining verifiable parental consent. We'll cover this and other possible opportunities for innovation around COPPA in an upcoming blog post.
There are other third-party providers that have indicated their product may be used in a COPPA-compliant manner. Once we hear from them, we will update this post. If you are working with an unlisted provider, contact the company to ask whether its service may be used in a COPPA-compliant manner.
Will there ever be concrete answers on this topic?
We hope so! Follow us on Twitter and be sure to sign up for our mailing list for updates on third-party partners and other topics.