App Developers and COPPA: A Review of the FTC’s Six Step Compliance Plan
Richard Harris, Mobile Guidelines, Wednesday, August 7, 2013
On July 1, 2013, the FTC's amended Children's Online Privacy Protection Rule (COPPA) went into effect, changing the landscape for app developers whose apps have users under 13.
The FTC stance seems to be that they will rigorously enforce the act, which means that app developers with users in the US need to ensure they are in compliance, if COPPA applies to their app.
In the August 2013 issue of App Developer Magazine, attorney Adam Grant, a partner with Alpert, Barr & Grant, provides an overview of COPPA and how it impacts app developers. The article is available here: https://appdevelopermagazine.com/magazine/Aug13.
In the article Adam refers to a step-by-step guide titled "Children's Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business," which was created by the FTC to help developers comply with COPPA.
Included here is a review of the steps and our thoughts as app developers on the guidelines.
Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13
This section provides instructions on how to decide if COPPA applies to your app and associated website. This one sentence actually encompasses a number of complicated topics briefly discussed here.
Online Service – We know what a website is but what about an “Online Service”? This term can represent a number of different things and is defined in the guide as, “mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads); internet-enabled gaming platforms; plug-ins; advertising networks; internet-enabled location-based services; voice-over internet protocol services.”
Directed to children under 13 – This is the big elephant in the room because its definition lies at the heart of the regulation. Unfortunately, it is not something that can be specifically and definitively defined. The FTC guideline provides these instructions, "The FTC looks at a variety of factors to see if a site or service is directed to children under 13, including the subject matter of the site or service, visual and audio content, the use of animated characters or other child-oriented activities and incentives, the age of models, the presence of child celebrities or celebrities who appeal to kids, ads on the site or service that are directed to children, and other reliable evidence about the age of the actual or intended audience." These factors are an entire article in themselves and one we will delve into at a later date.
Personal information – There is little ambiguity here; the FTC provides specific definitions. Personal information is defined as, "full name; home or other physical address, including street name and city or town; online contact information like an email address or other identifier that permits someone to contact a person directly — for example, an IM identifier, VoIP identifier, or video chat identifier; screen name or user name where it functions as online contact information; telephone number; Social Security number; a persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier; a photo, video, or audio file containing a child's image or voice; geolocation information sufficient to identify a street name and city or town; or other information about the child or parent that is collected from the child and is combined with one of these identifiers."
Collect – The guide instructs that under COPPA, you are collecting information if you, “request, prompt, or encourage the submission of information, even if it’s optional; let information be made publicly available (for example, with an open chat or posting function) unless you take reasonable measures to delete all or virtually all personal information before postings are public and delete all information from your records; or passively track a child online.”
Additionally, you are responsible for information collected by any partners or service providers, from ad networks to other services. The guide puts it this way: "If another company collects personal information through your child-directed site or service — through an ad network or plug-in, for example — you're responsible for complying with COPPA. If you have actual knowledge that you're collecting personal information directly from users of a child-directed site or service, you're responsible for complying with COPPA, too."
Step 2: Post a Privacy Policy that Complies with COPPA
You must post a "clear and prominent" link to your privacy policy on your homepage and anywhere you or a third party collects personal information.
The policy must be “clear and easy to read” and must include the following, “a list of all operators collecting personal information; a description of the personal information collected and how it’s used; and a description of parental rights.”
Step 3: Notify Parents Directly Before Collecting Personal Information from Their Kids
In my opinion, this step is wide open to interpretation on how it is implemented, especially the question “how are you actually going to notify parents directly?”
And if you make any “material change to the practices parents previously agreed to” then you have to directly send parents an updated notice on the changes.
Step 4: Get Parents’ Verifiable Consent Before Collecting Information from Their Kids
In describing this step, the Compliance Plan instructions say, "COPPA leaves it up to you…" but do give examples of acceptable methods to collect consent, including, "sign a consent form and send it back to you via fax, mail, or electronic scan; use a credit card, debit card, or other online payment system that provides notification of each separate transaction to the account holder; call a toll-free number staffed by trained personnel; connect to trained personnel via a video conference; or provide a copy of a form of government issued ID that you check against a database, as long as you delete the identification from your records when you finish the verification process."
In this step the FTC instructions go on to explain, “If you will use a child’s personal information only for internal purposes and won’t disclose it, you may use a method known as ‘email plus.’ Under that method, send an email to the parent and have them respond with their consent. Then you must send a confirmation to the parent via email, letter, or phone call. If you use email plus, you must let the parent know they can revoke their consent anytime.”
As you read this you might be saying, "wow, none of that is simple and easily automated…" One of the overwhelming benefits of being an app developer and using the associated app markets is automation, which is the beauty of having an app in the market. How to obtain verifiable consent in a way that fits your individual business model and resources is a conundrum well beyond the scope of this article, and one you will have to work out for yourself.
Step 5: Honor Parents’ Ongoing Rights with Respect to Information Collected from Their Kids
Step 5 discusses how to approach a parent's "Ongoing Rights" and the obligations this responsibility entails. The intent seems to be to ensure that there is a mechanism in place to keep a communication channel open with parents.
This section instructs, “If a parent asks, you must: give them a way to review the personal information collected from their child; give them a way to revoke their consent and refuse the further use or collection of personal information from their child; and delete their child’s personal information.”
Instructions in Step 5 also include the steps to be taken to make sure that communications are with the actual parent and “the method you use to give parents access to information collected from their kids isn’t unduly burdensome on the parent…”
Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information
This is a short section but is a really big deal.
This entire paragraph represents the advice given in this section: “COPPA requires you to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. Minimize what you collect in the first place. Take reasonable steps to release personal information only to service providers and third parties capable of maintaining its confidentiality, security, and integrity. Get assurances they’ll live up to those responsibilities. Hold on to personal information only as long as is reasonably necessary for the purpose for which it was collected. Securely dispose of it once you no longer have a legitimate reason for retaining it.”
So the who, what, where, how, when and why of how you actually protect the personal information of children under 13 is wide open – it must be "reasonable." What is reasonable? My advice is to have a well-written, comprehensive plan in place that is available to everyone in your organization, to keep on file the COPPA-related practices of any third parties you share data with, and to make sure the system works well in practice and is checked constantly. If the FTC comes calling, you want to be bulletproof in showing that you followed the law.
The entire Six-Step Compliance Plan is available at http://www.business.ftc.gov/documents/bus84-childrens-online-privacy-protection-rule-six-step-compliance-plan-your-business. The site also provides links to other resources to help companies determine the best way for compliance.
Getting Serious About COPPA
If you are affected by COPPA, you need to take how you approach the rule seriously and make sure that you are following the law. If you'd like to tell us how you approached complying with COPPA, please email us.