The year 2019 was a time of reckoning for the industry of children’s apps. In February, ByteDance, the parent company of TikTok, was hit with a $5.7 million fine from the Federal Trade Commission (FTC) for illegally collecting names, email addresses, pictures, and the geographic locations of children under 13 in violation of the Children’s Online Privacy Protection Act (COPPA).
The TikTok fine set a new record, but that was soon broken in September when Google was fined $170 million for violating the same privacy law via its YouTube platform.
As a result, the country’s two largest app marketplaces—Apple’s App Store and Google Play store—have imposed new guidelines on developers meant to protect the privacy of children. Apple’s regulations have been of considerable concern to developers as they significantly limit the use of external analytics software and advertising networks.
App developers are now trying to figure out how to comply with these guidelines while also maintaining their ad-driven business models. We’re going to take some time to dig into the new rules of the app platforms, and discuss how to stay compliant with these regulations.
It starts with COPPA
Apple and Google’s new rules were created to keep them and any developers selling through their marketplaces in compliance with the Children’s Online Privacy Protection Act (COPPA).
Enforced by the FTC, COPPA was signed into law in 2000, and was most recently updated in 2013. Broadly explained, COPPA requires websites and online services that are directed at children to:
- Post clear privacy policies around data collection practices for children under the age of 13.
- Obtain verifiable parental consent prior to data collection, and provide a means for the parent or guardian to review data that is collected.
- Take reasonable data governance measures to protect the security and integrity of a child’s personal information, and share it only with parties that can do the same.
Who is subject to COPPA?
- Operators of online services explicitly directed and marketed to children under 13.
- Operators with a general audience who know that children are likely to use their app or service (e.g., online gaming platforms).
- Operators that are collecting information from another service that is directed at children (e.g., plug-ins, advertising networks, location services).
What is personally identifying information (PII) under COPPA?
- Individually identifying information: first and last name, physical address, online contact information (email), screen name or user name, phone, Social Security Number, photo/video/audio of child, geolocation.
- Persistent identifiers that can recognize a user over time using cookies: IP address, device ID.
Why are app marketplaces getting serious now?
Before its record YouTube fine, Google had already been subject to a November 2018 FTC complaint jointly filed by 22 public health and consumer groups. The coalition contended that Google was not taking PII data security seriously and featured supposedly kid-friendly apps in the Google Play store that were in obvious violation of federal law.
They specifically pointed out that many of the apps were engaging in the following:
- Enabling geolocation services without notice.
- Sending personal information to ad networks that explicitly state that their services should not be used with children’s apps.
- Pressuring children into making in-app purchases.
- Serving “adult” ads for alcohol and gambling.
- Enabling device identifiers without explaining the purpose.
To be clear, app developers have always been subject to COPPA, but app marketplaces have been slow to keep up with monitoring the business practices of kids’ apps. The FTC does not have the resources to go after each developer, so it has chosen to go after marketplaces and push them to create standards for compliance.
Google’s New Guidelines
Google’s new guidelines were published in May 2019 and are a direct response to the previously mentioned FTC complaint.
In the Google Play console, all developers must now complete a “target audience and content” section where they will have to specify the demographics of their app’s target audience.
Google will then check the validity of these statements by reviewing an app’s marketing materials.
In addition, children’s apps with ads can only serve ads from networks that have been certified to be compliant with Google’s Designed for Families program.
Apple’s New Guidelines
Apple’s new guidelines for children’s apps set off alarm bells when they were first announced in June 2019. The App Store Review Guidelines effectively banned all children’s apps from using any third-party analytics or advertising platforms. They also banned any transmission of children’s PII to third parties. This would have effectively killed the business model of many ad-supported apps. Many developers were very vocal about how these rule changes would devastate their businesses.
In September, however, the company softened its stance. The updated guidelines state that by March 3, 2020, all children’s apps in the Apple App Store will need to adhere to the following:
- Third-party analytics tools may be used if no child’s PII or device information is transmitted to another party.
- Developers may serve contextual ads from third-party platforms if the ad serving platforms have publicly documented practices and have human reviews of ads.
- Developers should not use phrases like “for kids,” or “for children,” in app metadata for any app that is outside of the kids category.
What does this mean for my business?
Even with a softened stance, Apple’s new guidelines do present a challenge for some mobile app developers. Apple and Google’s requirement that developers only use pre-approved ad serving platforms may in the short run limit the services that developers have available to them. Restrictions on analytics tools may make it harder for developers to learn about their audience and create innovative and relevant products for them.
Some fear that this is the end of the free ad-supported model of children’s apps. But even the most ardent data privacy advocates would probably not want to go to that extreme, as it’s not only detrimental for developers, but also for children and their parents.
While this is new and unfamiliar territory for developers, these standards are not impossible to meet. There are great private deployment options that allow you to maintain control of your data flow and have total governance over what gets outsourced.
If you’re looking for compliant PII data integration as an alternative to third-party data infrastructure, we should talk. Reach out to us anytime at firstname.lastname@example.org.