We’ve posted about the update to Apple’s App Review Guidelines, which mainly brought some big changes for developers who create apps directed to children aged 13 years and younger. These changes are due to the fact that COPPA (the Children’s Online Privacy Protection Act, dating back to 1998) has been out in a revised version since July 2013.
This post highlights some of the things you need to think about when you want to add your app to Apple’s App Store: a) Apple’s App Store Review Guidelines, b) COPPA in general, c) what counts as personal information, and d) iubenda’s help.
- App developers in particular may enjoy this very comprehensive guide on how to get onto the path to COPPA compliance.
I’d like to stress that iubenda is doing everything possible or reasonable to help developers and designers like you become compliant with privacy regulations, but using iubenda is not always enough to cover what you have to do, or sometimes not do. This applies to your apps and COPPA.
Apple App Store and COPPA
As reported, Apple has updated their terms for their App Store admission and added the following regarding children under 13 years of age:
17.3 Apps may ask for date of birth (or use other age-gating mechanisms) only for the purpose of complying with applicable children’s privacy statutes, but must include some useful functionality or entertainment value regardless of the user’s age
17.4 Apps that collect, transmit, or have the capability to share personal information (e.g. name, address, email, location, photos, videos, drawings, persistent identifiers, the ability to chat, or other personal data) from a minor must comply with applicable children’s privacy statutes.
24.1. Apps primarily intended for use by kids under 13 must include a privacy policy.
24.2. Apps primarily intended for use by kids under 13 may not include behavioral advertising (e.g. the advertiser may not serve ads based on the user’s activity within the App), and any contextual ads presented in the App must be appropriate for kids.
24.3. Apps primarily intended for use by kids under 13 must get parental permission or use a parental gate before allowing the user to link out of the app or engage in commerce.
24.4. Apps in the Kids Category must be made specifically for kids ages 5 and under, ages 6-8, or ages 9-11.
24.1 means that you need to include a privacy policy at all costs when you develop your app primarily for children under the age of 13, regardless of whether you actually collect personal data from these children.
Notice how Apple wants you to pick the age range? Make sure you follow all of Apple’s and COPPA’s requirements.
What else are you supposed to do or to not do at all?
COPPA Rules in General
There are some general rules you need to follow when covered by COPPA (quoted from the FTC COPPA FAQ):
- Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children;
- Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
- Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
- Provide parents access to their child’s personal information to review and/or have the information deleted;
- Give parents the opportunity to prevent further use or online collection of a child’s personal information;
- Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
- Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
What is personal information in COPPA 2013?
Personal Information under COPPA 2013
Another change that COPPA brings in its 2013 form is the broader definition of “personal information”. Until now the term “personal information” included such categories as first and last name, a home or physical address, an email address, a phone number etc. The amended Rule defines personal information to include:
- First and last name;
- A home or other physical address including street name and name of a city or town;
- Online contact information;
- A screen or user name that functions as online contact information;
- A telephone number;
- A social security number;
- A persistent identifier that can be used to recognize a user over time and across different websites or online services;
- A photograph, video, or audio file, where such file contains a child’s image or voice;
- Geolocation information sufficient to identify street name and name of a city or town; or
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.
If you collect any of the information above, COPPA applies to your app. Don’t forget, however, that even if you don’t collect any personal information, you are still required to say so in a privacy policy according to Apple’s new app acceptance requirements.
iubenda and COPPA
iubenda has worked the information you have to provide parents with into a clause we call “The Service is directed to children under the age of 13”. Add that clause to your privacy policy. While iubenda helps you craft beautiful and meaningful privacy policies, you need to understand that this isn’t the end of the path to compliance. There are a few things that only you can do, such as the following (the source was a mailing to companies that made apps for children):
- You must give notice and get parental consent for personal information collected on your applications from third parties, such as ad networks, unless an exception applies.
- You must take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential.
- You must meet new data retention and deletion requirements.
If you have any questions, we are happy to take them, and they will be addressed in our upcoming, more helpful guide. If not, feel free to go ahead and generate your app’s privacy policy with us.