Creating Apps for Children in the Age of COPPA

So, you have a great idea for an app for children, or perhaps an app that children may use? If any of your servers or headquarters are based in the U.S, or even if your young clientele are U.S based, you need to familiarize yourself with the Children’s Online Privacy Protection Act (COPPA) and make sure that you are in compliance.

What is COPPA?

COPPA is a U.S Federal Government act that protects children’s privacy on the internet. The act was originally enacted in 1998, with an amendment updating the act in 2012. Although opinions may differ whether this is the most effective, or constitutional, way to save our children from online harm, the law is designed to put control of children’s privacy in the hands of their parents. Whether you agree with the provisions or not, noncompliance carries a hefty fine and some apps have been removed from stores due to noncompliance.

In a nutshell, COPPA tells you, the entrepreneur, that you cannot collect, use or disclose children’s personal information without parental approval. Even if you do get parental approval, you must only collect the information that you need to manage your business, protect the information, and delete it as soon as reasonably possible. You also cannot engage a third party that does not fulfill these practices and does not engage in reasonable protection of the data they collect.

Who Does the Law Protect?

The law protects children under the age of 13 who reside anywhere in the world. For example, if you are a U.S based firm targeting French children, or a foreign-based firm targeting U.S children, the law applies to you, too.

When Exactly Does the Law Apply to You?

The law applies to you if:

  • You are an internet operator offering online materials that target children and you collect, use or disclose personal information.
  • You are an online service targeting children and share information with a third party that collects, uses or discloses personal information.
  • You are a plug-in or advertising platform, which connects to a site that targets children.
  • You are an online service that does not specifically target children but you know that you have users under the age of 13 and collect, use or disclose personal information (or a third party does through your app). With an emphasis on the fact that you know they are under 13.
  • You are a commercial entity (however, the United States Supreme Court has already ruled that non-profit organizations can also be subject to the law).

While your app-based venture might not consider itself an “online operator”, COPPA includes websites, mobile apps, plug-ins, advertising networks, location-based services, VOIP services, apps or plug-ins that deliver behavior-targeted ads. In other words, your application certainly falls under COPPA.       

What Exactly Are You Not Allowed To Do?דניאל2

You are not allowed to collect children’s personal information without parental permission. This information includes:

  • full name
  • home or other physical address
  • online contact information (email, skype name, etc.)
  • screen or user name
  • social security or identity number
  • telephone number
  • persistent identifier, such as an IP address
  • picture, video or audio file of a child’s image or voice
  • geolocation information

Although it might seem like a great way to engage your customers, you may not condition children’s participation based on their disclosure of more information.

What Personal Information Can You Collect?

If you are collecting persistent identifiers for your internal operations without any other personal information, or if you only collect email addresses which are immediately altered internally (for password reminders), you can collect this information without parental consent.

How Do I Remain In Compliance?

  1. Post a clear and easily accessible privacy policy. Parents should not have to look for the policy, and it is your job to make the policy easy to read, comprehensive and easy to access.דניאל3
  2. If you change policies, make sure parents are aware of the changes and agree to the update.
  3. Provide an easy-to-access parental consent process. If you are going to disclose a child’s personal information to third parties or allow children to make information publicly available (such as through social networking sites) then you must be reasonably certain that you have received consent from the parent with the best use of available technology. Here are some ways:
  • Ask parents for a signed consent form returned by snail mail, fax or scan.
  • Verify the parents’ consent using an online payment (credit or debit card) system that provides notification of each transaction.
  • Have parents call a toll free telephone number or video conference with trained personnel.
  • Request government issued identification checked against a database – and promptly deleted after verification.

If you are only collecting information for internal purposes, you can use any of the above methods, or you can use “email plus” technique. “Email plus” involves sending an email to the parent and requesting consent, which can be received in one of two ways. Request a phone, fax or mailing address, followed up with confirmation call, fax or letter. Alternatively, after a reasonable time delay, send another message to the online contact address of the parent to confirm consent. This second message should contain all the information included in original email.

  1. Make it easy for parents to review the personal information that you are collecting and approve, manage or prohibit which information is given.
  2. Institute responsible policies for protecting the security and confidentiality of any information you do collect, and only releasing the information to parties that practice equally responsible policies.
  3. Make sure that you are only requesting information necessary to do business.
  4. Periodically monitor the processes of third parties with which you do business to ensure that they maintain the standard of information security that you require.
  5. Get rid of user information as soon as possible in a way that maintains its safety and protects it against unauthorized access.
  6. If you are not running a site for children, but you know children are using your site, you may want to prohibit use for children under 13 if you are not interested in investing in the safeguards to comply with the law.


Kids are online. 38% of two-year-olds are using iPads, and 56% of children between the ages of 8-12 own smartphones. There is no doubt that children are a large and intriguing market, and are potential end-users of your app. While working with COPPA does require safeguards regarding data mining, and will potentially add to your cost of doing business, when you run an app that caters to children, the law requires that you take responsibility.

The information presented is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice.

By | 2017-05-30T23:37:06+00:00 May 15th, 2016|Articles, Featured Article, Internet Law, Start-ups|0 Comments

About the Author:

Daniel Klein
Law & Business student at IDC Herzliya. In his free time, he enjoys reading and playing the piano.