Children apps: 6 simple rules before the release of children app

COPPA and GDPR requirements for the children data protection

No application can be developed and released without addressing the issues of users' data protection. When it comes to creating an app for children, the importance of data protection issues becomes more urgent. Such apps are subject to strict requirements in the field of data protection, which requires additional resources from developers.

In a few articles, we will explain the requirements the legislation in the field of children data protection, specifically GDPR (applicable in the European Union) and COPPA (applicable in the US), as well as the App Store and Google Play requirements for children apps.

Who is subject to the children data protection requirements?

The rules on processing children's personal data mostly apply to apps, websites, platforms and services intended for use by children. However, they also apply to cases where a developer is aware that children are using its service, even if children are not the majority of users. This means that even if there is a small proportion of children among all the users, children data protection regulation must be complied with.

What is the age at which a person is no longer considered a child?

The specific age up to which a user is considered a child may vary depending on the applicable law. In the US, such age is 13, while in the EU it is 16.

It is important to note: within the EU, each Member State has the right to amend the age at which a person is considered a child. For example, in Cyprus, the age is set at 14.

So, actually to the rules and guidelines that a mobile game developer should consider before releasing a kid-friendly app.

Rule №1. Check the text of your Privacy Policy to make sure it contains the necessary information

The company's key document regarding the processing of personal data is the Privacy Policy. According to the COPPA, Privacy Policy to the children app must contain the following information:

  1. a list of the personal data you process about the child and why you need such data,
  2. how this personal data is collected and why,
  3. all third parties to whom you transfer personal data and for what purposes,
  4. instructions for the parent on how they can access, change or delete the child's personal data,
  5. instructions for withdrawing parental consent to the processing of the child's personal data.

Rule №2. Customize the Privacy Policy so that it can be understood by children

The purpose of the requirement is to make children aware of how their personal data will be used. Use child-friendly language to explain difficult terms so that even the youngest user can understand.

In order to explain to children what personal data they share, use visual graphics and illustrations. For example, through drawings showing characters passing personal data to each other.

Rule №3. Obtain verifiable parental consent to process the children's personal data

Among all the requirements related to the children data protection, the most difficult one is obtaining the consent of a parent to process personal data about his or her child.

Under the COPPA, such a parental consent must be verifiable. Whilst the method of obtaining consent is left to the discretion of the developer, COPPA emphasizes the importance of taking a reasonable approach to selecting such a method, taking into account available technology, to provide assurance that the person providing consent is indeed the child's parent.

The US regulator has identified several acceptable methods of obtaining verifiable parental consent: 

  • providing a consent form to be signed by the parent and returned via US mail, fax, or electronic scan (the “print-and-send” method);
  • requiring the parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder
  • having the parent call a toll-free telephone number staffed by trained personnel, or have the parent connect to trained personnel via video-conference;
  • requiring a parent to answer a series of knowledge-based challenge questions that would be difficult for someone other than the parent to answer;
  • etc.

The GDPR also requires parental consent to process children’s personal data, but GDPR does not require that this consent be verifiable.

At the same time, most European apps and websites targeting children adhere to verifiable parental consent principles similar to COPPA. This shows that such companies take the protection of children's personal data very seriously and take extra steps to do so.

To determine whether parental consent is required, you can ask the user's age when they launch the app. If the age is less than 13 (in the US) or less than 16 (in the EU), provide a choice of one of the preferred methods for obtaining parental consent.

Rule №4. Give parents a choice about sharing children’s personal data

COPPA requires that parents have the ability to choose whether their children's personal data will be shared with third parties. And even if parents refuse to share their children’s personal data with third parties, the app must still provide its functionality to that child.

To implement this requirement, you can provide functionality that will allow parents to make a decision whether to transfer personal data by clicking 'Yes' or 'No' buttons. 

Rule №5. Provide parents with specific rights regarding the children’s personal data (right to access, to rectification , to erasure, as well as to withdraw consent to processing)

The purpose of this requirement is to give parents real control over the management of their children’s personal data and to provide them with instructions on how to exercise such control. If the functionality of the app is intended to be shared between parents and children, the simplest solution is to include the control settings in the “parent profile”.

However, it is more challenging to set up the implementation of these rights when the app is only used by children. In this case, after obtaining consent, you can send guidelines for exercising the rights to the parent's email address.

Rule №6. Ensure the security of the children’s personal data

This applies not only to personal data about children, but to personal data in general. However, the level of protection for children’s personal data must be particularly high: information about the children must be kept for a minimum time and to ensure technical protection of personal data must be taken additional measures.

The above-mentioned measures are basic and apply to every children app without exception, but we have not listed all the requirements related to children’s personal data.

In the following article, we will discuss the requirements connected with the children’s personal data of the most popular apps stores.
 


Dear journalists, the use of materials from REVERA website in publications is possible only after our written permission. 

For approval of materials please contact e-mail: i.antonova@revera.legal or Telegram: https://t.me/PR_revera