To prepare for the launch of KNOW What’s Inside, a kids’ app program for privacy best practices, I’ve been looking at a lot of apps and privacy policies. There seem to be common areas where developers are unclear about COPPA (Children’s Online Privacy Protection Act), and I want to share these observations to help with July 1st compliance efforts.
Many developers are still leaning on their website privacy policies instead of privacy statements specific to mobile apps.
I’m noticing that developers either don’t have privacy policies, or if they do, their policies do not adequately describe how data is used in their apps. Many policies are written for websites, and not for mobile apps. Apps have their own set of dynamic features that use data, and these features need to be addressed in policies so consumers can learn what to expect from the app. Also, writing the policy helps developers think through their data framework in the context of the regulation. For information about what to include in a privacy policy, see COPPA FAQ section C, and as a best practice, the KNOW What’s Inside program description.
“Collecting Personal Information” has multiple meanings.
I often read clauses in privacy policies that say, “we do not collect any personal information”, and the developer then concludes that COPPA compliance does not apply. Our traditional understanding of “collecting personal information” meant type-in-your-name-and-address-and-email-on-this-website-so-I-can-store-it-on-my-server. But the updated COPPA definition of “collecting personal information” means something more like collect-use-or-disclose-digital-data-even-if-that-data-is-a-number-without-a-name-attached (and even if that data is collected by some other company!). Even if you don’t have users doing a bunch of data entry in your app, please be aware of features or services in your app that are data-rich. Sections A.2 and A.3 of the FAQs summarize this quite well.
When designing apps for kids, YOU are responsible for the privacy practices of all services included in your app.
Farther down in the privacy policy I might read something like: “This app may include links to other online services, and we are not responsible for the privacy practices of those other services”. Given that the definition of Operator has been updated, this might not be the kind of assumption we want to make. Check out the description of “Operator” in Section A.5 of the FAQ: “Modify the definition of ‘operator’ to make clear that the Rule covers an operator of a child-directed site or service where it integrates outside services, such as plug-ins or advertising networks, that collect personal information from its visitors.” Simply put, if you integrate services that aren’t COPPA compliant, then you aren’t either. This handy post from ACT4Apps helps developers evaluate the COPPA compliance of a third-party service.
Once you feel like you are ready to tackle COPPA, come see us at Moms With Apps – we have a great program waiting for you!