Legal Requirements for App Games for Kids

Developing an app comes with a long list of legal requirements, but if your app targets kids, then you have an additional list of considerations on your plate.

Kids' apps that collect personal data fall typically under the jurisdiction of two laws: the Children's Online Privacy Protection Act (COPPA) of 1998 and the General Data Protection Regulation (GDPR) of 2018.

These laws apply differently depending on each users' country of residence, but both include stringent rules for the protection of the data of children under the age of consent.

Is your app targeted towards kids or is it a gaming app that appeals to young users? If so, keep reading to learn more about what you need to do to protect your app and its users.

Apps for Kids are Popular

If you don't think kids use apps, think again. Kids not only love apps but bring in massive revenue, including $110 million worldwide in 2017 alone.

Although most of us recognize that both children and their data deserve special protection, studies revealed that the majority of kid-targeted apps violated the U.S. privacy law that specifically protects kids' data online (the Children's Online Privacy Protection Act (COPPA)) in 2018.

COPPA says that you can't collect children's data without permission from their parents or guardians and provides guidance on what you can and can't do with their data once you have it.

Major COPPA violations found by researchers include:

• Sharing contact or location information without consent
• Sharing personal information without security measures
• Sharing persistent identifiers for prohibited ad targeting (and other purposes)
• Ignoring contractual obligations to protect children's privacy

Some app makers say, "Hey, this doesn't apply to us. We don't market to kids, and we can't help it if kids use our app." (COPPA applies to websites and apps directed at children.)

Those developers, however, have a poor understanding of who COPPA does and doesn't apply to. If you know that children use your app, then you must comply with COPPA, even if they don't make up the vast majority of your users.

What is more, Google and Apple, the two largest app stores, are increasingly taking steps to enforce COPPA compliance among developers submitting apps to their marketplace. If you want to keep your app online, then you need to meet the app store's requirements.

COPPA only applies to children in the United States, which means it's only relevant if your apps are in US-based app stores. However, if your app is in the US app store and elsewhere in European stores, then the GDPR also applies.

The GDPR is a data protection initiative aimed at encouraging transparency and accountability among data processors. It adds special protections for children, including the need to create a Privacy Policy that your youngest users understand.

It also protects more children. It applies to children under 16 while COPPA is only for children under 13 years old. Additionally, it allows EU member states to set their own age of consent, which may be as low as 13.

Is Your App Targeted at Children?

In the context of COPPA, children are individuals under 13 years old. The rule states that you technically market to children if your app uses subject matter or visual content that includes:

• Animated characters (or other child-oriented visuals)
• Child celebrities
• Celebrities who appeal to children (Disney Channel stars, etc.)
• Music or audio content that appeals to children

You should review the FTC's advice within rule 16 C.F.R. 312.2 if you're unsure where you stand.

Again, even if you don't include child-friendly features or content, just the knowledge that children use your app means you fall under the law.

YouTube's app is a good example of why the FTC's rules matter more than your perception of your app.

YouTube says that its service isn't for children under 13. This would normally protect you on an app or site that doesn't explicitly cater to children, such as a shopping app or a productivity app. However, while YouTube does include millions of hours of content that children wouldn't appreciate, it is also full of cartoons, toy ads, and celebrities popular with young children.

Moreover, 80 percent of children aged 6 to 12 in the US use Youtube. So whether YouTube execs like it or not, children use it and FTC rules apply.

As a result, YouTube's argument that it doesn't explicitly cater to children doesn't necessarily hold water under FTC regulations. It doesn't matter if the company deployed YouTube for Kids to keep children away from the dangerous content found on its main site. Critics say it still has an obligation to be compliant with relevant laws.

Building a Kids App vs. an Adult App

In reality, there aren't too many technical differences between building a kids app versus a general app.

As a responsible developer, you should lead with security by design - not security as a feature - and always include a Privacy Policy that outlines:

• What data you collect
• How you collect data
• Your legal bases for collecting data
• How you store data
• Whether you share data
• When you delete data

These considerations are important for all apps, but they are particularly important when you work with children's data.

The FTC also suggests that developers who collect children's information:

• Nominate someone to be responsible for security
• Audit and inventory the data you collect and store
• Acknowledge the differences between platforms
• Add security features that support built-in platform security
• Never store passwords in plaintext
• Use encryption
• Protect your servers

What requirements are different when creating apps for kids?

There are two things:

First, there's a need to obtain consent before collecting any data from children. Next, you'll be required to include some specific clauses in your Privacy Policy.

COPPA and Article 8 of the GDPR effectively have the same requirements: you need verifiable parental consent before you can collect - not process, collect - data from children. The GDPR sets the age at 16 (but individual states may lower the age to 13 or in between) and COPPA only covers children under 13.

You also need special Privacy Policy clauses, including a clear description of the opt-ins and how to opt-out, as well as a description of parental rights. And if your app is available in European app stores, then you need to provide these in kid-friendly language to meet GDPR requirements.

Getting Parental Consent for Data Processing

To process the data of children, you need their parents' or guardians' consent. And you need to verify that consent. The mechanism for verification under the GDPR is surprisingly more flexible than COPPA.

If you have created other apps or sites to be compliant with the GDPR, you know that consent standards aren't what they were ten - or even two - years ago. You can't assume consent. You need to actively ask for it, record it, and then provide mechanisms for data subjects to withdraw it.

The same is true when you process children's data.

It is common to use a credit card transaction to verify consent to guarantee the person providing consent is an adult. However, there's a difference in that the GDPR relies on data minimization, and thus, it discourages app developers from needlessly collecting credit card details from parents.

You should only be collecting data like credit card details or personal IDs when the sensitivity of the subject requires it.

However, the GDPR isn't prescriptive at all, so you can rely on the COPPA rules for verifying parental consent if you choose. Just be sure that you protect what you do use using the appropriate technologies and safeguards.

So, what are the rules for verifiable parental consent according to the FTC?

The rules state that you need to collect consent before collecting personal information. And you can use reasonable and available technology to do so. The FTC provides some examples, including:

• Using a signed form (returned vis mail, scan or fax)
• Creating a monetary transaction (credit, debit, etc.)
• Requiring the parent to call a number operated by trained personnel
• Using a video-conference in lieu of a telephone call
• Using government-issued IDs and checking them against database (you must delete it immediately after verification)

These are required for most transactions, but if you only use the data internally, then you can use the FTC-approved "email plus" mechanism. This simply means emailing the parent's provided email address, using a consent mechanism, and requiring them to use a confirmation verification step in return, such as including a phone number where you can reach them.

All this needs to be built into your app upon listing it. These additional requirements also explain why the FTC recommends nominating a security officer as you may collect sensitive information even if your app doesn't require it for functionality.

Examples of Parental Consent Mechanisms from Popular Kids Apps

What do these mechanisms look like in the real world?

You can build them into your app's infrastructure organically but still do so in a way that prevents kids from handing over any data before their parents consent to it.

Note: All these app developers have headquarters outside the United States, so FTC requirements don't necessarily apply. However, they do comply with COPPA.

Lego Life (for Android)

The Lego Life game markets itself as a safe social media space for kids and earned a listing in the Google Play store's family section. Lego Life allows kids to download it and choose an avatar without providing any data.

It differs from other apps because it doesn't require parental consent immediately. Kids can access the main page with no problem to select an avatar and enter a user name:

However, Lego does provide a safety pop-up on the main screen geared towards kids with a cute eye-catching character called "Captain Safety":

However, as soon as kids want to log-in or perform any action that requires them to provide data, Lego automatically redirects them out of the app and to the parental verification system.

You'll notice that the redirect is very kid-friendly. It specifically says "Go get a parent" and requires a parent in order to finish creating the account:

However, it doesn't rely on the first mechanism alone to authenticate the child's age. Once you tap "I'm a parent," you are sent to an authentication page that uses the parent's email address to verify their age:

You can see how this is a good system that lets kids open the app but requires a parent to intervene before an account can officially be created and stored.

Disney Princess Magic Quest

Disney Princess Magic Quest (Gameloft) uses Disney princesses to attract children to its game, and you can find it in the Google Play Family section.

It uses a single authentication page, but it doesn't bar children under the age of consent from accessing the app:

However, it also doesn't collect any identifying information, and the Privacy Policy says that Gameloft will not collect geolocation information from apps where a child is under the age of consent and will only display contextual advertising (not behavioral):

Hello Kitty Nail Salon

The Hello Kitty Nail Salon game app takes a different approach entirely. Because the app allows in-app purchases, it issues a warning to parents once the app loads. It also warns parents about advertising and acknowledges that it does not inappropriately use behavioral advertising.

However, the game requires parents to use the settings to block in-app purchases either through the device settings or through the game settings:

There is also a second layer of security on the game settings. To access the function, you need to be able to read and follow the type of prompt below:

This stops kids under a certain age from racking up in-app purchases, but it won't stop kids who can read unless you have the correct device settings on your phone.

Why doesn't the app screen users?

The answer is in the Privacy Policy:

The app developer complies with COPPA, and it treats all users of "Child Directed Apps" (like Hello Kitty Nail Salon) as children. As a result, it doesn't screen users nor does it offer registration because it doesn't collect data.

Budge only screens for users among its general audience apps where it collects data.

Special Privacy Policy Clauses Needed for Kids Apps

To make sure your Privacy Policy complies with both the GDPR and COPPA, you need to ensure your Privacy Policy is clear and conspicuously posted before the user enters the app and through an accessible link that they can visit subsequently.

You Privacy Policy must include:

• What personal information you collect
• How you use it
• Whether you disclose the data

These are standard Privacy Policy clauses that all contracts need to have regardless of whether you operate in the US, the EU, or globally.

However, a Privacy Policy for a kids app must also include:

• Parental rights/access to data
• Procedural notices

Here's an example from Facebook's Messenger Kids app's Privacy Policy. It includes this clause that lets parents know how they can manage or delete information Facebook may have about their children:

Facebook tells parents that they can manage or delete their child's information by deleting the Messenger Kids account and it makes it clear what does and doesn't get deleted. Removing the account gets rid of activity, contact, and device information as well as registration information. However, the messages sent to other users remain active. There's no way to delete this data and other users can still see it.

Another example comes from the YouTube Kids app. The Privacy Notice dictates what a parent can access and control in their children's accounts. For example, you can clear their history or even pause it and you can also unlink your Google Account:

A second access example comes from Nick Jr., Nickelodeon's young child product. According to its Privacy Policy, parents can use a physical form to ask for and review all personal information collected. They can also ask for the information to be deleted or for Nick Jr. to stop collecting data:

Walt Disney uses a similar tactic and allows parents to access, change, or delete their children's information either through logging into the child's account or through contacting guest services by email:

By providing multiple methods for parents to control information about their children, these companies are making it easy for parents to step in and make important decisions that children themselves may not be ready to make.

App Store Requirements for Kids' App Sections

App stores have requirements for developers who market apps for kids on their platforms. Apple and Google also ask developers to keep kids in mind when developing apps. Apple, for one, acknowledges the role of parental controls and the need for personal responsibility on behalf of parents, but it requests that developers help Apple in protecting children, too.

If you want to list your app in the Kids Category of the Apple App Store (and you do if your app is for kids), then you must:

• Keep links and purchases behind a parental gate
• Comply with applicable privacy laws (COPPA, GDPR, etc.)
• Not send personally identifiable or device data to third parties
• Use third-party analytics or advertising

Your use of third-party analytics or advertising is limited to very specific circumstances where no child's data is collected or shared.

If you require age rating, then you can only use birthdate or parental contact information when required by COPPA or the GDPR.

The Google Play store requires much of the same. You must ensure that you comply with COPPA and the GDPR. Google also provides a helpful list of common violations among applications that apply for its Families program:

• Glamorizing the use of alcohol or drugs
• Using simulated gambling
• Adding inappropriate, violent content
• Showing mature ads inappropriate for children
• Promoting the app in the Families store but including adults-only content

Google actually has a Designed for Families Program for apps that are designed specifically for children:

Make sure to adhere to these app store requirements if you wish to have your app distributed and not removed for noncompliance.

Does Your Children's App Comply with the Law?

If you fall under the jurisdiction of COPPA or the GDPR, then you must take special precautions before collecting any data.

You are not allowed to collect the data of any child under 13 (COPPA) without first getting verified permission from their parent or guardian. This isn't as simple as asking them to click a button confirming they are over 18 years old. You need to follow the FTC's prescribed methods of verification to make sure that you don't inadvertently violate the law.

The best way to go is to follow the FTC's prescriptive requirements while also adhering to the GDPR's data minimization principles. Don't collect data you don't need - particularly from children - and be clear about what data you do have, what you do with it, and how to delete it.

Remember that both Apple and Google are now increasingly on the hunt for apps that violate the law. So it's in your best interest to make sure you are GDPR and COPPA compliant before submitting your app to either platform in the first place.