01 February 2020
Apps targeted specifically at children, particularly educational apps, are becoming more and more common. But creating apps for children is different from creating apps for adults in a number of ways.
From differences in design and UI decisions to legal requirements you need to keep in mind, creating apps for children is a whole new ballgame.
There are laws around marketing to children, keeping children's information, and forming contracts with children (i.e. getting parental permission), so it's important to keep on top of what you need to comply with.
In the US, the children's privacy law is called the Children's Online Privacy Protection Act 1998 (COPPA).
We'll look at what COPPA and similar laws in other countries require, how to make sure you meet your legal obligations when you design mobile apps for kids, and what not to do.
Children's access to technology is becoming increasingly prevalent, even for very small children. 58% of kids 8-12 years old have smartphones, and 78% of children 13-17 years old. 61% of three-year-olds and 38% of two-year-olds are using iPads, for between 1 hour a week and 1 hour a day.
This means that it's becoming increasingly likely that a child will be the user behind the mobile screen using your app.
Many apps for children are pitched as being educational, such as Spelling Bug Hangman, and Zap Zap Math. Apps like these may be used both at home and at school, which means that children have numerous opportunities to access them and enter their information.
Other apps are games or are related to movies, such as Frozen Free Fall featuring characters from the movie Frozen, or School of Dragons: How To Train Your Dragon, related to the How To Train Your Dragon movies.
User experience and design companies are already cropping up with targeted tutorials for how to design apps for children. Suggestions include larger font sizes, age-targeted content, and childproof navigation interfaces.
Now let's take a look at some of the laws in place for these types of apps.
COPPA is a law that was brought into place in 1998, to protect the privacy of children under 13 years of age. It applies to US businesses, or anyone collecting the personal information of children residing in the US.
You must comply with COPPA if your website or app's content is aimed at kids under 13, and you collect personal information from them, or if you let other parties do that collection.
You must also comply if, even though your website or app is targeted at a general audience, you know that kids under 13 use it and that you collect personal information from them.
"Personal information" for the purposes of the COPPA act can include:
Essentially, anything that can identify the child using your app can be considered "personal information" for the purposes of COPPA.
The act specifies:
In the UK, there is no dedicated law for children's online privacy. Under the Data Protection Act 1998, however, data collection and data processing must be "fair".
The Information Commissioner's Office released a Good Practice Note titled "Collecting personal information using websites", which states:
Websites that collect information from children must have stronger safeguards in place to make sure any processing is fair.
You should recognize that children generally have a lower level of understanding than adults, and so notices explaining the way you will use their information should be appropriate to their level, and should not exploit any lack of understanding.
The language of the explanation should be clear and appropriate to the age group the website is aimed at.
If you ask a child to provide personal information you need consent from a parent or guardian unless it is reasonable to believe the child clearly understands what is involved and they are capable of making an informed decision.
Another guide to collecting personal information online from the Information Commissioner's Office also states:
Assessing understanding, rather than merely determining age, is the key to ensuring that personal data about children is collected and used fairly.
Some form of parental consent would normally be required before collecting personal data from children under 12.
You will need to look at the appropriate form for obtaining consent based on any risk posed to the child. You may even decide to obtain parental consent for children aged over 12 where there is a greater risk. This has to be determined on a case by case basis.
This means that in the UK, the key is to assess what risks your app poses to the child in terms of collecting and storing their personal information, as well as looking at how much they understand of what exactly they are disclosing, and why.
In many cases, particularly for very young children, it may be best to assume that they cannot comprehend the risks of sharing their information at all, which may mean you don't collect anything.
In Canada, the relevant legislation is the The Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA does not directly cover the privacy of children online, but various principles from PIPEDA can be used to inform website owners and service operators of what they need to keep in mind.
The key thing to remember under PIPEDA, as stated by the Office of the Privacy Commissioner is that:
Consent under PIPEDA will only be valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose, and consequences of the collection, use or disclosure of the personal information to which they are consenting.
While the Act does not differentiate between adults, on the one hand, and youth on the other, the Office of the Privacy Commissioner of Canada (OPC) has consistently viewed personal information relating to youth and children as being of particular sensitivity, especially the younger they are, and that any collection, use or disclosure of such information must be done with this in mind (if at all).
Given the relatively high threshold of what is required under PIPEDA, most children will not meet the consent requirements, and personal information should not be collected from them wherever possible. If you must collect information from young children, ensure that you get parental consent.
The Office of the Privacy Commissioner also notes some tips for how to comply, which I will discuss below.
Given the rise of children's educational apps and games, if you are trying to get on board this bandwagon it's important to do it right.
You should also include the requirements specified by COPPA, as we looked at in the section above.
Next, ensure that you get parental permission before you collect the personal information of children. Assuming that your users are children, you need to make sure that the language you use is simple and clearly explains to the child that a parent's permission is needed.
To give parents more options, you could give parents the opportunity to consent to the collection and use of the child's information for the app's purposes only, but stop that information being shared with third parties (or allow parents to consent to both). Make sure parents have access to the child's information so that they can review or delete it.
You can see that they explicitly state that they do not collect any personal data about anyone using their kid's apps, including any information about the device being used. As they don't collect any personal information from children, they don't need parental consent. Despite this, they include a clear email address at the bottom for parents to contact.
Take a look at the example from the Angry Birds app below:
Finally, remember to avoid collecting information from children wherever possible, and be aware of inadvertent collection such as text-entry fields: many children will enter their real name as a username when given the opportunity.
Creating apps for children can be a fun and worthwhile experience, particularly if you are contributing to something important like their education. However, you need to be aware of what you're required to do by law to protect children's privacy when they use your app.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.