Privacy guidelines for apps for children

Apps targeted specifically at children, particularly educational apps, are becoming more and more common. But creating apps for children is different from creating apps for adults in a number of ways.

From differences in design and UI decisions to legal requirements you need to keep in mind, creating apps for children is a whole new ballgame.

There are laws around marketing to children, keeping children's information, and forming contracts with children (i.e. getting parental permission), so it's important to keep on top of what you need to comply with.

In the US, the children's privacy law is called the Children's Online Privacy Protection Act 1998 (COPPA).

We'll look at what COPPA and similar laws in other countries require, how to make sure you meet your legal obligations when you design mobile apps for kids, and what not to do.

The rise of apps for children

Children's access to technology is becoming increasingly prevalent, even for very small children. 58% of kids 8-12 years old have smartphones, and 78% of children 13-17 years old. 61% of three-year-olds and 38% of two-year-olds are using iPads, for between 1 hour a week and 1 hour a day.

This means that it's becoming increasingly likely that a child will be the user behind the mobile screen using your app.

Many apps for children are pitched as being educational, such as Spelling Bug Hangman, and Zap Zap Math. Apps like these may be used both at home and at school, which means that children have numerous opportunities to access them and enter their information.

Other apps are games or are related to movies, such as Frozen Free Fall featuring characters from the movie Frozen, or School of Dragons: How To Train Your Dragon, related to the How To Train Your Dragon movies.

User experience and design companies are already cropping up with targeted tutorials for how to design apps for children. Suggestions include larger font sizes, age-targeted content, and childproof navigation interfaces.

Now let's take a look at some of the laws in place for these types of apps.

COPPA and other children's privacy laws

In the US

COPPA is a law that was brought into place in 1998, to protect the privacy of children under 13 years of age. It applies to US businesses, or anyone collecting the personal information of children residing in the US.

You must comply with COPPA if your website or app's content is aimed at kids under 13, and you collect personal information from them, or if you let other parties do that collection.

You must also comply if, even though your website or app is targeted at a general audience, you know that kids under 13 use it and that you collect personal information from them.

"Personal information" for the purposes of the COPPA act can include:

• First and last name
• Email address
• Telephone number
• Physical address
• Instant messenger usernames
• Geolocation information

Essentially, anything that can identify the child using your app can be considered "personal information" for the purposes of COPPA.

The act specifies:

• Your business must get parental consent when you collect or use any personal information of young people using your website or service
• Your website, service, or app must have a Privacy Policy
• The Privacy Policy must contain:
• The name, address, phone number, and email of anyone collecting or maintaining the personal information; or
• The contact information for who will handle inquiries from parents; and
• A description of what information is collected from children
• Whether children are able to make their information publicly available through the website or service
• How personal information is used
• How that personal information information may be shared or disclosed
• A statement that the parent can review or delete the child's personal information and refuse further collection or use (and the procedure for the parent to do so)
• The ways in which you (the business) can get consent from a parent or guardian.
• What responsibilities you have in relation to children's privacy and safety online.

United Kingdom

In the UK, there is no dedicated law for children's online privacy. Under the Data Protection Act 1998, however, data collection and data processing must be "fair".

The Information Commissioner's Office released a Good Practice Note titled "Collecting personal information using websites", which states:

Websites that collect information from children must have stronger safeguards in place to make sure any processing is fair.

You should recognize that children generally have a lower level of understanding than adults, and so notices explaining the way you will use their information should be appropriate to their level, and should not exploit any lack of understanding.

The language of the explanation should be clear and appropriate to the age group the website is aimed at.

If you ask a child to provide personal information you need consent from a parent or guardian unless it is reasonable to believe the child clearly understands what is involved and they are capable of making an informed decision.

Another guide to collecting personal information online from the Information Commissioner's Office also states:

Assessing understanding, rather than merely determining age, is the key to ensuring that personal data about children is collected and used fairly.

Some form of parental consent would normally be required before collecting personal data from children under 12.

You will need to look at the appropriate form for obtaining consent based on any risk posed to the child. You may even decide to obtain parental consent for children aged over 12 where there is a greater risk. This has to be determined on a case by case basis.

This means that in the UK, the key is to assess what risks your app poses to the child in terms of collecting and storing their personal information, as well as looking at how much they understand of what exactly they are disclosing, and why.

In many cases, particularly for very young children, it may be best to assume that they cannot comprehend the risks of sharing their information at all, which may mean you don't collect anything.

In Canada

In Canada, the relevant legislation is the The Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA does not directly cover the privacy of children online, but various principles from PIPEDA can be used to inform website owners and service operators of what they need to keep in mind.

The key thing to remember under PIPEDA, as stated by the Office of the Privacy Commissioner is that:

Consent under PIPEDA will only be valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose, and consequences of the collection, use or disclosure of the personal information to which they are consenting.

While the Act does not differentiate between adults, on the one hand, and youth on the other, the Office of the Privacy Commissioner of Canada (OPC) has consistently viewed personal information relating to youth and children as being of particular sensitivity, especially the younger they are, and that any collection, use or disclosure of such information must be done with this in mind (if at all).

Given the relatively high threshold of what is required under PIPEDA, most children will not meet the consent requirements, and personal information should not be collected from them wherever possible. If you must collect information from young children, ensure that you get parental consent.

The Office of the Privacy Commissioner also notes some tips for how to comply, which I will discuss below.

How to comply

Given the rise of children's educational apps and games, if you are trying to get on board this bandwagon it's important to do it right.

The first step in complying with COPPA and other privacy laws is to set up a good Privacy Policy. Your Privacy Policy should cover how you deal with children's personal information, and explain what you collect and why.

You should also include the requirements specified by COPPA, as we looked at in the section above.

Next, ensure that you get parental permission before you collect the personal information of children. Assuming that your users are children, you need to make sure that the language you use is simple and clearly explains to the child that a parent's permission is needed.

To give parents more options, you could give parents the opportunity to consent to the collection and use of the child's information for the app's purposes only, but stop that information being shared with third parties (or allow parents to consent to both). Make sure parents have access to the child's information so that they can review or delete it.

Here's an example of a Privacy Policy for a kids application from Bonsaisoft, for their apps for kids:

You can see that they explicitly state that they do not collect any personal data about anyone using their kid's apps, including any information about the device being used. As they don't collect any personal information from children, they don't need parental consent. Despite this, they include a clear email address at the bottom for parents to contact.

The Privacy Policy of TechSpaghetti Kids below is also similar - they explicitly state what information they collect (none from kids, but they may collect information from parents and teachers).

However, the TechSpaghetti's legal agreement doesn't provide contact information, and both Bonsaisoft's and Techspagetti's policies should ideally go into more detail about whether their apps use cookies.

One way that you can ensure that your Privacy Policy is brought to the attention of parents is to display a link to your Privacy Policy on the app download information screen before the app is downloaded and used.

Take a look at the example from the Angry Birds app below:

You can see that the app creators have included a link to the Privacy Policy of Rovio in the information text on the Apple Store. This can highlight the Privacy Policy to parents before they purchase the app for their children. When your Privacy Policy is agreed to, ensure that it is clear exactly who is agreeing.

For instance, you could have two check boxes, one stating "I am over 13 years old and agree to the Privacy Policy and Terms of Use", and the other stating "I am the parent and/or guardian of the app user, and I agree to the Privacy Policy and Terms of Use".

Finally, remember to avoid collecting information from children wherever possible, and be aware of inadvertent collection such as text-entry fields: many children will enter their real name as a username when given the opportunity.

Creating apps for children can be a fun and worthwhile experience, particularly if you are contributing to something important like their education. However, you need to be aware of what you're required to do by law to protect children's privacy when they use your app.

Include a clear, thorough Privacy Policy, and ensure that it is brought to the attention of parents. Get their consent before collecting any personal information of children, and avoid collecting personal information at all where possible.