Around the world, stay-at-home orders have led to a dramatic increase in kids consuming digital content, everything from casual games to esports to educational apps to social video.
This creates a whole category of new data privacy and compliance risks for developers, just at a time when politicians, regulators and activists are focused more than ever on safeguarding kids online. Popular platforms like Zoom have been caught completely off guard by the influx of children.
The press is leaning in as well, scrambling to review the most popular services to provide safety guides and recommendations to millions of parents suddenly dealing with a tsunami of screentime in their homes.
The time for developers to think about kids’ privacy and safety is now.
Looking at the last two months (February and March 2020) on our Kids Web Services platform (which powers parental COPPA/GDPR-K consent for apps and services used by under-13s), we saw a 50% surge in the volume of new under-13 registrations. The greatest number of new user registrations comes from the countries that most recently implemented school lockdown policies.
However, if we look at countries like the US, Brazil and the UK—where schools have mostly been closed for the last month—we see an important new trend emerging. In these regions, parental verification growth exceeds new user registration growth, i.e. there is a clear trend of parents getting more involved in (and consenting to) the games and services their children are accessing.
As families are spending a historically unique amount of time at home together, parents are more likely to pay greater attention to what their kids are doing online. This, in turn, makes it more likely for them to give consent for their kids’ favourite games and services.
| Country | % increase in under-13 registrations | % increase in parent verifications |
| --- | --- | --- |
| India | 80% | 47% |
| Mexico | 60% | 59% |
| Brazil | 35% | 80% |
| USA | 25% | 40% |
| UK | 10% | 15% |
COPPA says that developers may consider themselves mixed-audience (as opposed to child-directed) if kids are not their primary audience. They must then identify their under-13s and avoid collecting any personal data except with parental consent. The same approach is required by GDPR-K in Europe, CCPA in California, and other new data privacy laws for any digital service likely to be accessed by kids under the age of digital consent, which is 16 in the EU and a growing number of other jurisdictions.
So how do we retrofit data privacy compliance in practice?
First, know that regulators are often more concerned with your demonstrable, thoughtful efforts to be compliant than with perfection in compliance.
Second, signaling goes a long way—acknowledge your kids’ audience in your onboarding process and your privacy policy. Be transparent about everything.
If you’re genuinely a mixed-audience site or app, e.g. you develop for adults but lots of kids are using your service, then use an age gate to separate the two audiences.
Then audit what personal data you’re collecting from users to determine whether (a) you can create an experience for kids that doesn’t collect it, or (b) what personal data permissions you need to obtain from parents.
In short: if you collect a full name, contact information, location, or make use of any technical identifiers like IP addresses or device IDs (or allow partners to use them); or if you allow kids to freely enter usernames, chat or upload content; then you must obtain verified parental consent.
Here are the most common gotchas we see tripping up developers as they work out what they may or may not do with kids under COPPA or GDPR-K:
- Age gates must be neutral, e.g. don’t suggest to users how old they need to be to use your service or access certain features. If you allow users to pick a birthdate or age from a flywheel be sure it defaults to an age under 13, so that you’re not encouraging lying. The age gate must come BEFORE you collect any personal data and that includes technical persistent identifiers such as device IDs or IP addresses.
- Registration—if you allow users to create their own usernames, you must instruct them to avoid using real names or existing social media handles, and apply moderation to ensure their usernames don’t include personal data. Don’t ask kids to provide a full name or phone number or email, unless you have a very clear legal argument under—for example—COPPA’s ‘one-time contact’, or ‘multiple-contact’ exception.
- Geolocation—never collect lat/long or a full IP address in order to locate a kid user. You can still track users by country or city, but always truncate IP addresses at source to prevent specific geolocation of children.
- If your service allows users to upload content, or publish free text in a chat or in a public forum like a feed or wall, then you must pre-moderate that content to strip out any personally identifying information. This includes faces of kids, names of schools or pictures of school uniforms, contact information including other social media handles, etc. Note that under COPPA the definition of “collect” includes both children giving personal information to you (as in during registration) AND any personal data they share with the public through your service, as in a chat room, forum or wall post.
- You may collect behavioral data and product usage data for purposes of improving your product, but you must be sure to depersonalise it, use aggregated or cohort-based data where possible, and don’t share any unique identifiers of users with third parties (like analytics providers) unless you have very explicit contractual assurances they won’t use it for anything other than to support your internal operations.
- If your service allows links to other websites, then be sure to message child users about being safe online before they leave your app. In some cases you may want to disable all external links (Apple requires this for primarily child-directed apps), or you may want to make use of a so-called parental gate to ensure an adult is aware.
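The geolocation and behavioral-data points above can be enforced in one place, at the edge of the service, before anything is logged or forwarded to a partner. The following is an added example, not code from the article or from Kids Web Services: the prefix lengths (/24 for IPv4, /48 for IPv6) and the event field names are assumptions, and it is meant to run for every user who is under 13 or has not yet passed the age gate.

```python
import ipaddress

# Assumed prefix lengths (not from the article): keep the /24 of an IPv4
# address and the /48 of an IPv6 address, coarse enough for country/city use.
V4_PREFIX, V6_PREFIX = 24, 48

# Hypothetical field names for identifiers that must not be stored or shared.
IDENTIFIER_FIELDS = {"device_id", "advertising_id", "email", "lat", "lon"}


def truncate_ip(raw: str) -> str:
    """Zero the host bits so the stored value cannot locate a specific user."""
    addr = ipaddress.ip_address(raw.strip())
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) carries a full IPv4
    # address in its low bits, so unwrap it and apply the IPv4 rule.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def scrub_event(event: dict, remote_addr: str) -> dict:
    """Return the only record that may reach logs or analytics."""
    cleaned = {k: v for k, v in event.items() if k not in IDENTIFIER_FIELDS}
    try:
        cleaned["ip_prefix"] = truncate_ip(remote_addr)
    except ValueError:
        # Malformed address: store nothing rather than the raw string.
        cleaned["ip_prefix"] = None
    return cleaned


if __name__ == "__main__":
    # Constructed sample event and documentation-range addresses.
    sample = {"level": 3, "device_id": "constructed-id", "lat": 51.5}
    print(scrub_event(sample, "203.0.113.77"))
    print(truncate_ip("2001:db8:abcd:12:34:56:78:9a"))
```

Calling `scrub_event` in the request handler, ahead of any logging middleware, is what makes the truncation happen "at source"; a raw address written to an access log first has already been collected.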
If you’ve audited your service and realise that it simply wouldn’t be functional, or would at best offer a very poor experience, unless you make use of some personal data, then you must implement a process for obtaining parental consent to the standard defined under COPPA and GDPR-K. This is known as verified parental consent, or VPC.
VPC needn’t impact your registration funnel too dramatically, provided you consider progressive permissions. Check out our mini-guide here, and reach out if you’d like to learn more about how our Kids Web Services platform can automate the whole process for you.
For more information on what it takes to comply with kids’ data privacy laws, visit our Kidaware portal. There you can also schedule some time with one of our Kidaware consultants for advice specific to your content experience.
Max Bleyleben is Managing Director and Chief Privacy Officer at SuperAwesome.