What is the COPPA Guidance for Apps?
The owners, or “operators,” must clearly explain the mobile apps’ information practices, provide direct notice to parents about those practices and obtain parental consent before collecting the child’s personal information. These obligations apply to mobile app companies when third parties such as ad networks or plug-ins collect personal information through their mobile apps.The latest revision to COPPA Frequently Asked Questions (“FAQs”) allows for new ways to seek parental consent, including credit card verification, and gives app makers new mechanisms for consent without being classified as an operator.
Under COPPA, password entry alone does not qualify as VPC. The FAQ suggests that password entry in combination with such measures as authentication questions may provide sufficient assurance that the person entering the password is the child's parent.
The revised guidance also suggests that since provision of credit card information alone is not VPC, provision of credit card information without a transaction may be part of verifiable consent when used in combination with such measures as security questions, or verification of government identification.
Importantly, the updated guidance modified the ability of operators to rely upon and use consent obtained with the help of app stores. It clarified that app stores are not “operators” subject to COPPA if they are simply making a child-directed app available to the public.
App stores or platforms that are providing a verifiable consent mechanism for developers to use will not be held liable for COPPA violations for failing to investigate an app developer’s privacy practices. They will, however, be held accountable for compliance under Section 5 of the FTC Act that enforces violations for unfair and deceptive practices. It is important that such app stores or platforms do not misrepresent the level of oversight they are providing.
App developers are still responsible for providing parents with direct notice of its information collection practices before consent is provided. They are responsible with ensuring that the third party obtains consent in accordance with COPPA requirements. Specifically, parental consent must be obtained “in a way that is reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.”
For more information, see here: https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa
These materials were obtained directly from the Federal Government public websites and are posted here for your review and reference only. No Claim to Original U.S. Government Works. This may not be the most recent version. The U.S. Government may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.