Regulations like COPPA, GDPR-K, and the UK’s Children’s Code were designed to foster secure digital environments for kids. However, they’ve also placed a massive burden on digital advertisers. Here’s what you need to know to stay COPPA compliant, GDPR-K compliant, and Children’s Code compliant; and how app intelligence can help.
(NOTE: This article is not meant to be interpreted as legal advice. Readers should consult with their legal counsel before enacting any COPPA-, GDPR-K-, or Children’s Code-related measures.)
Data privacy is a big deal, especially when it comes to protecting children. So, unsurprisingly, the United States, United Kingdom, and European Union have begun to take steps to create more secure digital environments for kids and teens.
Perhaps the most notable of these initiatives is the European Union’s landmark General Data Protection Regulation (GDPR) enacted in 2018. However, GDPR was by no means the first such regulation. 20 years prior, the United States passed the Children's Online Privacy Protection Act (COPPA), requiring digital and online service providers to take steps to protect children's privacy.
Of course, today's environment is substantially more online than it was in 1998; and this has made compliance with regulations like COPPA and GDPR an increasingly thorny issue. Indeed, according to the Federal Trade Commission (FTC), falling out of line with COPPA can cost violators up to $43,280 in civil penalties per violation.
This is a number that YouTube is all too familiar with. Back in 2019, the online video sharing giant was slapped with a massive $170 million fine by the FTC for COPPA violations, including tracking the viewing history of minors to facilitate targeted advertising.
And YouTube isn't the only company to attract the FTC’s ire. The ad tech industry, for instance, regularly finds itself on the business end of a COPPA investigation.
With this in mind, this article offers a brief overview of three like-minded policies designed to protect childrens’ online privacy — COPPA, GDPR-K, and the UK’s Children’s Code. While we don’t provide a comprehensive analysis, we do touch on the basics, including what the policies require and the parties responsible for complying with them.
To jump to a particular spot, click the links below:
- What Is COPPA (Children's Online Privacy Protection Act)?
- Who Needs to Comply With COPPA?
- What Is GDPR-K (Art. 8 GDPR)?
- Who Needs to Comply With GDPR-K?
- What Is the United Kingdom’s Children’s Code (Age Appropriate Design Code)?
- Who Needs to Comply With the Children’s Code?
- How App Intelligence Can Help You Stay COPPA, GRPR-K, and the UK Children's Code Compliant
What is COPPA (Children's Online Privacy Protection Act)?
COPPA is short for Children's Online Privacy Protection Act of 1998. It’s a federal law in the United States that imposes specific requirements on website operators and other digital and online service providers to protect the privacy of children under the age of 13. COPPA took effect in April of 2000 and is managed by the Federal Trade Commission (FTC).
COPPA stipulates that sites and mobile apps must require verifiable parental consent before collecting or using any personal information of users under the age of 13. In addition, it outlines…
- When and how to seek verifiable consent from a parent or guardian.
- Privacy policy requirements, including the requirement that the policy itself be posted anywhere data is collected.
- The legal responsibilities attached to the operator, including information on the types and methods of marketing that are prohibited when targeting children under the age of 13.
Who Needs to Comply With COPPA?
The FTC’s COPPA FAQs page outlines three types of operators covered by the policy. They stipulate that COPPA applies to…
- Operators of commercial websites and online services (including mobile apps and IoT devices) directed to children under 13 that collect, use, or disclose personal information from children.
- Operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.
- Websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.
What is GDPR-K (Art. 8 GDPR)?
The European Union’s General Data Protection Regulation (GDPR) was designed to protect people’s rights regarding their data. Enacted in 2018, GDPR is one of the toughest privacy and security laws in the world. Moreover, while it was drafted and passed by the European Union (EU), it imposes obligations onto organizations globally, so long as they target or collect data related to EU citizens and residents inside the EU.
However, for the sake of this article, let’s focus on Article 8 of GDPR. Colloquially known as GDPR-K, Article 8 is essentially the EU’s version of COPPA. It covers “conditions applicable to child's consent in relation to information society services.”
GDPR-K requires apps or sites directed at children under the age of 16 (or younger, depending on the EU country) to obtain verifiable parental consent before collecting any personal information about the child. Moreover, it states the controller “shall make reasonable efforts to verify in such cases that consent is given or authorized by the holder of parental responsibility over the child, taking into consideration available technology.”
Who Needs to Comply With GDPR-K?
GDPR-K applies to any company or organization offering ‘information society services’ directly to a child. According to GDPR, an ‘information society service’ refers to any service “normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”
Now, in case legalese isn’t your native tongue, the GDPR glossary includes a helpful exegesis on the text. From what we gather, it essentially just means “anyone offering an online service.”
What is the United Kingdom’s Children’s Code (Age Appropriate Design Code)?
Last, but certainly not least, the United Kingdom’s Children’s Code. Officially known as the Age Appropriate Design Code, it’s a data protection standard for online services (including apps, online games, and web and social media sites) likely to be accessed by children under the age of 18.
The Children’s Code contains 15 standards formulated to ensure that online services are complying with their obligations under data protection law to protect children’s data online. This includes…
- Mapping what personal data they collect from UK children.
- Checking the age of the people who visit their website, download their app, or play their game.
- Switching off geolocation services that track where in the world their visitors are.
- Not using nudge techniques that encourage children to provide personal data.
- Providing a high level of privacy by default.
Who Needs to Comply With the UK Children’s Code?
The Children’s Code is very similar to GDPR-K. Here’s how the United Kingdom’s Information Commissioner’s Office (ICO) phrases it on their site: “The code applies to information society services likely to be accessed by children. The definition of an information society service is ‘any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.’”
Sounds pretty familiar, right?
Fortunately, the ICO goes into a little more detail than their EU counterparts, noting that the Children’s Code applies to most for-profit online services. This includes apps, programs, search engines, social media platforms, online messaging or internet-based voice telephony services, online marketplaces, content streaming services, online games, news or educational websites, any websites offering other goods or services to users over the internet, and electronic services for controlling connected toys and other connected devices.
Moreover, the ICO stipulates that any online service likely to be accessed by children under the age of 18, even if not directly aimed at them, is probably covered by the code and should take the necessary precautions to conform with its requirements.
How App Intelligence Can Help You Stay COPPA, GDPR-K and UK Children’s Code Compliant
The digital world is notoriously difficult to regulate. So, unsurprisingly, COPPA, GDPR-K, and the Children’s Code are vital topics for many companies worldwide. Fortunately, mobile app intelligence solutions like ours at 42matters can help organizations stay compliant.
For example, Ad Tech businesses can use our solutions to…
- Identify child-directed mobile apps and games, flag them for review or exclude them from media buys and publisher networks.
- Validate supply-side partners by determining whether they’re correctly classifying apps as child-directed.
- Analyze an app’s intended audience as declared by the app's owner, privacy policy, and permissions to create informed COPPA safeguards.
- Search app privacy policies for COPPA, GDPR-K & UK Children’s Code terms.
- Enhance your exclusion lists by adding apps with child-directed keywords, apps that have been unpublished from app stores, and more.
(NOTE: We want to reiterate that this article is not meant to be interpreted as legal advice. Readers should consult with their legal counsel before enacting any COPPA-, GDPR-K-, or Children’s Code-related measures.)
