Rules 4 Kids

COPPA applies to you:

1. If your app is for kids under the age of 13 and you collect personal information from them.
2. If your app is for kids under the age of 13 and you partner with a third party that collects personal information from them.
3. If you know that kids under the age of 13 are using your app, even if your app isn't in the kids category or was created for a general audience.

In the United States, under COPPA and the KIDS CATEGORY guidelines, any user under the age of 13 is considered a child.

• It is a common misconception that an app intended for any age is not subject to COPPA.
• COPPA will always apply if you know any kids are using your app. Even if it isn't specifically made for them.

COPPA also applies to you if your app will collect personal information.

• Under COPPA, that means many different types of data. Think beyond social security numbers, names, and addresses.
• Personal data includes anything that could expose the user, like geolocation information robust enough to allow a bad actor to find a user's street name.
• Personal data also includes persistent or unique identifiers, like IP addresses or online identifiers used to contact or track the user.

The Federal Trade Commission (FTC) provides guidance with a 6-step compliance plan:

1. Establish you are subject to COPPA
2. Write a COPPA-compliant privacy policy that's easy to access
3. Notify parents directly about data collection practices
4. Get verifiable consent
5. Respect parents' ongoing rights
6. Protect children's data

To ensure your privacy policy is COPPA-compliant, include:

• What personal data you collect, how you collect it, and how you use it
• Contact information for all third parties that collect data
• Parents' and children's rights under the relevant and applicable laws, such as COPPA
• A description of parents' rights, including their right to:
  • Review their child's information you have collected
  • Ask you to delete any collected information
  • Prevent you from collecting or using more data
  • Deny your request to share collected data with third parties

Use these five best practices from attorney Whitney Merill:

1. Utilize the COPPA Safe Harbor programs approved by the FTC
2. If a Safe Harbor program isn't for you, refer to the FTC's guidance around protecting data
3. If you're doing business in other countries, understand how they define “children” and “personal data” and what laws you're subject to
4. Ensure your partners compliance with all regulations
5. If you're subject to GDPR, find a Data Protection Officer(DPO) to work with

When you have specific questions about your product, get advice from a lawyer that you trust.

As the laws change and develop around kids' data, the terms and policies of app stores will evolve to meet those changes. Pay attention to the platforms and when they adjust their policies. Ask yourself: is it the result of a change in laws or guidance?

Every platform's first rule is legal compliance with all applicable laws.

Use these twelve rules from Abby Adams to navigate app stores and bring products to market:

1. Always assume your user is a child
2. Consider compliance early and often, and be prepared to find a legal partner when necessary
3. Acquaint yourself with the app stores' Terms of Service including Apple App store, Google Play, and the Amazon App store ; pay attention to any updates
4. Avoid collecting, using, and sharing personally identifiable information (PII)
5. Get parental consent to collect any child's personal data
6. Always disclose what data you are using and how you are using it in your privacy policy
7. Do not transmit a child's data to third parties
8. Avoid third-party analytics and advertising
9. Reconsider allowing social interactions or user-generated content
10. Make a continued effort to earn - and keep - parents' trust
11. Be proactive in your communication with the app stores
12. Return to the resources and information in the Rules 4 Kids Course when you are unsure of how to proceed