We asked if you designed apps that can be used by kids... and we have some worrisome results to share... but also some useful advice.
We reached out to developers recently ahead of the Federal Trade Commission (“FTC”) public workshop on October 7, 2019, called “The Future of the COPPA Rule: An FTC Workshop.” The event, which the Developers Alliance attended, was meant to explore whether to update the Children’s Online Privacy Protection Act (COPPA). With all the COPPA talk recently, we wanted to hear your thoughts.
A quick refresher: COPPA is a US law passed by Congress in 1998 and effective April 2000. It was intended to give parents and guardians more control and visibility over who was interacting with their children online, and what information was being shared. COPPA imposes specific requirements on operators of websites or online services directed to children under 13 years of age. Additionally, it imposes requirements on operators of any websites or online services that know that they are collecting personal information online from a child under age 13 — whether they intended to or not.
In light of the workshop, we sent around a survey to our membership and dev friends and asked for opinions on the rule. Though our sample is limited, nearly all of the responses were from individuals who indicated that they code for at least part of their job. Some had strong feelings, while others were ambivalent. Looking at the results holistically, the majority of respondents were impacted by COPPA and would be directly impacted by any change to the law. A large majority of survey respondents indicated that they designed apps for kids, and an even bigger portion said that it is entirely foreseeable that kids could be using the apps that they create.
The issues indicated by the survey?
Only a small group of respondents indicated that they were familiar with COPPA. Additionally, slightly less than half of the group believed they were impacted by COPPA rules. This same group stated in their response that their apps are or could be used by kids. We have now hit the conundrum.
Our results showed that at least part of the dev community may be underestimating the reach of COPPA. Furthermore, based on comments and chats with members, it is likely this is a consistent theme across the industry. These results aren’t good for anyone.
I hate to be the bearer of bad news, but if you are a dev designing apps for kids, you ARE impacted by COPPA. If you design an app that a kid could foreseeably use, you MAY be impacted by some of the new COPPA rules the FTC is considering.
What happened to the last company that thought they didn’t need to comply with COPPA? They owed the FTC a $170 million fine for illegally collecting personal information from children without their parents’ consent. Don’t have $170 million to spare? Me either.
We’d recommend that anyone building apps that appeal to kids take a look at the COPPA rules, lest you end up in the next news article we’re sharing. Once you’ve determined whether you fall in its scope or not, check the FTC’s website to make sure you’re taking the appropriate measures to be in compliance.
Our feedback to the FTC, echoed by one Developers Alliance member in our survey, is that laws like COPPA often skew towards larger companies who have a larger team, and lawyers or consultants to alert them to what the law is, and by extension, what being in compliance with COPPA actually means. Compliance with COPPA takes time and resources. Unfortunately, smaller companies can seldom afford the resources it takes to reach compliance, or worse still, to become aware that compliance is necessary. Given how many devs work either independently or for small companies — and likely don’t have the money, people, or resources to easily spot compliance issues (let alone resolve them) — there’s a danger that some apps designed for or used by kids may not be fully COPPA compliant. Not exactly what the FTC wants to hear, I’m sure.
Most devs who reached out to us to talk about their experiences with COPPA gave feedback to the extent of “it creates more work” and “we had to implement an age gating system to be compliant.” Correct, and correct. In Congress’s defense here, that is why the rule was established—because the kiddos admittedly take more work to be protected. However, you have to know if it’s a kiddo if you’re going to protect them.
The survey and subsequent follow-up did give us some great ideas that we plan to add to the Developers Alliance submission for comments on COPPA that the FTC is requesting, due October 23, 2019. A few respondents requested that the rules be simplified so that they were easier to execute. A handful went rogue and requested COPPA be overhauled in its entirety. (While we get the law is a pain, that one is unlikely to happen at this point, guys, sorry to say.)
Given the amount of chatter on data privacy these days, the General Data Protection Regulation (“GDPR”) naturally came up in our results as well. This, of course, brings up an interesting point. COPPA is meant to protect kids' data and online footprint, but how will COPPA’s stream of evolving regulation intertwine with other data privacy legislation? Laws such as GDPR and the soon-to-be-enforced California Consumer Privacy Act (“CCPA”) create a variety of standards, some of which may be contradictory, or open to varying interpretations at the least.
It should go without saying (but we will anyways) that simplification of data privacy regimes is critically important for developers. Fifty different domestic app versions for each state law, a European Union app version, and an age and location gate for everyone else (is your head spinning yet?) is not a viable solution. It is no wonder that one survey respondent suggested the onus should be on the app store, not the developers, to appropriately age gate apps.
Developers want clear rules and easy-to-follow guidelines on how to follow the law, so they can spend less time on puzzling through compliance and more time doing their actual jobs — developing innovative and exciting software. Developers, we don’t blame you. You shouldn’t need a fleet of attorneys and policy folks explaining to you what an extremely long and ever-evolving bill is and how it will impact you month to month.
Regardless of how COPPA revisions go, something developers all seem to agree on is that we want to protect kids without hurting the ecosystem of kids' content. COPPA is meant to protect kids, not limit them to a tiny pool of “age-approved” games.
If you or your company is impacted by COPPA or any of its rule revisions, or would like to offer further insight on your experiences with this rule or the issues covered in it, please do not hesitate to reach out to our Policy & Developer Relations Manager, Sarah Richard, using the form below.