Legal Alerts / 12 Jun 2013

Legal Alert – Children’s Online Privacy Protection Act Rule and Mobile Apps

I. Introduction

In December 2012, the Federal Trade Commission (FTC) issued the amended Children’s Online Privacy Protection Act (“COPPA”) Rule (the “Rule”), which will go into effect on July 1, 2013. The amended Rule expands the coverage of COPPA to include third party service providers and modifies the definitions of the terms of COPPA to broaden its scope. The Rule applies to operators of commercial websites and online services (including mobile apps) directed to children under the age of 13 that collect, use, or disclose personal information from children, and operators of general audience Web sites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.  The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children, such as advertising networks.


In making the determination of whether a mobile app is directed to children, the FTC considers:

  • The mobile app’s subject matter:
  • Visual content;
  • Use of animated characters or child-oriented activities and incentives, music or other audio content;
  • The age of models;
  • The presence of child celebrities, or celebrities who appeal to children;
  • The language or other characteristics of the website or online service, such as a mobile app;
  • As well as whether advertising promoting or appearing on the website or online service is directed to children.The FTC will also consider competent and reliable empirical evidence regarding audience composition, and evidence regarding the intended audience.If a mobile game app falls under the criteria set forth above, it will be determined to be a mobile app directed to children and the provider of the mobile app will either need to collect parents’ online contact information to provide direct notice about its personal information use and disclosure practices for the purposes of obtaining parents’ verifiable consent to the collection of a child’s personal information, or direct child visitors to content that does not involve the collection, use, or disclosure of personal information.


As a general rule, a child-directed app must treat all visitors as children and may not screen users for age. However, an exception to the general rule exists if a child-directed site also targets parents and teenagers. If the requirements of the exception are met, then the app may age-screen users to only provide COPPA protections to children under the age of 13. An app developer may fall under this exception if the mobile app: (1) does not collect personal information from any visitor prior to collecting age information and (2) prevents the collection, use, or disclosure of personal information from visitors who identify themselves as under 13 without first complying with the notice and parental consent provisions.

If it is determined that the mobile app fits the definition of an online service directed to children, even if children are not the primary target audience, the app provider cannot use the age screen to block children under 13 from using the app. The age screen can only be used to differentiate between children and non-children and this differentiation can be used to offer different activities or functions depending on which category the users fall into.

Once it has been determined, through the use of an age screen, that some users are children, the app provider has two options:

1. Collect parents’ online contact information to provide direct notice in order to obtain parents’ consent to the app provider’s information collection, use and disclosure practices; or
2. Direct visitors under the age of 13 to content that does not involve the collection, use, or disclosure of personal information.


As of July 1, 2013, the definition of “personal information” will include:

  • First and last name;
  • A home or other physical address including street name and name of a city or town;
  • Online contact information;
  • A screen or user name that functions as online contact information;
  • A telephone number;
  • A social security number;
  • A persistent identifier, such as a cookie, that can be used to recognize a user over time and across different Web sites or online services;
  • A photograph, video, or audio file, where such file contains a child’s image or voice;
  • Geo-location information sufficient to identify street name and name of a city or town; or
  • Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.

If a mobile app is used to collect any of this information, it will be subject to the requirements of COPPA.


A provider of a mobile app that is not directed to children is required to comply with the terms of COPPA if the provider has actual knowledge that children under the age of 13 are using the app. The Rule does not define the term “actual knowledge” but the FTC has said that an operator has actual knowledge of a user’s age if the app asks for and receives information from the user that allows it to determine the person’s age. The FTC’s enforcement action against Artist Arena illustrates the type of behavior that will constitute “actual knowledge” under COPPA. The FTC prosecuted Artist Arena as an operator of a general audience website that had actual knowledge that it was collecting personal information from children under the age of 13. In this case “actual knowledge” was established because each site asked users to enter a birth date upon entering the site. Questions that allow an app provider to determine the age of a user (for example the level of schooling, grade, or the like) will be determined to provide “actual knowledge” if the answers reveal that the user is under the age of 13.


(i)  Privacy Policy

Under the Rule, the online notice must state the following three categories of information:

1. The name, address, telephone number, and email address of all operators collecting or maintaining “personal information”(as described above) through the site or service (or, after listing all such operators, provide the contact information for one that will handle all inquiries from parents);
2. A description of the types of personal information the operator collects from children, including whether the operator enables children to make their personal information publicly available, how the operator uses such information, and the operator’s disclosure practices for such information; and
3. That the parent can review or have deleted the child’s personal information and refuse to permit its further collection or use, and state the procedures for doing so. See 16 C.F.R. § 312.4(d) (“notice on the Web site or online service”).

The Rule requires that the operator post a clearly and prominently labeled link to the online privacy policy on the home or landing page or screen of the website or online service, and at each area of the site or service where personal information is collected from children.  The privacy policy does not need to be included at the point of purchase or download.

(ii) Direct Notice to Parents

The Rule requires that the mobile app provider send parents a direct notice prior to the collection of any personal information from the child.

The Rule states that, “Any method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.” These approved methods include:

  • Providing a consent form to be signed by the parent and returned via U.S. mail, fax, or electronic scan;
  • Requiring the parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
  • Having the parent call a toll-free telephone number staffed by trained personnel, or have the parent connect to trained personnel via video-conference; or
  • Verifying a parent’s identity by checking a form of government-issued identification against databases of such information, provided that the provider promptly deletes the parent’s identification after completing the verification.

If the mobile app provider is going to use children’s personal information only for internal purposes without disclosing the information to third parties or making it publicly available, then the provider can use any of the above methods or the provider can use the “email plus” method of parental consent. “Email plus” allows the provider to request that the parent indicate consent in a return email message.  To properly use the email plus method, the provider must take an additional confirming step after receiving the parent’s message.  The confirming step may be:

1. Requesting in the provider’s initial message to the parent that the parent include a phone or fax number or mailing address in the reply message, so that the provider can follow up with a confirming phone call, fax or letter to the parent; or
2. After a reasonable time delay, sending another message via the parent’s online contact information to confirm consent.  The message should include all the original information contained in the direct notice and information on how the parent can revoke the consent.


In the case of mobile apps that are determined to be directed to children, app providers that also target teenagers and adults have the option to either:

1. Create an age-screen mechanism that will distinguish between children under 13 and other users; or
2. Treat all users as children and either require parental consent and notice or stop the collection, use, or disclosure of personal information.

If the mobile app provider chooses to age-screen users and the age-screen mechanism determines that there are children under 13 using the app, then the app provider has the option to:

1. Collect parents’ online contact information to provide direct notice in order to obtain parents’ consent to your information collection, use and disclosure practices; or
2. Direct visitors under the age of 13 to content that does not involve the collection, use, or disclosure of personal information.

If the mobile app is determined to be directed to children and does not target teenagers and adults, then the app provider will be prohibited from age screening users and will have to:

1. Give notice and get parental consent for personal information collected on its apps from third parties, such as ad networks, unless an exception applies.
2. Take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential.
3. Meet new data retention and deletion requirements.

If the mobile app is not determined to be directed to children, the app provider can employ an age-screen device and block users that are under the age of 13 from using the app.

VIII. Penalties for COPPA Violations

Violations of the Rule may be subject to civil penalties of up to $ 16,000 per violation.  A “violation” generally means a child’s personal information collected in violation of the COPPA and therefore the amount of civil penalties can be quite significant indeed.  For example, just recently Path, Inc. was ordered to pay civil penalties in the amount of $800,000, in part because of COPPA violations. Usually companies subject to these civil penalties are also ordered to create a comprehensive privacy program and are required to carry out a third-party performed biennial assessment of the privacy program for a period of 20 years and to report on the assessments to the FTC.

Additional information

Attorneys-At-Law Borenius LLP (U.S. New York)

Share on LinkedInTweet about this on TwitterShare on Facebook