Now wait a minute!

COPPA and Push Notifications

Sandeep Jain

--

This article is for App Developers who are developing Mobile Apps (iOS or Android) for Kids in the US and trying to understand COPPA’s guidance around Push Notifications.

Quick Intro

COPPA stands for the Children’s Online Privacy Protection Rule, set by the Federal Trade Commission (FTC) — part of the US Federal Government.

It was enacted in 1998 to protect the privacy of kids 13 years and younger who use the Internet. As the father of a 4-year-old, I really like that there is something to protect the privacy of my child when he uses the Internet. Note that COPPA does not dictate what websites/content your child sees on the Internet (that’s for the parent to decide); it only lays down how the owner of a website may collect personal information about your child and how it can be used to contact your child.

Here’s the actual definition of the rule from FTC website:

“COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.”

Context

My company has created a Kids Podcast App — Leela Kids (Free IOS/Android).

Leela Kids — World’s First Kids Podcast App

Based on the kid’s age and topic of interest, we find the best episodes for your kid to listen to across a wide variety of kid-safe podcasts.

The issue we faced was how to interpret the Push Notifications guideline from COPPA. Here’s what the FTC’s COPPA FAQ (last updated on March 20, 2015) says about Push Notifications:

9. I have a child-directed app and want to send push notifications. Do I need to get parental consent?

The information you collect from the child’s device used to send push notifications is online contact information — it permits you to contact the user outside the confines of your app — and is therefore personal information under the Rule. To the extent the child has specifically requested push notifications, however, you may be able to rely on the “multiple-contact” exception to verifiable parental consent, for which you must also collect a parent’s online contact information and provide parents with direct notice of your information practices and an opportunity to opt-out. See FAQ H.2. Importantly, in order to fit within this exception, your push notifications must be reasonably related to the content of your app. If you want to combine this online contact information with other personal information collected from the child, you cannot rely on this exception and must provide parents with direct notice and obtain verifiable parental consent prior to sending push notifications to the child.

First and foremost, the above FAQ clearly indicates that obtaining information from the user to send Push Notifications is considered collecting “personal information”. As an app developer, my immediate reaction was “Whaaaaaaaat?” — how can that be considered personal information? But then I thought more… as part of remote notifications setup, the mobile app platform (iOS or Android) provides your App Server with a persistent identifier — this identifier is used to route the Push Notifications from the App Server to the user’s phone. This persistent identifier can indeed be thought of as “personal information”. Fair enough.

COPPA dictates that before collecting any personal information about the child, the App needs to obtain verifiable parental consent, i.e., the parent has to give consent first, before the App can collect that information from the user. (I personally think this is a sensible approach.)

However, as an App Developer, it would be a nightmare to obtain that verification as part of requesting Push Notification permission from the end user.

However (yes, another However), the above FAQ notes the “multiple contact” exception, which gives a way out, but only if the Push Notification content is “related to the content of the app”; i.e., parents only need to give their email address as part of agreeing to receive Push Notifications instead of giving explicit consent for Push Notifications. If the parent has already provided an email earlier, then this could work. Otherwise, asking for an email as part of the Push Notification prompt is a bad user experience in my mind.

In summary, Push Notifications and COPPA don’t sit well together.

But there’s a way out — the above applies only to Remote Push Notifications and not to Local Push Notifications (because for local push notifications, the App Server does not need to know the persistent identifier). Aha!!!

Here’s how we finally implemented it in our App:

Quick Background: We don’t collect any emails etc. in our app beforehand, so we don’t have any information about our end users. Our app assigns each app installation a random user-id, which is communicated back to our server. If the user updates the app version, the user-id remains the same. However, if the user deletes and re-installs our app, they get a new user-id.

We present the user with a Push Notification request (without asking for any email). When the user agrees to receive Push Notifications, we let our backend server know about the user’s decision.

Our server then sends notification content through the regular Server-App connection. The App processes that information and schedules it as local notifications (on iOS, look for UNNotificationRequest; detailed discussion here. For Android, look for the Notification object; detailed discussion/user guide here).
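As an added example (not the Leela Kids code), here is the client side of this scheme sketched in Swift: the app asks for notification permission, pulls notification content from the app server over its ordinary API using only the random installation id, and schedules each item with UNNotificationRequest, so the APNs device token is never needed by the server or sent anywhere. The endpoint path, the JSON shape and the `installId` storage are assumptions.

```swift
import Foundation
import UserNotifications

// Constructed JSON shape for what the app server returns over the ordinary
// app-to-server connection (an assumption, not the real API). No APNs token is
// involved: the only identifier sent upstream is the app's random install id.
struct EpisodeNotice: Decodable {
    let id: String        // stable id so a re-fetch replaces, not duplicates
    let title: String
    let body: String
    let deliverAt: Date   // when the app should surface it locally (ISO 8601)
}

final class LocalNoticeScheduler {
    private let center = UNUserNotificationCenter.current()
    private let installId: String   // random per-install id the app already stores
    init(installId: String) { self.installId = installId }

    /// Step 1: the permission prompt. No e-mail is requested; the server learns
    /// only the yes/no decision (reported elsewhere by the app), never a token.
    func requestPermission(onDecision: @escaping (Bool) -> Void) {
        center.requestAuthorization(options: [.alert, .sound]) { granted, _ in
            onDecision(granted)
        }
    }

    /// Step 2: pull pending notice content from a hypothetical endpoint and turn
    /// each item into a local notification.
    func fetchAndSchedule(from baseURL: URL) {
        let url = baseURL.appendingPathComponent("notices/\(installId)")
        URLSession.shared.dataTask(with: url) { data, _, error in
            guard let data = data, error == nil else { return }
            let decoder = JSONDecoder()
            decoder.dateDecodingStrategy = .iso8601
            guard let notices = try? decoder.decode([EpisodeNotice].self, from: data) else { return }
            notices.forEach(self.schedule)
        }.resume()
    }

    private func schedule(_ notice: EpisodeNotice) {
        let content = UNMutableNotificationContent()
        content.title = notice.title
        content.body = notice.body
        // Time-interval triggers need a positive interval; past dates fire almost at once.
        let seconds = max(notice.deliverAt.timeIntervalSinceNow, 1)
        let trigger = UNTimeIntervalNotificationTrigger(timeInterval: seconds, repeats: false)
        let request = UNNotificationRequest(identifier: notice.id, content: content, trigger: trigger)
        center.add(request) { error in if let error = error { print("schedule failed: \(error)") } }
    }
}
```

Because the request identifier comes from the server, polling the endpoint again overwrites an already-pending notice instead of stacking duplicates.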

It makes the overall process of sending/showing notifications somewhat complicated and indirect, but we figured this was the best solution keeping in mind both the law and the user experience.

Curious to know if you have a better solution.

--

Sandeep Jain

Co-founder / CEO of MonetizeNow.io — Building an Enterprise Monetization Platform | Creator of Leela Kids App | Coder | Like to work on diverse hard problems