Usually, developing a mobile app comes with a long list of legal requirements, but if your app is aimed at children, the list gets even longer.
Children's programs that collect personal data are usually subject to privacy laws. For example, in the US it is the Children's Online Privacy Protection Act (COPPA) of 1998; in Europe it is the General Data Protection Regulation (GDPR) of 2018. These laws apply differently depending on each user's country of residence, but both include strict child protection rules.
The development of applications for children is a trend that is growing at an unprecedented rate today. Children are more and more interested in online games, and application owners are getting more and more profit from child users. At the same time, many apps aimed at children violate privacy laws.
The Privacy Act says you can't collect data about children without their parents' or guardians' permission and gives guidance on what you can and can't do with their data once you get it.
The main violations are:
· Sharing contact or location information without consent.
· Sharing personal information without security measures.
· Sharing persistent identifiers for prohibited ad targeting (and other purposes).
· Ignoring contractual obligations to protect children's privacy.
Some app makers say: "It doesn't apply to us. We don't sell to children, and we can't help it if children use our app." However, these developers should be aware that if children use an application, its developer must comply with the rules for handling children's personal data, even if children do not make up the vast majority of its users.
Google and Apple, the two biggest app stores, are increasingly taking steps to enforce privacy laws among developers who put apps on their marketplaces. If you want your app to stay online, you need to meet app store requirements.
Any privacy law is a data protection initiative aimed at encouraging transparency and accountability between data processors. It adds special safeguards for children, including the need to create a privacy policy that your youngest users can understand.
In fact, there aren't many technical differences between creating an app for kids and a regular app.
As a responsible developer, you should be guided by security principles, not security as a feature, and always include a Privacy Policy that states:
• What data you collect.
• How you collect data.
• Your legal basis for data collection.
• How you store data.
• Whether you share data.
• When you delete data.
These points are important for all programs, but they are especially important when you are working with children's data.
Developers who collect children's information must:
• Designate someone responsible for security.
• Audit and inventory the data you collect and store.
• Recognize the difference between platforms.
• Add security features that support the platform's built-in security.
• Never store passwords publicly.
• Use encryption.
• Protect servers.
First, consent must be obtained before collecting any data from children. Next, you will need to include some specific provisions in your Privacy Policy.
These provisions include a clear description of opt-out methods, as well as a description of parental rights. And if your app is available in European app stores, then you need to provide the policy in child-friendly language to comply with GDPR requirements.
If you've built other GDPR-compliant apps or sites, you know that consent standards are changing. You can no longer simply assume consent. You must actively request it, record it, and then provide mechanisms for data subjects to withdraw it. It's the same when you process children's data.
To process data about children, you need the consent of their parents or guardians. And you need to verify that consent.
Take the Lego Life app (for Android) as an example.
The Lego Life game is positioned as a safe social media space for children. Lego Life allows kids to download it and choose an avatar without providing any data. This app differs from other apps in that it does not require immediate parental consent. Children can easily go to the main page, choose an avatar, and enter a username.
However, Lego's home screen displays a pop-up that says "Captain's Safety," aimed at kids. As soon as kids want to log in or perform any action that requires them to provide data, Lego automatically redirects them from the app to the parental control system.
After you click "I'm a parent," you'll be taken to an authentication page that uses the parent's email address to verify age.
Such a system allows children to open an app, but requires a parent to intervene before an account can be officially created and saved.
Special privacy provisions are required for applications for children
Traditionally, the Policy should include:
• What personal information you collect.
• How you use it.
• Whether you disclose data.
These are the standard provisions of the Privacy Policy. However, the Children's Program Policy should also include:
• Parental rights/data access.
• Procedural messages.
For example, Facebook Messenger Kids' privacy policy includes a section that lets parents learn how they can manage and remove their children's information from Facebook.
Facebook tells parents that they can manage or remove their child's information by deleting their Messenger Kids account, and makes it clear what gets deleted and what doesn't. Deleting an account deletes activity, contact, and device information, as well as registration information.
By giving parents multiple ways to control their children's information, the company makes it easy for parents to step in and make important decisions that children can't make.
Apple and Google also ask developers to keep children in mind when developing programs. Apple, for its part, recognizes the role of parental controls and the need for personal responsibility on behalf of parents but asks developers to also help Apple protect children.
If you want to list your app in the "Kids" category in the Apple App Store (which you do if your app is intended for children), then you must:
• Keep links and purchases under parental control.
• Comply with applicable privacy laws.
• Do not send personal data or device data to third parties.
Google Play Store requires the same. Additionally, Google provides a helpful list of common violations among apps applying for the Families program:
• Glamorizing the use of alcohol or drugs.
• Use of gambling simulations.
• Adding inappropriate, violent content.
• Displaying ads for adults.
The best way is to follow the GDPR data minimization principles. Don't collect data you don't need - especially from children - and be clear about what data you have, what you do with it and how to delete it.
Remember that both Apple and Google are now increasingly looking for programs that violate the law. Therefore, it is in your best interest to ensure that you meet privacy standards before submitting your application to any platform.
If you have any questions about the legal requirements for hosting applications, please contact Avitar.
Contact us:
business@avitar.legal
Serhii Floreskul, Violetta Loseva