Are Popular Apps for Children COPPA Compliant?

By Tanunnut Suebsang

October 1, 2021

Apps are a part of our daily lives. However, convenience may come at the cost of online safety. While this is unfortunate, it is not uncommon. This in turn impacts vulnerable groups, one of the most vulnerable being children. Research conducted by Savanta shows that 84% of parents are worried about their child’s online safety. In an earlier article on online data protection for minors, we elaborate more about why children are extremely vulnerable. Fortunately, one way the law has our backs is through the implementation of privacy policies. Currently, The Children’s Online Privacy Protection Act (COPPA), which is based in the US, is the only privacy policy directly associated with children. COPPA keeps companies in check about their online services if they are related to children under the age of 13 residing in the US. 

Guidelines

Using the guidelines detailed in “A Guide to Privacy Policies for Minors,” by the Federal Trade Commission (FTC) and Common Sense Media’s Privacy Program this article will analyze three popular children’s apps targeted for Americans aged 4 and up.

  • Clarity: Easy for everyone to understand.
  • Transparency and data use: What the data collected includes and reasons for collecting the data.
  • Data sharing: Mostly related to third parties and what they do with the shared data.
  • Parental rights: Notifying parents about their data collection practices and giving parents the right to review/edit their child’s personal information.
  • Reasonable collection: Companies will minimally collect data.

YouTube Kids

YouTube is undeniably a popular app, over 2.3 billion people access YouTube once a month. However, due to its wide variety of content, there are concerns about young children using it. To combat this, YouTube developed YouTube Kids, a subsidiary branded as “a safer online experience for kids.”

  • Clarity
    • Language is consistent with other company’s privacy policies, and also includes a section specifically addressing children. However, compared to the others, its structure may be hard to follow due to lack of formatting, like headings or bulleted lists.
  • Transparency and Data Use
    • What is collected: device types and settings, device Internet protocol (IP) address, log information, unique application numbers, unique identifiers and app activity. If you choose to sign in, it will also collect your Google account’s personal information.
    • How data is used: “internal operational purposes” to personalize content, and provide contextual advertising.
    • Pros:
      • Lists date last updated and company’s contact information.
      • Provides notice of changes and comes in multiple languages.
      • Does not require signing in.
      • If you clear the watch and search history, your data will not be stored.
      • Interest-based advertising or remarketing is not allowed.
    • Cons:
      • Notice of changes are only provided “whenever reasonably possible.”
      • Examples provided only cover a portion of what information they collect.
      • IP address enables YouTube to collect geolocation data.
  • Data Sharing
    • Shared information: If given parental consent, individual user information may be shared to third parties. Legally, if there is a reasonably necessary reason, they may disclose user information. For external processing, user information may be shared amongst affiliates or trusted businesses.
    • How data is used: analytics, legal reasons, and external processing.
    • Pros:
      • Collection purposes are listed.
      • External processing sharing will go through appropriate confidentiality and security measures.
      • Children cannot share personal information with third parties.
    • Cons:
      • Data collection is used for analytics.
      • Unclear whether users personal information is collected by third parties.
      • Unclear how long data is stored by third parties.
      • Unclear what will be done if there is misuse of information.
  • Parental Rights
    • Parents have the control of consent to share to third parties.
    • Parents can review their child’s personal information and edit it.
    • Parental access to watch and search history, and ability to clear it.
    • Keep in mind: it is unclear if parents can customize their child’s preferences in a signed out state.
  • Reasonable Collection
    • Data collection is limited to what the product requires and can be deleted.

Overall review: YouTube Kids complies with COPPA in regards to parental verification and being comprehensive. However, there are also a lot of unclarified uses of data from Google itself and third parties.

Messenger Kids

Generally, most social media messaging platforms are not meant for younger children. One way younger children can participate in instant messaging is through Messenger Kids. Messenger Kids is a subsidiary of Facebook, which boasts more than 7 million monthly active users. 

  • Clarity
    • Messenger Kids uses plain language seen amongst most privacy policies and is visually formatted in a way that creates clear structure.
  • Transparency and Data Use
    • What is collected: user account details, usage analytics, contacts, surveys, message content, and user device information.
    • How data is used: enabling communication, personalizing content, enhancing app services, communicating with both parents and children, and improving security and safety.
    • Pros:
      • Lists date last updated and company’s contact information.
      • Provides notice of changes and requires parental review.
      • Policy comes in multiple languages.
      • Data will be deleted when no longer necessary to provide services or if the account is deleted.
    • Cons:
      • IP address allows Messenger to collect geolocation data.
      • Unclear what personal information is not collected.
  • Data Sharing
    • Shared information: user’s contacts, parents/guardians, user’s contacts’ parents/guardians, Messenger’s vendors and service providers, Facebook companies, new owners and law enforcement has access to the collected data.
    • How data is used: enabling communication, parental access and other app services, technical support and customer services, cross-service communication support and legal cooperation.
    • Pros:
      • Indicates which third parties have access to user data as well as their purposes.
      • Data is not sold to third parties.
      • Data can be deleted from a third party if there is misuse.
    • Cons:
      • Data collection is used for analytics.
      • Unclear advertising policies.
      • Categories of third parties are stated but are not named, and thus those companies privacy policies are unknown.
  • Parental Rights
    • Parents can review privacy policy updates and determine continued use.
    • The “parent dashboard” allows parents to edit their child’s profile, control communication, edit their contact list, what personal information their child shares and other permissions.
    • Ability to report suspicious activity and be notified if the child reports it.
    • Keep in mind: even if accounts are deleted, any messages sent or received by the child will still be accessible to other users who can share it through downloads or screenshots.
  • Reasonable Collection
    • Facebook specifies that they “store information until it is no longer necessary to provide our services, or until your child’s account is deleted, whichever comes first.”

Overall review: Messenger Kids complies with COPPA in regards to transparency and parental rights. However, third party information related to advertising and names of companies are not explicitly mentioned.

Elmo Loves ABCs

Education is an important part of child development, and there have been many apps made to educate children. One of which is Elmo Loves ABCs, one of the apps developed by the popular Sesame Street franchise. Since it was established, Sesame Street has been seen by over 80 million Americans. With this app, children can learn about the alphabet through videos, colors, etc. 

  • Clarity
    • Elmo Loves ABCs privacy policy falls under the “Sesame Workshop” privacy policy. The privacy policy uses plain language and has a clear structure based on visual formatting.
  • Transparency and Data Use
    • What is collected: personal information (optional) and anonymous information automatically collected from cookies–information that a website/app transfers onto a system’s device.
    • How data is used: supporting the internal operations of the platform.
    • Pros:
      • Lists date last updated and company’s contact information.
      • Notices of change or data breach are provided.
      • Personal information submission is mostly optional. Otherwise, apps will explain for what reasons information is being collected.
      • No behavioral advertising on platforms.
      • Personal information is not made publicly available.
    • Cons:
      • IP address allows Sesame Workshop to collect geolocation data.
      • If users chose to opt out of cookies then some app services may not work.
      • Security measures do not guarantee information will be deleted
  • Data Sharing
    • Shared information: third-party analytical tools have access to information, law enforcement, business transfers and other service providers.
    • How data is used: managing internal operations and analytics.
    • Pros:
      • There are contractual limits on third-party data use.
    • Cons:
      • Data collection is used for analytics.
      • Third party platforms may be linked and once users go to the links, Sesame Workshop is not responsible for users personal information.
  • Parental Rights
    • Parents will be asked for consent when personal information is requested.
    • Parents can contact Sesame Workshop to review, update or delete personal information and select that no more personal information be collected.
    • Keep in mind: parents need to be wary of anything that falls within an exception of COPPA.
  • Reasonable Collection
    • Compared to the other apps, Sesame Workshop is unclear about how long they store user data and if the user’s data is deleted after they delete the app.

Overall review: Sesame Workshop complies with COPPA basic needs, such as ads and data use. However, their data sharing and storing section is less clear than other policies.

While COPPA is a standard that companies should adhere to, it is not able to prevent all malicious data collection. Privacy policies, as seen above, can be unclear. Additionally, our previous article details more incident cases and the shortcomings of COPPA. While COPPA does have room for improvement, companies should also consider implementing humanID. humanID is a one click anonymous single sign-on (SSO) which creates a unique identifier through SMS and does not store any personally identifiable information. While humanID does not serve as a substitute for adhering to COPPA, it can serve as an additional security measure for a safe online experience.

Submit a Comment

Optional: Notify me of follow-up comments by email. Requires for your email to be stored by the site admin