10 Things EVERY Developer Should Know Before July 1st

Understanding the rules

1. Did you read it

This seems obvious, but have you read the revised rule yet? It might look big and scary at first, but it’s not rocket surgery — anyone who can develop their own application can grasp the content of the revised COPPA Rule.

2. Does the rule apply to you?

Ask yourself this question: Am I operating a child-directed website or service, or do I have actual knowledge that I’m collecting, using, or disclosing personal information from a child under 13 years of age? If you have any doubt, the smart bet is to assume COPPA applies to you and read on.

3. Do you collect personal information?

According to the COPPA Rule, “Personal information is individually identifiable information about an individual collected online.” Sure, this definition is tautological, but the rule provides clarification by listing 10 kinds of personal information in the definitions of §312.2. The general idea is that personal information is any information that can be matched to a single person. Phone numbers and email addresses are obvious examples, but it’s worth going through the whole list to determine if you collect personal information, as the definition has expanded.

4. What do you collect?

It’s time to compile an exhaustive list of all the information you collect. Remember that feature you built, but never used? Make sure it isn’t still collecting information. Figuring out what you collect is perhaps the most important part of your own COPPA audit. Leave no stone unturned. After all, there’s still time to clean up your act before July 1.

5. What do you need to collect?

Now that you know what you collect, it’s time to understand why you collect it.

It’s useful to divide all the information you collect into two categories: information for the support of internal operations (defined in §312.2) and information that is disclosed to third parties. If it’s for the support of internal operations (e.g. collecting data to optimize product features) make sure you’re using the data and storing it securely. If you don’t use it, stop collecting it. If the information is disclosed to third parties, ask yourself why you’re disclosing that data in the first place. In the general interest of protecting children’s privacy, disclosure of this data should be carefully and rigorously scrutinized.

Disclosure

The primary goal of COPPA is “to place parents in control over what information is collected from their young children online.” In order to accomplish this task, it’s important for developers to think carefully about how they communicate with parents and what they communicate to parents in order to meet this goal.

6. Do you have a privacy policy?

The first step in effectively communicating with parents is to have a well-written privacy policy. This can seem like a daunting task to non-lawyers, but there are plenty of good resources to help you out.

Here are a few tools to help you get started:

• Generate Privacy Policy.com
• Better Business Bureau Start With Trust
• Rocket Lawyer

We also recommend looking at the privacy policies of developers who are doing similar work or offering similar services. What’s more important than perfect legalese is honesty and transparency.

7. How are you going to provide notice of your privacy practices?

Congratulations, you now have your very own privacy policy! Now, how are you going to tell parents about your data collection, use, and disclosure practices? The California Attorney General provides some really good guidance in Privacy on the Go: Recommendations for the Mobile Ecosystem — and as always, reread the rule.

8. Have you read the FAQ?

I’m willing to bet that you probably have questions at this point. The good news is that you’re not alone. In May the FTC released a set of FAQs to address the most common and vexing questions they had received in the months since the amended rule was released. The good news is that you’ll probably find some clarification to your questions, but be prepared to add some items to your to-do list as well.

Iteration

Developers are certainly not strangers to constant product iterations and you should get used to thinking of your privacy-related activities the same way. Children’s privacy is very important, and if you take your obligation seriously, it will require constant refinement.

9. Have you considered getting a second opinion?

Even if you consider yourself a technology and privacy guru, it’s always nice to have someone else tell you that you’ve gotten it right. There are lots of companies out there that offer a range of consulting and certification services and you can always ask your attorney. With lots of choices, make sure that you identify someone who fits your needs. The prospect of finding yourself on the wrong side of the law and the FTC is scary, but especially for small developers, it’s worth thinking about whether you’re committing too many resources to certify your compliance when you’re already following all the rules.

You might find it useful to look into the Kidsafe Seal. The KidSAFE Seal Program awards websites and technologies the “KidSAFE Seal” if they are in compliance with the five “core safety rules”:

1) Safely-designed chat and community features (if any exist)
2) Rules and educational info about online safety
3) Procedures for handling safety issues and complaints
4) Parental controls over child’s account
5) Age-appropriate content, advertising, and marketing

Other resources include COPPA Safe Harbor Programs. The following FTC-approved safe harbor programs provide businesses with the ability to self-regulate when it comes to COPPA compliance:

• Truste
• Privo
• ESRB
• Aristotle
• CARU

10. What’s next?

Not only should you constantly iterate on your own, but you’ve just gotten a second opinion from an expert. And experts, by their very nature, earn their keep by having opinions and suggestions, so it’s probably time to return to an earlier step and resume the process.