Kids’ privacy rules kick in July 1: what it means for the app industry

Mobile app makers that target children may not be ready for new privacy rules, which go into effect on Monday and can impose penalties of up to $16,000 per violation. The rules update a federal law known as COPPA, and require kids’ app makers to get parents’ permission before collecting even the most basic data — a challenging situation for many app makers that supply apps for free and use data to attract advertisers.
According to a new Wall Street Journal investigation into dozens of popular kids’ apps, many of the apps are still collecting data from children directly or via third parties like ad networks or analytics companies such as Flurry.
To avoid violating the COPPA rules, many of the app makers may have to unplug these services by Monday. The other alternative is to comply with a strict permission regime that require a parent to authorize a child joining a social network, or sharing data like first and last name, street name or photographs. The rules also require kid-targeted apps and websites to post privacy policies.
The updated rules coincide with concern over “bait apps” (which can induce kids into spending hundreds of dollars on items like digital fish — leading Apple(s aapl) to pay a legal settlement) and over app makers who encourage kids to share information like their email address or location. One of the most egregious violations occurred last year when social network Path scraped the address books of more than 3,000 children under 13, and collected their photos, precise location and written “thoughts.” The FTC responded by fining Path $800,000.
While the COPPA rules to protect children’s privacy have been around since 1998, the FTC issued an amended rule in December to increase their scope and specifically target app makers. A guide to the update explains “that¬†younger children are particularly vulnerable to overreaching by marketers” and makes clear that COPPA now covers app “plug-ins” that suck data from the app as well as ad networks.
While the rules about collecting data from children are clear-cut, there are gray areas over which apps or websites are affected by them. What, for instance, is an app targeted to children? According to the FTC, the agency will consider things like visual content, the use of animated characters and the presence of child celebrities.
The rules may be popular with parents, but some in the tech community have complained they will hurt business and provide fodder for opportunistic privacy groups and their lawyers.
Apps and websites that are primarily geared at teens and adults will not be affected by the new rules, even if those under 13 do sign on to their sites. In the case of children who lie about their age to get on a site like Facebook(s fb), the company will be held liable only if they had actual knowledge that the user is not 13.
Correction: an earlier version of this story stated that the updated rule was passed by Congress; the FTC issued the new rule.