Melissa Juan – Director of Mobile Product Management | TRUSTe
The recent changes to the COPPA (Children’s Online Privacy Protection Act) rule put out by the FTC attempt, in part, to address the confusion over who is really responsible for COPPA compliance, given that most digital properties are composed of content or ads served by third parties. According to the amended rule, the onus is on the operator to comply. Operators, in this case, are companies that offer online services directed towards children or directly collect personal information from children. Operators are typically first parties that include brands or publishers, but to complicate that statement further, the COPPA changes state:
“…the definition of a website or online service directed to children is expanded to include plug-ins or ad networks that have actual knowledge that they are collecting personal information through a child-directed website or online service.”
This means third parties are indeed responsible, provided that they have “actual knowledge”. There are two cases where third parties can obtain this knowledge. One way is for the publisher to directly communicate the nature of their online service to all its partners and vendors. Another way is for a representative from the third party to deem the site and/or app child directed after observing messaging, images and other artifacts that would appeal to just children. In the mobile gaming world, there can be some blurred lines with the second method.
This comes from the OpenRTB Specification, which is a protocol for communicating between the players of the ad ecosystem – SSPs, DSPs, ad networks, ad exchanges and data platforms. The spec defines a user object, which contains information about the end user of a device or desktop that can be passed to a third-party content provider, advertiser and the like. It helps them determine what should be displayed to the end user. By passing another piece of information, for example a COPPA flag (i.e. COPPA=Y in the buyerID field) stating that the embedding site is compliant with the rule, third parties can choose more appropriate content, making a better experience for young audiences. Using existing ad tags to receive this signal also creates efficient bidding in the exchange due to more accurate targeting.
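How a receiving party might act on this signal, as an added example (not from the original post or from TRUSTe): a Python filter that recognises the COPPA flag and strips user and device identifiers from a bid request before any targeting logic sees it. Mapping the post's "buyerID field" to `user.buyeruid`, also honouring `regs.coppa` (defined in OpenRTB 2.2 and later), and the choice of fields to drop are assumptions; the sample request is constructed.

```python
import copy
import json

# Fields that can identify or locate an end user. Names are from OpenRTB 2.x;
# which of them to drop for child-directed traffic is this example's assumption.
USER_PII = ("id", "buyeruid", "yob", "gender", "keywords", "geo", "data")
DEVICE_PII = ("ifa", "didsha1", "didmd5", "dpidsha1", "dpidmd5", "ip", "ipv6", "geo")


def is_child_directed(req):
    """True if the bid request carries a COPPA signal in either form."""
    # Form described in the post: COPPA=Y in the user object's buyer ID
    # (mapped here to user.buyeruid, which is an assumption).
    buyer = str(req.get("user", {}).get("buyeruid", ""))
    if buyer.replace(" ", "").upper() == "COPPA=Y":
        return True
    # Form defined by OpenRTB 2.2 and later: regs.coppa = 1.
    return req.get("regs", {}).get("coppa") == 1


def sanitize(req):
    """Return a request that is safe to hand to targeting code."""
    if not is_child_directed(req):
        return req
    clean = copy.deepcopy(req)  # never mutate the caller's copy
    for key in USER_PII:
        clean.get("user", {}).pop(key, None)
    for key in DEVICE_PII:
        clean.get("device", {}).pop(key, None)
    # Dropping buyeruid removes the flag, so normalise to one signal.
    clean.setdefault("regs", {})["coppa"] = 1
    return clean


# Constructed sample request (not real traffic).
SAMPLE = {
    "id": "req-1",
    "app": {"bundle": "com.example.kidsgame"},
    "device": {"ifa": "00000000-0000-0000-0000-000000000000", "os": "iOS",
               "geo": {"lat": 0.0, "lon": 0.0}},
    "user": {"buyeruid": "COPPA=Y", "yob": 2005},
}

if __name__ == "__main__":
    print(json.dumps(sanitize(SAMPLE), indent=2))
```

Running the filter at the point where requests enter the system, rather than inside each consumer, keeps identifiers from child-directed inventory out of logs and profile stores as well.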
In the case of mobile apps, understanding the end user of a device can be more challenging. We live in a digital age, where children are more tapped into technology than ever before and devices are ubiquitous in day-to-day life. Children may not own their own smartphones or tablets, but the vast majority of apps and media are targeted for young users’ consumption. A friend told me that her son (who confessed that he loved the iPad more than his father) downloaded a seemingly harmless game. She noticed that inappropriate ad images were being displayed so she immediately removed it from her device. Something the app developer could do is pass the COPPA signal via an existing SDK, i.e. an SSP SDK. This mechanism is specific to native mobile apps and is also already used for online behavioral advertising practices. At the time the app is initiated, it could transmit a signal to the third parties in the ad exchange.
Another avenue that app developers can take to ensure their COPPA compliance is communicated is app monitoring and assessment. These types of services audit the activity of the app, including any data collection and transmission to third parties, as well as external calls made by the app. This type of assessment can ensure compliance with self-regulatory governance such as COPPA and CalOPPA and create an insightful report, which can be used as a tool to communicate to all partnering companies who may collect and pass data from children using the app. Each time an update is made to the app, the monitoring service can run a report and alert first parties to communicate COPPA compliance to partners so that they send appropriate content and ads.
SDK work flow
TRUSTe also brings TRUSTed apps to the mobile industry, offering services that analyze app data collection practices, third party sharing for contractual provisions and data governance policies. An enterprise version of this service additionally evaluates security and malware scanning of the app. Raising the COPPA flag doesn’t require any heavy engineering or additional load to your site and/or app. TRUSTe can provide the technology solutions to make it happen today. It simply makes for a better, safer environment for all kids.