Ensuring COPPA Compliance in Mobile Applications
COPPA (Children's Online Privacy Protection Act) is a US law protecting children under 13. If an app targets a child audience or "knows" about users under 13, the FTC requires: no behavioral ads, no personal data collection without verified parental consent, and no third-party data transfers.
The App Store and Google Play themselves require COPPA compliance when an app is given a "4+" / "Everyone" rating. But App Review doesn't check the actual technical implementation, so the risk stays with the developer.
What's Forbidden Without Verified Parental Consent
- Collecting the child's name, address, email, phone or geolocation
- Behavioral ads (AdMob, Meta Audience Network)
- Transferring the Advertising ID (GAID / IDFA), even for analytics
- Publishing the child's content (photos, text, audio) in any form
- Notifications aimed at retaining the child in the app
Technical Implementation
Disabling Ad SDKs
The Google Mobile Ads SDK supports child-directed treatment:

    import com.google.android.gms.ads.MobileAds
    import com.google.android.gms.ads.RequestConfiguration

    // Mark every ad request as child-directed and under the age of consent.
    val requestConfiguration = RequestConfiguration.Builder()
        .setTagForChildDirectedTreatment(RequestConfiguration.TAG_FOR_CHILD_DIRECTED_TREATMENT_TRUE)
        .setTagForUnderAgeOfConsent(RequestConfiguration.TAG_FOR_UNDER_AGE_OF_CONSENT_TRUE)
        .build()
    MobileAds.setRequestConfiguration(requestConfiguration)

Once this configuration is set, AdMob doesn't show behavioral ads and doesn't collect personal data for profiling. Similarly for Meta Audience Network: AdSettings.setDataProcessingOptions(new String[]{"LDU"}, 1, 1000).
Important: set these flags before the first ad request, not after.
Age-Gated Content and Age Verification
COPPA doesn't require perfect verification; "reasonable efforts" suffice. A standard implementation:
- On registration, ask for the birth date
- If age < 13, require the parent's email
- Send the parent an email with a description of the data collection and a confirmation link
- Until confirmation, collect no data except the parent's email
The FTC recognizes the "email-plus" method as acceptable for most apps. High-risk apps (communication apps, content publication) need stricter verification via credit card or video chat.
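
    import Foundation

    // showParentalConsentScreen(), analyticsManager and consentManager are the app's own components.
    func handleAgeVerification(birthDate: Date) {
        // Age in full years; if the calculation fails, fall back to 0 so the
        // user is treated as a child rather than as an adult.
        let age = Calendar.current.dateComponents([.year], from: birthDate, to: Date()).year ?? 0
        if age < 13 {
            // Show parental consent screen
            showParentalConsentScreen()
            // Block all analytics SDKs
            analyticsManager.setChildMode(true)
        } else if age < 16 {
            // GDPR child protection (EU)
            consentManager.requireParentalConsentForEU()
        }
    }
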
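The email-plus steps above, sketched for the server side in Python as an added example (not code from this page): an HMAC-signed, expiring confirmation link and a gate that stores nothing but the parent's email until the parent confirms. The Account class, the token format, the seven-day link lifetime and the demo key are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from datetime import date

SECRET = b"constructed-demo-key"   # constructed; load from a secret store in practice
TOKEN_TTL = 7 * 24 * 3600          # assumed link lifetime, not a COPPA figure

def age_on(birth: date, today: date) -> int:
    """Age in full years; the tuple comparison handles 'birthday not reached yet'."""
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))

def _mac(child_id: str, parent_email: str, expires: int) -> str:
    # JSON list encoding keeps field boundaries unambiguous before signing.
    msg = json.dumps([child_id, parent_email.lower(), expires]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(child_id: str, parent_email: str, now: int) -> str:
    """Token for the confirmation link, bound to child, parent address and expiry."""
    expires = now + TOKEN_TTL
    return f"{expires}.{_mac(child_id, parent_email, expires)}"

def verify_token(token: str, child_id: str, parent_email: str, now: int) -> bool:
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    good = _mac(child_id, parent_email, expires)
    return hmac.compare_digest(sig.encode(), good.encode()) and now <= expires

class Account:
    def __init__(self, child_id: str, birth: date, today: date):
        self.child_id = child_id
        self.is_child = age_on(birth, today) < 13
        self.parent_email, self.consented = None, False

    def may_store(self, field: str) -> bool:
        """COPPA gate only: before consent a child account keeps just parent_email."""
        return (not self.is_child) or self.consented or field == "parent_email"

    def confirm(self, token: str, now: int) -> bool:
        # Called when the parent opens the emailed link.
        if self.parent_email and verify_token(token, self.child_id, self.parent_email, now):
            self.consented = True
        return self.consented

    def revoke(self) -> None:
        self.consented = False  # parent withdrew consent; the gate closes again
```

Every write path for a child account should call may_store() first, so that a forgotten SDK hook or form field fails closed.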
Data Minimization
In child mode the app collects only what's absolutely necessary for it to work:
- Persistent ID for progress sync: only after parental consent
- Analytics: aggregated only, no User ID
- Crash reports: without any user identifiers
Firebase Analytics in child mode: call Analytics.setUserID(nil) and disable all custom events that carry PII.
Parent Notification and Deletion Rights
A parent has the right to:
- Get information about the child's collected data
- Request data deletion
- Revoke consent
In the app: a feedback form with an "I'm a parent" indication, verification (a repeat email to the parent's address) and request processing within 45 days.
Google Play Families Policy
Google added its own requirements on top of COPPA: the Google Play Families Policy. For child-targeted apps:
- All ad networks must be from the Pre-approved list
- Can't use in-app purchases without explicit parental controls
- Can't collect data outside the app
- Can't request system permissions not necessary for the core function
AdMob with TAG_FOR_CHILD_DIRECTED_TREATMENT_TRUE is on the approved list. Meta Audience Network is not, so it can't be used in kids' apps even with the right flags.
Timeline
Basic COPPA implementation (SDK disable, age gate, email-based parental consent): 2–4 days. Full compliance with a Families Policy audit, parent DSAR workflow and docs: 1–2 weeks.







