Many developers began holding their breath when changes to COPPA, the federal rule related to children’s online privacy, went into effect in July. Pretty much every app catering to children under 13 was in violation of the law, complained people across the software industry, and it was only a matter of time before the federal government would start handing down big fines.
Four months later, developers are still waiting to exhale. The Federal Trade Commission, which enforces the law, says it has not gone after anyone for violating its new provisions, but this doesn’t mean that everyone suddenly figured it out. Many developers are still at a loss: not only are they not complying with the law, they don’t even really know how to do so.
Companies in this situation aren’t dying to talk. No one wants to openly acknowledge a failure of compliance with rules, and there’s little to be gained by criticizing an effort to protect children’s privacy. Ask about other people’s apps, however, and people are more forthcoming. ”The universal characteristic of these developers that we work with is that they are even further behind than the FTC thinks,” says Matt McDonnell of Famigo, which operates a rating service for children’s apps.
A major sticking point is the counterintuitive requirement that developers actually collect more information about the users whose privacy is at stake. In the past, many developers of kids’ apps just wouldn’t collect any information on their users. But now companies have to determine which of their users are under 13 and get their parents to sign off on their privacy policies. This is basically impossible, says Tim Sparapani, head of governmental relations for the advocacy group App Developers Alliance.
Roy Smith disagrees. On Tuesday he launches AgeCheq, a product for developer who don’t have a good way to get verified parental permission on their own. With a few lines of code from AgeCheq that developers can add to their apps, parents can see exactly what information is being shared and give their permission to do so. Until a parent has signed off, an app using AgeCheq simply won’t work.
The process is a reminder that it’s not that easy to verify someone’s identity online. The first time a parent verifies his identity on a new device, he has two choices: fill out an actual paper form with identifying information, sign it, and mail it or fax it to AgeCheq; or pay $10 to run through a series of questions similar to those that you have to answer when requesting a credit report. Once AgeCheq is satisfied that the parent is real, it assigns parental password. Then, for each app using the verification code, the parent can enter the password and activate the app for a child—unlocking as well maybe six merciful minutes of peace and quiet before the child gets bored.
Even this elaborate process might fall short of the law. Once kids figure out how to game this system, the outmaneuvered developers would be liable for interacting with them without parental consent. Still, says Sparapani, it’s the best solution anyone has come up with. ”Using AgeCheq you have gotten as close to verifiable identity as possible,” he says. “But there is no certitude there.”
Smith has applied for Safe Harbor status with the FTC—the agency’s acknowledgement that a particular system is an honest attempt to be in compliance with the law. There are currently no systems that the agency has said meet this standard for parental disclosure. A public comment period for two other systems—Imperium and kidSAFE—ended Monday.
AgeCheq isn’t charging developers who use it. Ironically, the company’s business model is based on collecting user data—stripped of personally identifiable information, Smith insists. If the product catches on, this data could be valuable: having information about how every children’s app is used is something developers would pay for. ”We are going to know an awful lot of information about what games kids of a certain age are playing,” says Smith.
Of course, that requires app developers to start trying to comply with the changes to the law. The best way for that to happen, says Smith? A few hefty fines. ”My fear while I was creating this over the last six months was that someone was going to get fined and I wasn’t going to be ready,” he says. “Now I’m ready for someone to get spanked.”
