Raising the COPPA flag for third parties

Melissa Juan – Director of Mobile Product Management | TRUSTe

The recent changes to the COPPA (Children’s Online Privacy Protection Act) rule put out by the FTC attempt in part to address the confusion over who is really responsible for COPPA compliance, given that most digital properties are comprised of content or ads served by third parties. According to the amended rule, the onus is on the operator to comply. Operators, in this case, are companies that offer online services directed towards children or directly collect personal information from children. Operators are typically first parties that include brands or publishers, but to complicate that statement further, the COPPA changes state:

“…the definition of a website or online service directed to children is expanded to include plug-ins or ad networks that have actual knowledge that they are collecting personal information through a child-directed website or online service.”

This means third parties are indeed responsible, provided that they have “actual knowledge”.  There are two cases where third parties can obtain this knowledge.  One way is for the publisher to directly communicate the nature of their online service to all its partners and vendors.  Another way is for a representative from the third party to deem the site and/or app child directed after observing messaging, images and other artifacts that would appeal to just children.  In the mobile gaming world, there can be some blurred lines with the second method.

A developed flagging system to signal third parties would be much more scalable for the industry than manually scanning sites and apps to discover whether they’re child directed. There are a few technologies already in place that enable first parties to tell third parties whom their content and advertisements are being served to. One mechanism for getting this knowledge is no different from how third parties already get information to serve targeted ads and content to consumers: via a JavaScript ad tag.

This comes from the Open RTB Specification, a protocol for communication between the players of the ad ecosystem – SSPs, DSPs, ad networks, ad exchanges and data platforms. The spec includes a user object, which contains information about the end user of a device or desktop that can be passed to a third-party content provider, advertiser and the like. It helps them determine what should be displayed in relation to the end user. By passing another piece of information, for example a COPPA flag (i.e. COPPA=Y in the buyerID field) stating that the embedding site is compliant with the rule, third parties can choose more appropriate content, making a better experience for young audiences. Using existing ad tags to receive this signal also creates efficient bidding in the exchange due to more accurate targeting.
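The signal described above, seen from the receiving third party's side, as an added example that is not from the original post or the OpenRTB project. It assumes the post's "buyerID field" maps to `user.buyeruid`, also accepts the `regs.coppa` attribute that OpenRTB defines from version 2.2 onward, and uses hypothetical function names and a conservative, assumed list of fields to drop.

```javascript
// Added example (not from the article): receiver-side handling of a COPPA signal.

// True when the bid request says the embedding site or app is child-directed.
function hasCoppaSignal(req) {
  // OpenRTB 2.2+ form: regs.coppa = 1.
  const coppa = (req.regs || {}).coppa;
  if (coppa === 1 || coppa === '1' || coppa === true) return true;
  // Article's illustration: "COPPA=Y" in the buyer ID field. Assumption: that
  // field is user.buyeruid and may hold several delimiter-separated pairs.
  const buyer = String((req.user || {}).buyeruid || '');
  return buyer.split(/[;&|,]/)
    .some((kv) => /^\s*coppa\s*=\s*(y|yes|1|true)\s*$/i.test(kv));
}

// Assumption: a conservative set of identifying OpenRTB fields to drop.
const STRIP = {
  user: ['id', 'buyeruid', 'yob', 'gender', 'keywords', 'customdata', 'data', 'geo'],
  device: ['ifa', 'didsha1', 'didmd5', 'dpidsha1', 'dpidmd5', 'ip', 'ipv6', 'geo'],
};

// Returns a redacted copy plus a record of what was removed; input is not mutated.
function applyCoppa(req) {
  const out = JSON.parse(JSON.stringify(req));
  if (!hasCoppaSignal(req)) {
    return { request: out, behavioralTargeting: true, removed: [] };
  }
  const removed = [];
  for (const [obj, fields] of Object.entries(STRIP)) {
    for (const f of fields) {
      if (out[obj] && f in out[obj]) {
        delete out[obj][f];
        removed.push(`${obj}.${f}`);
      }
    }
  }
  // Keep the signal in one normalised place for downstream systems.
  out.regs = Object.assign({}, out.regs, { coppa: 1 });
  return { request: out, behavioralTargeting: false, removed };
}

// Constructed sample request; all values are made up.
const SAMPLE_REQUEST = {
  id: 'req-1',
  user: { id: 'u-123', buyeruid: 'seg=42;COPPA=Y', yob: 2005 },
  device: { ifa: 'CONSTRUCTED-IFA', os: 'iOS', geo: { lat: 1, lon: 2 } },
};
console.log(applyCoppa(SAMPLE_REQUEST).removed.join(', '));
```

Because the buyer ID itself is stripped, the flag is re-emitted as `regs.coppa` so that systems further down the chain still see it.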

In the case of mobile apps, understanding the end user of a device can be more challenging. We live in a digital age, where children are more tapped into technology than ever before and devices are ubiquitous in day-to-day life. Children may not own their own smartphones or tablets, but the vast majority of apps and media are targeted for young users’ consumption. A friend told me that her son (who confessed that he loved the iPad more than his father) downloaded a seemingly harmless game. She noticed that inappropriate ad images were being displayed so she immediately removed it from her device. Something the app developer could do is pass the COPPA signal via an existing SDK, i.e. an SSP SDK. This mechanism is specific to native mobile apps and also already used for online behavioral advertising practices. At the time the app is initiated, it could transmit a signal to the third parties in the ad exchange.

Another avenue that app developers can take to ensure their COPPA compliance is communicated is app monitoring and assessment. These types of services audit the activity of the app, including any data collection and transmission to third parties, as well as external calls made by the app. This type of assessment can ensure compliance of self-regulatory governance such as COPPA and CalOPPA and create an insightful report, which can be used as a tool to communicate to all partnering companies who may collect and pass data from children using the app. Each time an update is made to the app, the monitoring service can run a report and alert first parties to communicate COPPA compliance to partners so that they send appropriate content and ads.

SDK work flow

Technology exists today for both the web and, more importantly, mobile devices, where children are the most vulnerable. TRUSTe, the leader in global Data Privacy Management solutions, creates these technologies to allow for innovation and progress to continue and for self-regulatory mandates to be met by the industry for the consumer. The TRUSTed Ads solution for display, mobile web and mobile app ads provides the mechanisms needed for involved parties in OBA to communicate end user opt-out preferences. The preference-reading JavaScript tag and SDK used to communicate consumer choice in online behavioral advertising can easily retrieve COPPA signals and propagate them to the industry.

TRUSTe also brings TRUSTed apps to the mobile industry, offering services that analyze app data collection practices, third party sharing for contractual provisions and data governance policies.  An enterprise version of this service additionally evaluates security and malware scanning of the app.   Raising the COPPA flag doesn’t require any heavy engineering or additional load to your site and/or app.  TRUSTe can provide the technology solutions to make it happen today.  It simply makes for a better, safer environment for all kids.