Protecting privacy when developing apps targeted at children

Friday, August 19, 2022

Protecting privacy is an important part of being in business, and is one of many things to factor in when developing a mobile app.

Privacy protection is especially important if your app will collect personal information from children, in which case there are additional requirements and precautions you will need to consider.

On top of your obligations under the Privacy Act 2020, both the Apple App Store and GooglePlay Store impose further requirements to protect children’s information if you are developing an app that will be marketed towards children. 

You must ensure that your developer is across the requirements for your app as it is being developed.  These requirements include complying with the relevant privacy laws in all the countries in which your app will be available, which can be a complex and onerous task if your app is going to be available worldwide. 

While New Zealand has strong privacy protection legislation, elsewhere, such as in the European Union, the requirements are more stringent.  

What should your business be doing?

If your business is developing an app targeted at children, or if you have an app for children but have not given privacy compliance detailed attention, you should seek specialist advice to make sure you are complying with your privacy obligations. 

It is no longer enough to simply publish a privacy policy that says the words required by the App Stores. You must turn your mind to how that policy will be implemented in your business or organisation, and who will oversee its implementation to make sure you are not simply paying lip-service to requirements you cannot meet in practice.

If you are developing an app targeted at children, there are some steps to work through early on:

  1. Consider whether you need to target your app to children – if not, don’t.
  2. Consider what personal information you will collect from children, and why you are collecting it.
  3. Consider whether any personal information can be reasonably obtained from a child without the prior consent of a parent or guardian (most likely not, and so you should factor in obtaining parent or guardian consent at the outset).
  4. Prepare a compliant privacy policy (sometimes also called a privacy notice or statement) which:
    • provides clear guidance about what personal information you are collecting from children and why; and
    • describes what you will be using children’s personal information for, and how.

Remember that you must not collect more personal information than is required for the purpose/s you have communicated at the time of collection (as is also the case for information belonging to adults). 

  1. You then must consider the systems in place in your business to monitor the effectiveness of your privacy compliance, so that your processes can be reviewed and improved, including:
    • how will your business manage the collection of personal information?
    • who will be responsible for ensuring up to date compliance with the applicable privacy laws in each country your app is available?
    • what security safeguards protections will you have in place to reduce the likelihood of a privacy breach, and what will your response plan look like if one does occur?

What are the rules – Apple App Store?

When designing an app that will either be in the “Kids Category” of the Apple App Store or which will collect, transmit, or have the capability to share personal information from a minor (noting that the age of majority may differ in different locations, so what one country considers a child may not be the same as another), you must have a privacy policy that complies with all applicable children’s privacy laws.

This means you need to turn your mind to the privacy laws of each country in which your app will be made available, which can be a significant undertaking especially if your app is intended to be available worldwide.

Apps in the Kids Category cannot transmit personally identifiable information or device information to third parties. These apps should not have the capability of sharing personal information.

Once you have listed your app in the Kids Category, you will need to continue to comply with all applicable privacy laws. Subsequently removing your app from the Kids Category does not alleviate your obligations to protect children’s privacy.

What are the rules – GooglePlay Store?

The GooglePlay Store requires you to disclose the collection of any “personal and sensitive information” from children via the app. Sensitive information includes, but is not limited to, authentication information, microphone and camera sensor data, Android ID, and usage data. There are also restrictions on what information relating to children your app can request and transmit, for example location permission cannot be requested, collected, used, or transmitted by an app targeted solely at children.

The GooglePlay store also requires your app to be compliant with both the U.S Children’s Online Privacy and Protection Act and the European Union General Data Protection Regulations as well as any other applicable laws or regulations. Again, achieving this level of international compliance can be an onerous and complex task.

What happens if your app does not comply?

The Act sets out 13 information privacy principles that govern how your business or organisation should handle personal information, and this is the baseline for your privacy obligations in New Zealand.

If you breach the Act, including any of the privacy principles, the individual affected can make a complaint to the Privacy Commissioner that their privacy has been interfered with. The Privacy Commissioner can investigate the complaint and may attempt to facilitate a resolution. However, both the Privacy Commissioner and the individual affected can refer the case to the Human Rights Review Tribunal.

The Tribunal can award compensation for breaches of the Act, which can range from $5,000 to upwards of $50,000, and the Tribunal has even awarded compensation of more than $168,000 for a particularly serious breach. 

Understanding the consequences of failing to comply with the Act is relevant because the Privacy Commissioner, and in turn the Tribunal, will be far less sympathetic to breaches involving the personal information of children.  If you will be handling children’s personal information, it is vital that you comply with your obligations under the Act. 

If your app will be available worldwide, you will need specific advice about the rules in the relevant jurisdictions, so that you do not fall foul of international privacy laws.

These privacy compliance considerations are applicable to any business that handles personal information, but particularly critical when looking to market to and/or interact with children in a way which involves handling their personal information.

The potential penalties for any privacy breach involving children’s personal information will be harsher given the vulnerability of children and the associated expectation that you will afford their personal information a higher degree of protection. If you are handling children’s personal information, you must ensure that your business has robust systems and processes in place to protect children’s privacy.

To ensure that you’re complying with your privacy obligations, please contact a privacy specialist in our Data Protection and Privacy team

 

Disclaimer: the content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.

Share this publication