Chasing millions of installs is not the sole measure of success – how long users spend in your app and how often they come back is equally important. Push notifications are one of the most effective ways of increasing an app’s user engagement and retention rates.
Push notifications can be tricky to implement when building apps that are targeted at kids, since signing users up to receive push notifications often involves the collection of personal information:
“The information you collect from the child’s device used to send push notifications is online contact information – it permits you to contact the user outside the confines of your app – and is therefore personal information under the [COPPA] Rule.” – FTC
You should only send push notifications to kids if their parent or guardian has consented to this…but what does this really mean?
Verifiable consent vs opt-out
Because most vendors collect personal information in order to send push notifications, the FTC requires you to seek verifiable parental consent (VPC):
“…provide parents with direct notice and obtain verifiable parental consent prior to sending push notifications to the child.” – FTC
Obtaining VPC creates an extra hurdle which can significantly reduce your conversion rates. Even so there is a way to implement push notifications using a much leaner ‘opt-out’ consent flow:
“You may be able to rely on the “multiple-contact” exception to verifiable parental consent, for which you must also collect a parent’s online contact information and provide parents with direct notice of your information practices and an opportunity to opt-out. Importantly, in order to fit within this exception, your push notifications must be reasonably related to the content of your app.” – FTC
Kids Web Services offers such a flow, which you can use in conjunction with the right push notification provider. Parents are given notice (via email) that their child would like to receive push notifications. They may then opt their child out if they so please. If the parent takes no action, their child will remain subscribed to your push notification service.
This KWS-powered flow ensures a good balance between compliance, frictionless UX and higher conversion rates.
Identify the right push notification provider
The FTC explains that in order to utilize the ‘multiple contact exception’ rule, your push notification provider must not collect any other personal information:
“If you want to combine this online contact information with other personal information collected from the child, you cannot rely on this exception and must provide parents with direct notice and obtain verifiable parental consent prior to sending push notifications to the child.”
Therefore, make sure you choose a push notification provider that:
- does not automatically collect personal information from the device, unless the user opts in to push notifications
- does not share personal data across apps
- does not collect a persistent device identifier that can identify the user across apps
- does not automatically combine push notification identifier with other data. If they do, this will require verifiable parental consent.
- supports opt-out of push notifications for users via an API, so that you can stop sending push notifications to users whose parents opt them out
One effective way to find out what information your provider collects is to check their API documentation. Our safe-social engagement platform, PopJam, uses Firebase. Below is the analysis we did to reach this conclusion:
|No auto-collection of personal information from the device|
|Compliant if: Developer prevents Firebase auto-initialization
Actual Practice: Firebase generates an Instance ID, which the Firebase Cloud Messaging (FCM) SDK uses to generate a registration token on app start. Firebase sends it to the backend automatically. This is not ideal.
Further required Actions: To comply with COPPA, the developers need to prevent this auto-initialization, which is supported.
|No data shared across apps|
|Compliant if: Developer sets up only one app for one Project ID on Firebase
Actual Practice: Instance IDs are common to a Project ID on Firebase. As long as each app is a separate project on Firebase, no data is shared across apps.
|Support for user-specific opt-out API|
|Compliant if: Developer deletes the Instance ID when KWS notifies the developer that the user should not be sent any more push notifications.
Actual Practice: There doesn’t seem to be specific documentation around how the developer can opt out of push notifications (other than on the device).
Further required Actions: The developer should utilise Firebase’s server and client-side API to delete an Instance ID, which deletes all associated information with that ID.
|No combining push notification identifier with other PII|
|Compliant if: The developer does not send targeted push notifications to kids, where the targeting is based on kid’s personal information such as their birthday. We will need to enforce this through a contract.
Actual Practice: If the intention is to send targeted push notifications based on the kid’s PII, verifiable parental consent is required Instance IDs are used by Firebase to combine data across Cloud Messaging and Crashlytics but they do not contain any other PII + is local to the app.
|No persistant device identifier|
|Compliant if: The Instance ID is a unique identifier for an app instance. It is unique for all app installs in the world, and is regenerated is the app is reinstalled|
Set up a KWS App
Once you are sure you’ve found a suitable provider, go ahead and set up your KWS app.
If you don’t already have access to a KWS environment; feel free to ask for a free sandbox.
Determine which users are kids
You’ll need to invoke the kid-safe push notification flow (detailed below) just for kids while adults can go through your own standard flow.
To achieve this, pass the user’s date of birth and their country to the Age Gate API. This API will return a flag that signals if the user is indeed defined as a ‘kid’ based on their age and location (e.g ‘isMinor = true).
The User flow (kids)
Now that we know the user is a kid, let’s build out the following kid-safe flow:
- The kid is presented with a native Push Notification subscription dialog. You may trigger this wherever you require within your app—this could be an automated pop-up e.g. after sign-up or if the kid clicks a specific button.
- If the kid accepts, your app then needs to check (using the KWS API) if they already have (parental) permission to receive push notifications.
- If they do, your app may then subscribe them to your push notification service.
- If they don’t already have this permission, trigger a permission request using this KWS API. This will in turn send an automated email to the parent giving them an opportunity to opt their child out.
- The kid can now receive push notifications (for as long as push notifications remain enabled on their device and their parent has not revoked the permission via the parent portal).
You’ve now set up your app to adhere to best practice as defined under COPPA. The great advantage of utilizing KWS for this is that the entire permission request flow is managed by the platform. This includes all notices to the parent and the logging of permissions that they granted.