Push Notifications

KWS can manage any parental consent flow including direct notice for compliant push notifications.

Process Flow:

  1. The kid is presented with a native Push Notification subscription dialog (which is triggered as defined by you).
  2. They can then choose to accept or decline it.
  3. If the kid accepts, your app checks (using the KWS API) if the kid has (parental) permission to receive push notifications.
  4. If the kid has permission, your app then subscribes the kid to your push notification provider (ensure you have a COPPA compliant provider as described below). FYI: at this point you may choose to trigger a permission request, also using the API).
  5. The kid can now receive new push notifications (for as long as push notifications remain enabled on their device and their parent has not revoked permissions).

Note: Your app will need to utilise KWS' web-hooks to ensure that you get notified if a parent opts out. Once you receive this web-hook, you must deregister the user on your push notification provider. This is to ensure that e.g. as soon as permission is revoked by a parent - your push notification provider stops sending push notifications to that kid.

COPPA compliant push notifications

Requests for push notifications in child-directed apps (or where a publisher has actual knowledge that the user is aged under 13) are subject to COPPA. For more information see FTC COPPA FAQs I.9.

According to FTC guidance:

  • If the child requests push notifications, the “multiple contact exception” to parental consent under COPPA may be used.
  • This allows an app to contact the child multiple times, provided the parent has been provided with direct notice and an opportunity to opt out.
  • The push notification must be related to the content of the app (eg, feed updates or @ mentions or other relevant information); it must not be related to other apps or services and may not be purely for marketing purposes.

Identifying a compliant push notification provider

To ensure that your push notification service provider is compliant, you will need to check that:

  1. they do not automatically collect (i.e. send to a backend server) persistent identifiers that can be used to identify a user across apps, such as IP address or device IDs
  2. no personal information (including persistent identifiers) is shared across apps or services
  3. They have an API for ‘opt-out of push notifications for this user’