KWS can manage any parental consent flow including direct notice for compliant push notifications.
- The kid is presented with a native Push Notification subscription dialog (which is triggered as defined by you).
- They can then choose to accept or decline it.
- If the kid accepts, your app checks (using the KWS API) if the kid has (parental) permission to receive push notifications.
- If the kid has permission, your app then subscribes the kid to your push notification provider (ensure you have a COPPA-compliant provider as described below). FYI: at this point you may choose to trigger a permission request, also using the API.
- The kid can now receive new push notifications (for as long as push notifications remain enabled on their device and their parent has not revoked permissions).
Note: Your app will need to utilise KWS' web-hooks to ensure that you get notified if a parent opts out. Once you receive this web-hook, you must deregister the user on your push notification provider. This ensures that as soon as a parent revokes permission, your push notification provider stops sending push notifications to that kid.
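The flow above, sketched as an added example (not KWS or provider code): the subscribe step fails closed when the permission lookup is negative or errors, and the opt-out web-hook deregisters the user idempotently. The class names, method names, and web-hook payload fields (`type`, `user_id`, `push_permission_revoked`) are hypothetical stand-ins, not the real KWS or provider APIs.

```python
# Added illustration: FakeKws, FakeProvider and the web-hook payload shape are
# hypothetical stand-ins. Authenticating the web-hook sender is not shown.

class FakeProvider:
    """Stand-in for a push provider exposing subscribe and per-user opt-out."""
    def __init__(self):
        self.subscribed = set()

    def subscribe(self, user_id, device_token):
        self.subscribed.add(user_id)

    def opt_out(self, user_id):
        self.subscribed.discard(user_id)  # safe to call more than once


class FakeKws:
    """Stand-in for the KWS parental-permission lookup."""
    def __init__(self, granted):
        self.granted = set(granted)

    def has_push_permission(self, user_id):
        if user_id == "error-user":  # constructed failure case
            raise ConnectionError("constructed lookup failure")
        return user_id in self.granted


def on_dialog_accepted(kws, provider, user_id, device_token):
    """Run only after the kid accepts the native push dialog."""
    try:
        allowed = kws.has_push_permission(user_id)
    except Exception:
        allowed = False  # fail closed: no confirmed permission, no subscription
    if allowed is not True:
        return "not_subscribed"
    provider.subscribe(user_id, device_token)
    return "subscribed"


def on_kws_webhook(provider, event):
    """Handle a parent opt-out by deregistering the user at the provider."""
    if event.get("type") != "push_permission_revoked":
        return "ignored"
    user_id = event.get("user_id")
    if not user_id:
        return "rejected"
    provider.opt_out(user_id)  # idempotent, so a redelivered web-hook is harmless
    return "deregistered"
```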
COPPA compliant push notifications
Requests for push notifications in child-directed apps (or where a publisher has actual knowledge that the user is aged under 13) are subject to COPPA. For more information see FTC COPPA FAQs I.9.
According to FTC guidance:
- If the child requests push notifications, the “multiple contact exception” to parental consent under COPPA may be used.
- This allows an app to contact the child multiple times, provided the parent has been provided with direct notice and an opportunity to opt out.
- The push notification must be related to the content of the app (e.g., feed updates or @ mentions or other relevant information); it must not be related to other apps or services and may not be purely for marketing purposes.
Identifying a compliant push notification provider
To ensure that your push notification service provider is compliant, you will need to check that:
- they do not automatically collect (i.e. send to a backend server) persistent identifiers that can be used to identify a user across apps, such as IP address or device IDs
- no personal information (including persistent identifiers) is shared across apps or services
- they have an API for ‘opt-out of push notifications for this user’