
How do I choose a good push notification provider?

Always aim to minimize the data that you and your third parties collect from kids. Below is a set of best practices on how to choose a push notification service that you can use for an app targeted at kids:

Ensure your provider:

  • does not automatically collect personal information from the device, unless the user opts in to push notifications
  • does not share personal data across apps
  • does not collect a persistent device identifier that can identify the user across apps
  • does not automatically combine the push notification identifier with other data. If they do, this will require verifiable parental consent.
  • supports opt-out of push notifications for users via an API, so that you can stop sending push notifications to users whose parents opt them out

One effective way to find out what information your provider collects is to check their API documentation. Our safe-social engagement platform, PopJam, uses Firebase. Below is the analysis we did to reach this conclusion:

No auto-collection of personal information from the device
Compliant if: Developer prevents Firebase auto-initialization
Actual Practice: Firebase generates an Instance ID, which the Firebase Cloud Messaging (FCM) SDK uses to generate a registration token on app start. Firebase sends it to the backend automatically. This is not ideal.
Further required Actions: To comply with COPPA, the developers need to prevent this auto-initialization, which is supported.

No data shared across apps
Compliant if: Developer sets up only one app for one Project ID on Firebase
Actual Practice: Instance IDs are common to a Project ID on Firebase. As long as each app is a separate project on Firebase, no data is shared across apps.

Support for user-specific opt-out API
Compliant if: Developer deletes the Instance ID when KWS notifies the developer that the user should not be sent any more push notifications.
Actual Practice: There doesn’t seem to be specific documentation around how the developer can opt out of push notifications (other than on the device).
Further required Actions: The developer should utilise Firebase’s server and client-side API to delete an Instance ID, which deletes all information associated with that ID.

No combining push notification identifier with other PII
Compliant if: The developer does not send targeted push notifications to kids, where the targeting is based on the kid’s personal information such as their birthday. We will need to enforce this through a contract.
Actual Practice: If the intention is to send targeted push notifications based on the kid’s PII, verifiable parental consent is required. Instance IDs are used by Firebase to combine data across Cloud Messaging and Crashlytics, but they do not contain any other PII and are local to the app.

No persistent device identifier
Compliant if: The Instance ID is a unique identifier for an app instance. It is unique for all app installs in the world, and is regenerated if the app is reinstalled
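
The two developer actions from the analysis above (preventing FCM auto-initialization until opt-in, and deleting the Instance ID on opt-out), as an added example that is not PopJam's or Firebase's own code. It assumes an Android app using the Firebase Cloud Messaging SDK with the Instance ID API the analysis refers to; `PushConsent` and its method names are hypothetical.

```kotlin
// Added example. Assumption: Android app, FCM SDK with the FirebaseInstanceId
// class (newer SDK releases replace it with Firebase Installations).
//
// AndroidManifest.xml, inside <application>, stops FCM from generating an
// Instance ID and registration token at app start:
//   <meta-data android:name="firebase_messaging_auto_init_enabled"
//              android:value="false" />
//   <meta-data android:name="firebase_analytics_collection_enabled"
//              android:value="false" />

import com.google.firebase.iid.FirebaseInstanceId
import com.google.firebase.messaging.FirebaseMessaging
import java.io.IOException
import java.util.concurrent.Executors

// Hypothetical helper: one place that turns push identifiers on and off.
object PushConsent {
    private val io = Executors.newSingleThreadExecutor()

    /** Call only after the user has opted in to push notifications. */
    fun onOptIn() {
        // The setting persists across app restarts; from here on FCM
        // creates an Instance ID and a registration token.
        FirebaseMessaging.getInstance().isAutoInitEnabled = true
    }

    /**
     * Call when the app learns the user must not receive push any more.
     * onDone runs on a background thread; deleted == false means retry later.
     */
    fun onOptOut(onDone: (deleted: Boolean) -> Unit) {
        // Disable auto-init first, otherwise FCM regenerates the ID
        // right after it has been deleted.
        FirebaseMessaging.getInstance().isAutoInitEnabled = false
        io.execute {
            val deleted = try {
                // Blocking network call: must not run on the main thread.
                FirebaseInstanceId.getInstance().deleteInstanceId()
                true
            } catch (e: IOException) {
                false // for example the device is offline
            }
            onDone(deleted)
        }
    }
}
```

Until `onDone(true)` has been reported, the backend should keep treating the old registration token as opted out rather than assuming the client-side delete succeeded.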

Check out this useful guide on how to implement push notifications in your app in a COPPA-compliant manner using Kids Web Services.

Updated on 21/08/2020
