Always aim to minimize the data that you and your third parties collect from kids. Below is a set of best practices on how to choose a push notification service that you can use for an app targeted at kids:
Ensure your provider:
- does not automatically collect personal information from the device, unless the user opts in to push notifications
- does not share personal data across apps
- does not collect a persistent device identifier that can identify the user across apps
- does not automatically combine the push notification identifier with other data. If they do, this will require verifiable parental consent.
- supports opt-out of push notifications for users via an API, so that you can stop sending push notifications to users whose parents opt them out
One effective way to find out what information your provider collects is to check their API documentation. Our safe-social engagement platform, PopJam, uses Firebase. Below is the analysis we did to reach this conclusion:
| Requirement | Compliant if | Actual practice | Further required actions |
|---|---|---|---|
| No auto-collection of personal information from the device | Developer prevents Firebase auto-initialization | Firebase generates an Instance ID, which the Firebase Cloud Messaging (FCM) SDK uses to generate a registration token on app start. Firebase sends it to the backend automatically. This is not ideal. | To comply with COPPA, the developers need to prevent this auto-initialization, which is supported. |
| No data shared across apps | Developer sets up only one app for one Project ID on Firebase | Instance IDs are common to a Project ID on Firebase. As long as each app is a separate project on Firebase, no data is shared across apps. | |
| Support for user-specific opt-out API | Developer deletes the Instance ID when KWS notifies the developer that the user should not be sent any more push notifications. | There doesn’t seem to be specific documentation around how the developer can opt out of push notifications (other than on the device). | The developer should utilise Firebase’s server and client-side API to delete an Instance ID, which deletes all associated information with that ID. |
| No combining push notification identifier with other PII | The developer does not send targeted push notifications to kids, where the targeting is based on the kid’s personal information such as their birthday. We will need to enforce this through a contract. | If the intention is to send targeted push notifications based on the kid’s PII, verifiable parental consent is required. Instance IDs are used by Firebase to combine data across Cloud Messaging and Crashlytics, but they do not contain any other PII and are local to the app. | |
| No persistent device identifier | The Instance ID is a unique identifier for an app instance. It is unique for all app installs in the world, and is regenerated if the app is reinstalled | | |
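
The opt-out row above, sketched as server-side code. This is an added example, not PopJam's or Firebase's own code: `PushConsentRegistry`, its in-memory store and the user ids are assumptions, and how KWS delivers the opt-out notification is not shown. The only Firebase call is the Admin SDK's `instance_id.delete_instance_id`.

```python
from typing import Callable, Dict, List, Set


def firebase_delete(instance_id: str) -> None:
    """Real Admin SDK call; needs firebase_admin.initialize_app() done first."""
    from firebase_admin import instance_id as fb_iid  # imported lazily
    fb_iid.delete_instance_id(instance_id)


class PushConsentRegistry:
    """Hypothetical in-memory store: user id -> Instance IDs allowed to get pushes."""

    def __init__(self, delete_fn: Callable[[str], None] = firebase_delete):
        self._delete = delete_fn
        self._ids: Dict[str, Set[str]] = {}
        self._opted_out: Set[str] = set()

    def register(self, user_id: str, instance_id: str) -> bool:
        """Record an ID sent by the app after opt-in; refuse during an opt-out."""
        if user_id in self._opted_out:
            return False
        self._ids.setdefault(user_id, set()).add(instance_id)
        return True

    def handle_opt_out(self, user_id: str) -> Dict[str, List[str]]:
        """Run when the consent service reports a parental opt-out (safe to re-run)."""
        self._opted_out.add(user_id)  # stop sends first, even if deletion fails
        deleted, failed = [], []
        for iid in sorted(self._ids.get(user_id, set())):
            try:
                self._delete(iid)
                deleted.append(iid)
            except Exception:
                failed.append(iid)  # kept so a retry can delete it later
        if failed:
            self._ids[user_id] = set(failed)
        else:
            self._ids.pop(user_id, None)
        return {"deleted": deleted, "failed": failed}

    def targets(self, user_id: str) -> List[str]:
        """Instance IDs that may be messaged; always empty for opted-out users."""
        if user_id in self._opted_out:
            return []
        return sorted(self._ids.get(user_id, set()))

    def pending_deletion(self, user_id: str) -> List[str]:
        """IDs of an opted-out user whose Firebase deletion has not succeeded yet."""
        return sorted(self._ids.get(user_id, set())) if user_id in self._opted_out else []
```

Marking the user as opted out before attempting deletion means a failed Firebase call delays cleanup but never results in another push being sent.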