Push notifications can be tricky to implement when building apps that are targeted at kids, since signing users up to receive push notifications often involves the collection of personal information:
“The information you collect from the child’s device used to send push notifications is online contact information – it permits you to contact the user outside the confines of your app – and is therefore personal information under the [COPPA] Rule.”FTC
You should only send push notifications to kids if their parent or guardian has consented to this…but what does this really mean?
Verifiable consent vs opt-out
Because most vendors collect personal information in order to send push notifications, the FTC requires you to seek verifiable parental consent (VPC):
“…provide parents with direct notice and obtain verifiable parental consent prior to sending push notifications to the child.”FTC
Obtaining VPC creates an extra hurdle which can significantly reduce your conversion rates. Even-so there is a way to implement push notifications using a much leaner ‘opt-out’ consent flow:
“You may be able to rely on the “multiple-contact” exception to verifiable parental consent, for which you must also collect a parent’s online contact information and provide parents with direct notice of your information practices and an opportunity to opt-out. Importantly, in order to fit within this exception, your push notifications must be reasonably related to the content of your app.”FTC
Kids Web Services offers such a flow, which you can use in conjunction with the right push notification provider. Parents are given notice (via email) that their child would like to receive push notifications. They may then opt their child out if they so please. If the parent takes no action, their child will remain subscribed to your push notification service.
This KWS-powered flow ensures a good balance between compliance, frictionless UX and higher conversion rates.
Identify the right push notification provider
The FTC explains that in order to utilize the ‘multiple contact exception’ rule, your push notification provider must not collect any other personal information:
“If you want to combine this online contact information with other personal information collected from the child, you cannot rely on this exception and must provide parents with direct notice and obtain verifiable parental consent prior to sending push notifications to the child.”
Therefore, make sure you choose a push notification provider that:
- does not automatically collect personal information from the device, unless the user opts in to push notifications
- does not share personal data across apps
- does not collect a persistent device identifier that can identify the user across apps
- does not automatically combine push notification identifier with other data. If they do, this will require verifiable parental consent.
- supports opt-out of push notifications for users via an API, so that you can stop sending push notifications to users whose parents opt them out
Find out more on how to vet your push notification provider here.
Set up a KWS App
Once you are sure you’ve found a suitable provider, go ahead and set up your KWS app.
If you don’t already have access to a KWS environment; feel free to ask for a free sandbox.
Determine which users are kids
You’ll need to invoke the kid-safe push notification flow (detailed below) just for kids while adults can go through your own standard flow.
To achieve this, pass the user’s date of birth and their country to the Age Gate API. This API will return a flag that signals if the user is indeed defined as a ‘kid’ based on their age and location (e.g ‘isMinor = true).
The User flow (kids)
Now that we know the user is a kid, let’s build out the following kid-safe flow:
- Present a push notification dialog
The kid is presented with a native Push Notification subscription dialog. You may trigger this wherever you require within your app—this could be an automated pop-up e.g. after sign-up or if the kid clicks a specific button.
- Subscribe kid to push notification provider
If the kid accepts, your app then needs to check (using the KWS API) if they already have (parental) permission to receive push notifications.
– If they do, your app may then subscribe them to your push notification service.
– If they don’t already have this permission, trigger a permission request using this KWS API. This will, in turn, send an automated email to the parent giving them an opportunity to opt their child out.
- Deliver push notifications
The kid can now receive push notifications (for as long as push notifications remain enabled on their device and their parent has not revoked the permission via the parent portal).
You’ve now set up your app to adhere to best practice as defined under COPPA. The great advantage of utilizing KWS for this is that the entire permission request flow is managed by the platform. This includes all notices to the parent and the logging of permissions that they granted.