Can apps play by the COPPA Rules?

We review current technical and social barriers to COPPA compliance for popular online services aimed at children. We show that complying with COPPA has proven difficult for developers, even when a genuine attempt was made. We investigate reasons for this lack of compliance and identify common causes: specifically, difficulties obtaining verifiable parental control as well as supply mechanisms for parents to understand, review, grant access and monitor collection of their children´s personal data. Unless part of online services, mobile apps do not need to comply with COPPA. We identify 38,842 (out of 635,264) apps which are self-described (by their developers) as suitable for young users. Half of these apps have the ability to collect personal data and only 6% present a privacy policy. Parents often have little to no knowledge or understanding of what data is accessed. Due to Android´s design they must grant all access regardless of permission type or need. Among the self-described apps we find different levels of content rating; these are not a reflection of the content of the app itself but rather the required access to personal data. We present a design for a new framework aimed at helping mobile apps to comply with COPPA. This framework aims to simplify the process for developers by providing appropriate tools and mechanisms to help comply with the COPPA rules while presenting an easily understandable interface for parents to review, navigate, understand and then grant access to their children´s personal data.