COPPA compliance

App publishers need to take particular care when handling data collected from children. Any mobile or CTV app that's designed for children, or that targets users in a region with stringent online child safety laws, needs to abide by governing laws. You're advised to carefully review all requirements and take the necessary steps.

Examples of online child protection laws in different regions include:

To learn more about how Adjust processes users' data, see section 4 of the privacy policy.

Who needs to be COPPA compliant?

If the answer to any of the following questions is yes, you may need to be COPPA compliant:

  • Is your company based in the US, OR
  • Are your app’s users based in the US, OR
  • Is your app targeting children, OR
  • Is your app likely to appeal to children?

For more information, see the FTC COPPA FAQ.

Tip:

The US COPPA law defines children as individuals under the age of 13. In the EU the age is 16, with some exceptions.

Not sure who your app targets? Get more information about identifying your app audience.

How do I use Adjust’s services in a COPPA compliant manner?

When you use the Adjust SDK in COPPA-applicable apps, the Adjust SDK functions are limited to support internal operations in compliance with the COPPA Rule. Persistent identifiers may only be used for activities necessary to:

  • Maintain or analyze the functioning of the app (for example, intellectual property protection, payment and delivery functions, spam protection, optimization, statistical reporting, and debugging).
  • Perform network communications.
  • Authenticate users of, or personalize the content in, the app.
  • Serve contextual advertising in the app or cap the frequency of advertising.
  • Protect the security or integrity of the user or app.
  • Ensure legal or regulatory compliance.
  • Fulfill a request of a child as permitted by other COPPA provisions.
Note:

If data is sent to Adjust via server-to-server integration, it cannot be flagged as child directed.

Setup in SDK

For information about how to implement these settings in the SDK, follow the developer documentation for your platform:

📖 iOS / Android / Unity / React Native / Flutter / Cordova / Cocos-2dx

Setup in Adjust

Note:

As part of the set up process, or within platform settings for existing apps, you're required to confirm if your app targets children under the age of 13 in the United States.

Learn how to mark your app as COPPA-compliant here.

There are some features in Adjust that apps targeting children may not use in certain capacities:

  • Raw data exports: Real-time callbacks and CSV exports can only be used for your own endpoints. You're not allowed to configure these to share with third parties, such as an agency or a different platform.
  • Networks may not add dynamic callbacks to links: You can only use an Adjust link on your owned or earned channels. For example, your Facebook feed, Twitter account, or email account. To remain COPPA compliant, you should only use links without a callback attached. This ensures you can still measure campaigns without sending data to third parties.
  • Audiences: You may not use Adjust's Audiences feature to share data with any third parties.
  • Partners: Blocking data sharing with third parties stops partners from automatically passing back information to publishers and networks.

How can I identify my app audience?

To help identify your app audience, and therefore what steps you need to take to ensure COPPA compliance, use this table.

Warning:

If your app targets children you may NOT use an age gate. This is reserved for apps with a mixed audience.

Category


Definition


What steps you need to take?


Directed to childrenTargets children under 13 as their primary audience. AND
Mixed audienceTargets children under 13, but they are not the primary audience.
  • Establish age screens
AND

  • Ensure you do not collect personal information from users under age 13.
OR

General audienceNeither targets children under 13, nor are they the primary audience.
  • The COPPA Rule does not require operators of general audience apps to investigate the ages of users. However, operators will be held to have acquired actual knowledge of having collected personal information from a child.