Last modified November 22, 2014 by Gordon Glauser

COPPA FAQ

As many of Swrve’s customers are aware, material changes to the Children’s Online Privacy Protection Act (COPPA) came into effect on July 1st 2013.

Swrve’s legal team has done a lot of research into COPPA, the recent changes to the Act and how COPPA affects Swrve customers. This FAQ aims to explain COPPA, detail how it might affect you (if you have a child-directed app) and give you information on how to remain COPPA-compliant.


Does Swrve share data across customers?

No. Other than aggregated, anonymized data, Swrve only shares data across apps from the same developer and only for the purpose below.


Does Swrve share data across apps?

No.

Swrve does use, store and report on aggregated data (for example, we know how many MAUs are being served for a given developer’s apps across our entire system; we know how many MAU are on iOS apps using the Swrve service, and so forth); however, we do not track users from app to app among/across different developers.


What is COPPA?

The Children’s Online Privacy Protection Rule (COPPA) is a US Federal Law aimed at ensuring that parental consent is obtained before personal information is collected from children under 13 years of age.


When does COPPA apply?

COPPA states that it is unlawful for (i) any operator of a Web site or online service directed to children, or (ii) any operator that has actual knowledge that it is collecting or maintaining personal information from a child, to collect personal information from a child in a manner that contravenes COPPA.


Does Swrve require “personal information”, as defined in COPPA, in order to operate?

No. The Swrve Service can operate without collecting any personal information. Swrve customers are in control of what information is sent through to Swrve. The only data that is automatically collected and which cannot be adjusted by our customers is listed above (“Information Collected Automatically”).

If you choose to set up your Swrve Service to collect personal information, then you must ensure that you comply with COPPA, as well as other applicable data protection legislation and regulations. Please be aware that device tokens used to send Push Notifications to users constitute “personal information” for the purposes of COPPA.


Does Swrve use Persistent Identifiers?

The Swrve SDK v3.5 and higher does not collect Persistent Identifiers, such as ID4V or Android/Unity IDs, but rather assigns a default “SwrveID” to each user. The SwrveID is not a Persistent Identifier because it cannot track a user across apps. If a developer uses its own UserID which can track users across that developer’s apps, that may be considered to be a Persistent Identifier.

Swrve integrates with third party attribution partners, such as AppsFlyer, Adjust and Kochava, to identify the ad network source of users of an app.

Older (pre v3.5) versions of Swrve collect ID4V and Android and UnityIDs which would be considered to be “persistent identifiers” under COPPA. If a customer wishes to override this behavior they can supply their own UserID to Swrve.


How are Push Notifications handled?

If you use the Push Notifications feature of Swrve, then you are collecting “online contact information” as defined in COPPA and so would require parental consent (i) if your app is “child-directed”, or (ii) if you know that the user you are contacting is under 13.


Does Swrve collect other Personal Information (as defined in COPPA) from my users?

No.


If I use Swrve, can I be guaranteed that I’m not breaching COPPA?

The Swrve service itself operating independently will not affect COPPA-compliance in any way. We do not independently collect “personal information” and we do segment or take action based on segments independent of what our customers set up themselves. The Swrve service is very powerful and allows customers to segment their users based on all manner of developer-chosen criteria. The customer is in complete control of what segments they create and how they push content to those users. All customers need to be aware of the information they are collecting from users, whether via the Swrve service or not, whether their app is “child-directed”, what segments they create and what action they take based on those segments.


User Privacy Policies

The Swrve Terms of Service require you to have an appropriate privacy policy in place in order to be granted permission from your users to allow Swrve to collect the information necessary or desirable for you to operate the Swrve Service.