Monday, January 14, 2013

COPPAesthetics: form follows function yet again


Earlier in December 2012, the Federal Trade Commission adopted final amendments to the Children’s Online Privacy Protection Rule (COPPA). As you might imagine, any regulation that mixes child safety (nothing is more important, right?), the multi-billion dollar Internet economy (nothing is more important than jobs, right?), and increased regulation (you fill in the blank here) is bound to be controversial. The new rule(s) take effect on July 1, 2013 and cover a lot of ground. The COPPA amendments expand:

  • The type of entity that will be regulated by COPPA to include third-party service providers like advertising networks, while explicitly excluding “platforms” like Google Play or the App Store,
  • The criteria for the kind of service or app covered to include those that are likely to attract under age 13 users (versus specifically targeting under age 13 users), and 
  • The types of information that will require parental consent (and how/when that consent must be given).

On a separate track, I have long been calling out how the design intent (functional requirements) behind the various analytics technologies out there leads to profound (material) differences in architecture and feature sets (form). For a more technical treatment of this topic, see Application Analytics: what every developer should know.

Debuggers, profilers, web/mobile analytics, and last (but not least ;) application analytics are distinct from one another – and this latest update to COPPA serves as one more stark reminder as to why these distinctions really matter. 

Information that is exempt from COPPA obligations includes data that is used exclusively to “Support internal operations” including “maintaining or analyzing the functioning of app or service.” So, right away we can assume that debuggers and system monitoring software are still in the clear – but these tools do nothing to improve usability, measure adoption, or identify user preferences, and – in most cases – cannot even reach out onto consumer devices like mobile phones and tablets.

What’s an app/service provider (what COPPA calls an “operator”) to do?

Today, app/service providers (let’s call them “Owners” for now) have had two options for analytics inside their apps and online services:

  • “Mobile/web analytics” provided by third parties such as advertising networks (Google) or platforms (let’s call them marketplace providers) such as Apple’s App Store, and 
  • Application analytics provided by third parties such as PreEmptive Solutions.

Functionally, these two technologies are quite different and are complementary (see the article listed above). Another stark difference between these two categories is the preferred business model of their respective vendors:

  • Web/mobile analytics technology and services are offered at no (or minimal) charge, with the hook that the analytics provider owns (and can process and monetize) the runtime data generated through their service – it is the data that pays for the service. This is why advertising networks are likely to find themselves identified as “operators” in the eyes of the FTC and, therefore, potentially subject to COPPA regulations.
  • Application analytics providers license their software and services for a fee and do not harvest client data. App Owners “own their data” just as absolutely as they own their app or online service. This is why application analytics providers, all other things being equal, are unlikely to find themselves under any kind of scrutiny from the FTC.

...who moved my analytics?

All of this has potentially serious implications for both app/online service providers AND advertising networks. 

Advertising network service providers are likely to simply ban (drop) app owners that may send them COPPA-governed data to avoid risk – and we see this happening already; check out Flurry’s privacy policy here, where they write (in part):

“Our Customers may not use the Flurry Services in connection with any application labeled or described as a "Kids" or "Children" application and may not use the Flurry Services a) in connection with any application, advertisement or service directed towards children or b) to collect any personal information from children.” 

Application analytics service providers find themselves in a very different position. I need to stress that “application analytics” and “mobile analytics” are not equivalent – the latter will not promote an app or rank an app against competitors. 

Yet, to the extent that measuring user experience, preferences and behavior leads to improved adoption and sales and to the extent that reducing mean-time-to-repair improves operations and increases satisfaction and application value – application analytics will, by design, continue to improve application quality and value in a safe and secure manner - even under increasing regulatory oversight and scrutiny.
