§What COPPA requires
Source: Children's Online Privacy Protection Act / 16 CFR Part 312 — accessed 2026-05-11.
Jurisdiction. Applies to operators of websites and online services directed to children under 13, and to general-audience operators with actual knowledge that they are collecting personal information from a child under 13. Original Rule effective 2000; amended 2013.
Personal data definition. COPPA's definition of personal information at 16 CFR §312.2 includes first and last name, home or other physical address, online contact information (including email or screen name that permits direct contact), telephone number, social security number, a persistent identifier that can be used to recognise a user over time and across different websites or online services, photographs/videos/ audio containing a child's image or voice, geolocation sufficient to identify street/city, and information concerning the child or parents that is combined with any of the above.
Key requirements relevant to mobile analytics. Operators must provide direct notice to parents and obtain verifiable parental consent (§312.5) before any collection, use, or disclosure of personal information from children under 13. The Rule requires reasonable procedures to ensure the person providing consent is in fact the parent. Limited exceptions exist (e.g., obtaining a one-time email for the purpose of responding to a specific request).
⚑Where mobile analytics typically creates exposure for fitness & wellness apps
A mobile-analytics SDK that assigns a persistent device identifier and ships it with every event collects personal information under COPPA's definition — regardless of whether the SDK separately collects a name or email. The FTC has made clear in enforcement actions that persistent identifiers used to recognise a user over time fall within the rule's scope, and that simply describing an app as 'analytics' does not avoid the verifiable-parental-consent requirement when the app is directed to children.
Fitness apps process step counts, heart-rate readings, sleep stages, weight, BMI, workout types, calorie intake, and frequently the user's age, sex, and menstrual phase. Many integrate with HealthKit (iOS) or Health Connect (Android), which restrict on-device access but say nothing about what flows to an analytics SDK.
Although consumer fitness apps are typically not HIPAA covered entities, their data is special category personal data under GDPR Art. 9 (data concerning health), sensitive personal information under CPRA, and falls within the scope of regulators' interest in children's services when used by under-18s.
▸What Respectlytics's design does (technical facts)
Respectlytics is designed for the product-analytics layer, not the data store. Step counts, heart-rate values, and sleep stages stay in HealthKit / Health Connect, where they have their own privacy model. Respectlytics records whether a feature was used (run_logged, sleep_session_synced) — without the values the user just generated.
Reduces the surface. Removing the surface where the categories covered by COPPA could be collected in the first place narrows what a COPPA review needs to scope. Whether the resulting posture meets the regulation's requirements for your specific app is something to discuss with your legal team.
❓Frequently asked questions
What counts as a 'website or online service directed to children'?
§312.2 lists factors the FTC considers: subject matter, visual or audio content, use of animated characters or child-oriented activities and incentives, age of models, language, advertising directed to children, and competent and reliable empirical evidence about audience composition.
If our app is rated 12+ but children use it anyway, are we covered?
If the operator has actual knowledge that it is collecting personal information from a child under 13, COPPA applies even on a general-audience service. The actual-knowledge standard is fact-specific — consult your legal team if you have signals that your audience includes under-13s.
Does using Respectlytics by itself resolve COPPA obligations for our fitness & wellness apps app?
No — and no analytics SDK can credibly answer that question. Whether your product meets COPPA's requirements is a property of your whole product, contracts, and operational practice, evaluated by your legal team. Respectlytics's contribution is a smaller data surface: identifying fields and the regulation's special categories are rejected at the API. Whether that posture, combined with your other controls, satisfies COPPA for your specific app is a conversation for your counsel.
What if we already use a different analytics SDK today?
The starting point is an inventory of what your current SDK actually collects and where it sends it. Our privacy self-assessment worksheet walks through that in seven sections — it outputs an educational summary you can bring to your legal team.