GDPR & COPPA Checker
Check your app against the GDPR and COPPA requirements that apply to mobile developers.
0 of 23 complete
Progress is saved in your browser.
Lawful Basis & Consent (GDPR)
Data Subject Rights & Governance (GDPR)
Children’s Audience (COPPA & GDPR-K)
Store Policy Alignment
Two privacy regimes catch mobile developers off guard more than any others. GDPR applies the moment you have users in the EU or UK — regardless of where your company sits — and demands a legal basis for every processing purpose, real consent for tracking, data minimization, and working machinery for user rights like access and deletion. COPPA applies when children under 13 in the United States can use your service, and its core demand is verifiable parental consent before collecting personal information from a child.
This checklist turns both regimes into concrete, checkable items for an app team: what your consent flow must do, what your SDKs are allowed to collect, what your data inventory should record, and what has to happen when a user — or a parent — asks for data to be deleted. It is a self-assessment aid, not legal advice; use it to find gaps worth raising with counsel.
How to self-assess GDPR and COPPA compliance
- 1
Answer the scoping questions first: do you have EU/UK users, and can under-13s in the US access your app? These determine which sections apply.
- 2
Work through the GDPR items — lawful basis per purpose, consent implementation, data minimization, retention limits, and your process for access and deletion requests.
- 3
If children are in scope, work the COPPA items: verifiable parental consent, limits on behavioral advertising to children, and your SDKs’ child-directed configuration flags.
- 4
Note every unchecked item as a gap, prioritize the ones involving active data collection, and review the list with a privacy professional.
What GDPR actually requires from an app developer
GDPR is purpose-driven: for each thing you do with personal data — analytics, ads, accounts, support — you need a lawful basis, and for tracking-style purposes that basis is almost always consent, which must be freely given, specific, informed, and as easy to withdraw as to give. Pre-ticked boxes and “by using this app you agree” banners do not qualify. Alongside consent sit the structural duties: collect only what the purpose needs (data minimization), keep it only as long as needed, secure it, and document your processing.
The most operational part is data subject rights (DSRs): users can demand access to their data, correction, deletion, and portability, and you generally must respond within one month. For an app team this means a real pipeline — a way to find every record tied to a user across your database, analytics, and third-party processors, and to delete it on request. Fines are calculated against global revenue (up to 4% or €20M, whichever is higher), but for small developers the more common pain is app store enforcement and processor audits.
COPPA: when children under 13 can use your app
COPPA is triggered by being “directed to children” or by actual knowledge that under-13 users are on your service. Personal information under COPPA includes persistent identifiers — device IDs and advertising IDs count — which means an ad SDK collecting the advertising ID from a child-directed app is a COPPA problem even if you never collect a name or email. Before collecting such data from children you need verifiable parental consent, using recognized methods like payment-card verification or signed consent forms; a simple “are you over 13?” gate does not create consent, though a neutral age screen remains the standard first line of defense.
The practical playbook for child-directed apps: configure every SDK’s child-directed flag (ad networks and analytics providers offer them) so behavioral advertising and identifier collection are disabled, serve contextual ads only, and minimize collection to what the app genuinely needs. Both stores enforce on top of the law — Apple’s Kids category rules restrict third-party ads and analytics, and Google Play’s Families policy requires self-certification — and FTC settlements in the app space have run into the tens and hundreds of millions of dollars.
Frequently asked questions
Does GDPR apply to my app if my company is outside the EU?
Yes, if you offer the app to people in the EU/UK or monitor their behavior — publishing in EU storefronts and running analytics on EU users counts. GDPR’s territorial scope follows the users, not your company’s address.
What counts as personal information under COPPA?
More than names and emails: COPPA explicitly includes persistent identifiers such as device IDs, advertising IDs, and IP addresses, plus photos, voice recordings, and geolocation. An SDK silently reading the advertising ID from a child-directed app collects personal information under COPPA.
Is an age gate enough for COPPA compliance?
A neutral age screen (asking birth date without hinting at the “right” answer) is the accepted way to avoid gaining actual knowledge of under-13 users in a general-audience app. But if your app is directed to children by design — themes, characters, gameplay — an age gate does not exempt you; you need parental consent or genuinely COPPA-safe data practices.
What is verifiable parental consent?
A method reasonably calculated to ensure a parent, not the child, is consenting — the FTC recognizes options like a small credit-card transaction, signed consent forms, government ID checks, and video verification. An unverified email or checkbox is not sufficient on its own for collecting personal information from children.
How fast must I answer a GDPR deletion request?
Within one month of receipt as a rule, extendable by two further months for complex cases if you inform the user in time. The deletion must reach every system holding the user’s data, including your processors — analytics and CRM vendors — not just your own database.
Do the app stores check GDPR and COPPA compliance?
They enforce their own overlapping rules. Apple requires in-app account deletion, restricts data practices in the Kids category, and reviews privacy declarations; Google Play’s Families and User Data policies require self-certification and can remove non-compliant apps. Store compliance is necessary but not sufficient — the legal obligations exist independently.
Turn privacy gaps into a done list
Appalize’s app privacy setup checklist audits your store privacy declarations, policy links, and account-deletion requirements per app, so compliance work is tracked, not guessed.
Related free tools
Privacy Policy Generator
Generate a store-ready privacy policy for your iOS or Android app in minutes.
Age Rating Helper
Walk through Apple’s age rating questionnaire before you answer it for real in App Store Connect.
Data Safety Helper
Prepare Google Play’s Data safety form — collection, sharing, and security practices — without guessing.
Privacy Nutrition Label Helper
Work out your App Store privacy label — tracking, linked, and not-linked data — before you fill in App Store Connect.