Update on Corona and COPPA, Privacy Policies

Update on Corona and COPPA, Privacy Policies

In the last two days we’ve heard that a number of developers (Corona and otherwise) have questions about data collection in their apps and how this relates to COPPA. So this is a great time to do an update post on this and make completely sure all Corona developers know where we stand. We posted about privacy policies back in December, and will also address that here.

I would also recommend that anyone interested in this topic read this blog post by ACT 4 Apps for a general overview and to understand what constitutes Personally Identifiable Information.

I will approach this in 3 sections:

1) Data collected by Corona Labs – We have always been very clear that we collect basic information from Corona-based apps via our “LaunchPad analytics”. The information collected includes:

  • Device type and OS
  • An app identifier – this is a string that identifies the Corona app. It does not include any end user info.
  • App session time and lengths – this is data on the end user’s usage of the app, but not any personal info.
  • IP address – this is the IP address related to the user’s phone connection to the Internet
  • Hashed/anonymized MAC address – this is an identifier of the end user’s device

Please note that we no longer collect UDIDs, although the *anonymized* MAC address does serve as a device identifier. All data collection for analytics purposes needs some type of device identifier, otherwise the data would be almost useless.

VERY IMPORTANTLY, IT HAS ALWAYS BEEN POSSIBLE TO TURN COLLECTION OF THIS DATA OFF. This is documented in several places, but here I will direct you to the Analytics section of our Project Configuration guide.

The way to turn this data collection off is by adding the following code to your app’s config.lua file:

application =
launchPad = false,

Once your app includes that line of code, CORONA LABS DOES NOT COLLECT ANY DATA from your end users’ app sessions.

One final point on this: even in the cases when we do collect this data (i.e., when you have not turned it off), we NEVER share this data with any third parties. The data is only used as a way to give you basic analytics on your apps and by us in aggregate form to get some basic data on the Corona ecosystem.

2) Data collected by 3rd party services – Of course, Corona allows you to use a number of 3rd party services (e.g., ad networks, analytics services, etc.). We cannot control what data those services may or may not collect. It is up to you, the app developer, to make sure you know what data those 3rd parties collect and act accordingly.

If you turn off the Corona “LaunchPad analytics” but still decide to use a 3rd party service, it is possible that you are sending data to those 3rd parties via their libraries/SDKs even if we (Corona Labs) are not collecting any data.

3) Privacy policies – Finally, as we mentioned back in December, we think it is important for all developers to know what data they are using/sending and to have privacy policies that accurately reflect this.

To help with this, we have published a Privacy Policy for App Users that explains what data is being collected, if any, by Corona Labs.

We recommend that your app have a privacy policy that lists any 3rd party services used in your app, and that links back to this Corona Labs policy – this will ensure that you are informing your users of any data that is being collected.

  • Laura
    Posted at 12:53h, 16 May

    Thank you for being so clear on this.

  • Chevol
    Posted at 07:21h, 20 May

    I am having a hard time determining if Flurry is ok to use in a child’s education app. Also I’ve been checking on ad services such as iAds or AdMob. I guess because its relatively new many companies haven’t come out and stated wether they are COPPA compliant yet.

  • Laura
    Posted at 13:06h, 08 June

    The biggest thing when looking at third parties is if they compile data across apps or if they use the data for their own aggregate reports as well as provide the info to you. I’m not positive, but I think Flurry does, and ad networks often create profiles of users across apps. If they do, or if you aren’t sure, then you should assume they are not COPPA compliant and would need parental consent to use those services.

  • Tyler Smith
    Posted at 08:09h, 24 March

    If you’re looking for COPPA compliance solutions, I did a post located depicting our Corona SDK for COPPA compliance here: /blog/2014/07/09/guest-post-agecheq-makes-it-easy-to-be-coppa-compliant/