PRIVO Case Study


Creating a COPPA  & GDPR compliant attribution and analytics solution to support developers and marketers.




Developers of children’s apps need to be competitive. Any marketing budget must be spent with a view to achieving the best return on investment (ROI). Without the ability to perform attribution, developers may be reluctant to build dedicated children’s apps as monetization options are limited. Children at the same time deserve and have a right to experiences that do not impact their privacy rights.

This problem has been further compounded by Apple which announced that iOS14 would no longer support the collection and use of the IDFA (Identifier for Advertiser’s).

The regulatory requirements:

Privacy regulations prohibit profile building and tracking of children. In the US the COPPA does not allow for the collection and sharing of a persistent identifier to track children across the internet and build a profile of them without the highest level of consent, full verifiable parental consent.1 However, the GDPR2 and guidance from the European Union3 state profile building and automated decision making should not involve a child.


Singular built a privacy enhanced attribution service that can support developers and marketers without violating the regulations and impacting children’s privacy. A solution was also needed to ensure third party services, such as attribution, could operate without using the IDFA pending the release of iOS14.5.

Singular took its standard attribution solution and looked at ways to continue to provide the service without sharing personal information (PI). The standard solution sends a persistent identifier in what is called a post back to track the user that has downloaded and installed the app to the ad they came from.

Singular developed methods for attribution campaigns without sharing any personal information. The standard solution would send a persistent identifier in a postback to track the user who has installed the app back to the ad they came from. Singular developed a fully customizable postback system that enables advertisers to choose exactly which information to share, if at all.

The solution is compatible with Non Self Attributing Networks and it allows advertisers to disable postbacks from Singular altogether or send only non-PI postbacks ("yes/no" using a random ID). Some of these networks (especially gaming-oriented channels) can adequately function without these postbacks from Singular.

Singular shared its new solution with PRIVO for assessment to ensure that there was no risk of a child’s data being shared and that the solution met the following COPPA requirement:

Where an operator collects a persistent identifier and no other personal information and such identifier is used for the sole purpose of providing support for the internal operations of the Web site or online service. In such case, there also shall be no obligation to provide notice under §312.4; c.f.r 312.5 (7)

Where support for the internal operations of the Web site or online service means:

(1) Those activities necessary to: (i) Maintain or analyze the functioning of the Web site or online service; (ii) Perform network communications; (iii) Authenticate users of, or personalize the content on, the Web site or online service; (iv) Serve contextual advertising on the Web site or online service or cap the frequency of advertising; c.f.r 312.2

PRIVO also reviewed the solution for compliance with its GDPRkids™ Privacy Assured Program examining the controls in place to support customers with child directed apps to ensure they have a lawful basis for processing the identifiers collected.

Singular has implemented robust controls to ensure compliance including contractual agreements, audits and a rigorous training program for the Singular team.

PRIVO prepared a Privacy Risk and Compliance Assessment and a DPIA (Data Processing Impact Assessment) and determined that the solution posed little or no risk to children if the controls are implemented correctly.

Singular has committed to continued oversight for compliance with COPPA and GDPRkids™ and was awarded its certification in 2020.


Singular is an attribution and analytics solution app marketers use to view marketing performance and ROI. Singular supports marketers to measure campaign effectiveness by attributing app installs, revenue, and other conversions to an ad or marketing effort. It allows marketers to maximize the impact of their ad spend. Visit Singular's website to learn more about their services:

PRIVO is an FTC approved COPPA Safe Harbor. COPPA stands for the Children’s Online Privacy Protection Act. PRIVO’s Kids Privacy Assured solution also includes GDPRkids™ and Student Digital Privacy Programs. The GDPR is the European Union’s General Data Protection Regulation.


For more information contact:

Singular: Susan Kuo, COO

PRIVO: Claire Quinn, CPO & Celeste Rollason, Third Party Program Manager. |

*Case Study Originally Published September, 2021

  1. An operator must give the parent the option to consent to the collection and use of the child's personal information without consenting to disclosure of his or her personal information to third parties. c.f.r. 312.5 (2)
  2. Recital 38 to the GDPR states that: “Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.”
  3. The EDPB guidelines on automated individual decision making and profiling states that organisations should, in general, avoid profiling children for marketing purposes, due to their particular vulnerability and susceptibility to behavioural advertising and the ICO’s Children’s Code speaks to the risks of profiling in relation to children but states it should be off by default implying it could take place. Article 22 (2) of the GDPR allows profiling with explicit consent however the EDPB guidelines state that, as a rule, controllers should not rely upon the exceptions in Article 22(2) to justify it.