Did you know there are federal regulations around the online collection of data from children? Did you know they apply to mobile apps and games? Our guest blogger Andrew Smith, Director of Developer Education at AgeCheq, explains the law and what it means to you.

What Is COPPA?

If you write mobile games or apps, you may already know about the Children’s Online Privacy Protection Act, or COPPA. It is a law enforced by the US Federal Trade Commission to prevent online services from collecting personal information from children under 13 without their parents’ permission. It has recently been updated to apply to mobile apps and games, which means that the regulation may apply to you if your software targets an audience that includes children less than 13 years of age.

So What’s the Big Deal?

The updated rule has also expanded the definition of Personally Identifiable Information (PII)—information that developers must not collect from children. Personally Identifiable Information is any data that can be used on its own or in conjunction with other information to identify, contact, or locate a single person, or to identify an individual in context. The law now prevents developers from collecting seemingly harmless information, such as:

• A child’s nickname, screen name, or user id
• Any persistent identifier such as a device id, Google Advertising ID, or IDFV
• All cookies, which are explicitly forbidden in the text of the law

The FTC made this change in response to an experiment carried out by a former FTC technical officer. The experiment showed how several separate, “anonymous” databases could be used to mine the private medical records of individuals.

What Does Complying with COPPA Mean to Me?

Complying with COPPA depends on the audience your game or app targets, and whether it collects information that may be considered to be Personally Identifiable Information or not.  If your game or app simply doesn’t collect any data that might be Personally Identifiable Information, you are in compliance with the law. However, if your game or app does collect this sort of data, or includes third-party software such as an advertising service or analytics package that collects it, your options for compliance depend on the composition of your target audience. 

If your target audience consists only of children under 13, you must assume that all users are under 13 and get verifiable parental consent before collecting any Personally Identifiable Information.  Furthermore, if a parent chooses to revoke their consent, you must delete any Personally Identifiable Information your software collected in the past.

If your target audience does not include children under 13 at all, complying with the law is pretty easy.  You may create an age-gate that asks the user to identify their age (by entering their birth month and year) and then deny access to any user who self-identifies as being under 13 years of age. 

If your app or game doesn’t specifically target children under 13, but children under 13 might use or play it, you may create an age-gate as above, but then restrict (instead of deny) access accordingly; your software may not turn away users who self-identify as being under 13 years of age.  Instead, your game or app must either:

1. Allow the child to participate without collecting any personal data, or
2. Get verifiable parental consent before collecting any Personally Identifiable Information. 

The FTC is the final authority for determining what a game or app’s target audience is. The law states that the Commission will consider competent and reliable empirical evidence regarding audience composition, as well as evidence regarding the intended audience of the site or service. Evidence may include the subject matter of the software, its visual content, the use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the website or online service, or whether advertising that promotes or appears on the website or online service is directed to children.

What’s at Stake?

Mobile games and apps may only collect Personally Identifiable Information from children under 13 once they have disclosed what data they want to collect to an adult and gotten their verifiable permission. Failure to do so can be costly in terms of money, time, and reputation.

There have been fines for hundred of thousands of dollars for violations of the updated version of COPPA. More fines and settlements that require annual privacy audits are rumored to be coming. In addition, the European Union plans to pass a similar set of laws in the fall of 2015, which will force foreign developers to comply as well. Finally, ignoring your duty to protect children is just bad business. No matter how great a game or app is, if it collects a kid’s personal information without a parent’s consent, it won’t be remembered for how innovative, fun, or powerful it was. Instead, it will be remembered as the one that steals children’s personal information.

Find out More

The FTC has online resources to help, including Complying with COPPA: Frequently Asked Questions. You can also find more information at the AgeCheq website. Founded in 2013, AgeCheq helps mobile app and game developers easily comply with COPPA by facilitating relationships between app publishers, ad networks, and parents as required by the law.

-peter (@peterdotgames)