It’s the middle of February, which is a time when many people remember the New Year’s resolutions they made in a haze of Seacrest and champagne and realize that they’ve already subconsciously given up on them without even trying. I mean, really, what was the point of making my annual “spend more time outside” resolution when I knew I had to defeat the increasingly untamed Phogoth for the 17th time so that I could upgrade my Exotic weapons so it would be easier to beat him for the 18th time? (Damn you, Destiny)
While most New Year’s resolutions are better left unmade to begin with, app and game developers almost certainly overlooked one resolution that they all should have made for 2015: to finally get serious about complying with the Children’s Online Privacy Protection Act (COPPA).
Many companies don’t know that an amendment to COPPA was put in place in July 2013 that made tweaks that are especially applicable to mobile developers. While the FTC has given everyone some time to figure it out, it looks like the commission is getting more and more serious about ensuring that companies, and app/game developers in particular, are in compliance.
At its most basic, COPPA is a regulation that prohibits websites and online services (which now include mobile apps) from collecting “personal information” from children 12 and under unless they first notify the child’s parent and get their consent. Because it’s a government regulation, COPPA is surprisingly complicated, especially after its amendment, so this post isn’t designed to spell out everything. I want to highlight two aspects of COPPA that, from my experience, are most commonly misunderstood by mobile developers.
Not just for kids
The first important point to understand is that COPPA doesn’t only apply to kids games. While having an app that specifically targets children 12 and under automatically puts you under COPPA’s grip, you are also obligated to comply with COPPA if you knowingly collect information from children 12 or under, regardless of the target age of your game. You could be releasing the photorealistic game version of the Red Wedding, but if you know one of your players is 12 or under and you collect “personal information” from that user without complying with COPPA’s parental notification/consent requirements, you’ll be in violation of COPPA.
So how do you know someone’s 12 or under? Quite simply: You ask for age information at some point in the registration process. This is a common mistake that many developers make. They have a game that doesn’t obviously target children, so they think they don’t need to worry about COPPA. But then they collect age information during the registration process and unwittingly pull themselves back under COPPA’s shadow. Think it’s not a big deal? Ask Yelp.
Unless you’re prepared to take the significant backend steps required to treat users differently who identify themselves as being 12 or under, you should take a cue from these random stormtroopers and avoid asking for age information.
It’s more than personal now
The second important point comes courtesy of the 2013 amendment to COPPA. Most of us understand “personal information” to be data that’s truly personal such as a name, phone number, or physical or electronic mailing address, which is how the original COPPA regulation defined it. Under the amendment, however, the definition of “personal information” has been expanded to include data that used to be seen as nonpersonal. The most important change is that specific geolocation information (enough to identify a street name and town) and persistent identifiers like device IDs are now seen as personal information for the purposes of COPPA. Therefore, except in limited circumstances (discussed below), if you plan to collect that kind of data through a children’s game or from users you know to be 12 or under, you are obligated to go through the parental consent/notification process.
I don’t need to tell you that the collection of specific geolocation information and persistent identifiers is common practice. Plenty of child-themed games come out without any registration process but still collect device IDs. If those device IDs are shared with third parties, who use them to serve behavioral advertising through the game (for example), the applicable developers are in violation of COPPA. Numerous games and apps also collect specific geolocation information. While asking for permission in a popup is good practice, it doesn’t protect you if you’re doing it in a child-directed game or with users who have previously identified themselves as being 12 or under.
The FTC was nice enough to create one confusing exception to this: COPPA permits the collection of persistent identifiers without the need for parental notification/consent only if they’re being used for “internal operations;” However, the definition of “internal operations” is somewhat tricky and not at all fleshed out yet, so it’s still important for you to be aware of the issue and talk to your counsel if you’re collecting persistent identifiers.
You know you’re never going to start that P90X routine. The least you can do is understand the risks that come with COPPA and make sure you take them seriously this year.