What is COPPA?
The Children’s Online Privacy Protection Act of 1998 (whose implementing rule took effect in April 2000) is a United States federal law that regulates what personal information may be collected online from children under 13 years of age, and how.
In July 2013, a revised rule took effect that modernized the language, made explicit that mobile apps and other online services are covered, not just websites, and extended the obligations to 3rd parties (such as ad networks and external analytics services) that collect data through child-directed apps and sites. The definition of personal information also grew to include persistent identifiers, geolocation, and photos, video and audio of a child.
COPPA also dictates how privacy and data-collection policies should be disclosed, as well as how parental consent can be obtained to allow for the collection of identifying information on children under 13.
Why is it important?
The law is meant to protect children from sending personal data online, entering agreements they cannot legally consent to, falling prey to online predators, and being exploited by organizations for their personal data.
Why is it important for video games and smart toys?
As video games and toys utilize more online services for multiplayer, cloud saves, and AI, the industry encroaches on COPPA territory.
Game developers and toy designers shouldn’t fear COPPA. We should look at the requirements set forth in it as a base to help the industry be more responsible with children’s data, and our compliance should be seen as a badge of honor that we are producing safer products and services.
Keep COPPA in mind
Don’t save privacy and COPPA for last! It’s definitely something you want to keep in mind from the beginning, or you may face difficulties retrofitting components that are already designed, qualifying 3rd-party providers (for online storage and analytics), and finding time to make it all happen before launch.
It’s always a good idea to bring up privacy in meetings about features. “How does this affect privacy?” and “Does this align with COPPA?” are questions that should be asked every step of the way.
A quick guide of COPPA compliance for game developers
What content is regulated?
COPPA applies to operators of websites and online services that are directed to children under 13, or that have actual knowledge they are collecting personal information from a child under 13; a stand-alone offline game is outside it. If your game uses online services (accounts, multiplayer, cloud saves, analytics), those services must conform to COPPA rules. If your game is hosted on a website and plays in a browser or streams, it must also conform. If your game is downloaded from a website, that website must conform.
Workinman’s Advice: Keep track of what data is sent and stored online and make those components conform to COPPA. As general practice, while your offline content does not need to conform, why not take the extra precautions and limit local data collection and storage as well, making your product safer for children overall.
What audience does COPPA apply to?
Children under 13 years of age, and (indirectly) their parents/guardians.
Workinman’s Advice: If your product is not intended for users of this age, or you’d rather not deal with COPPA policy, you can disallow access for users under 13. Be aware that this only works for a general-audience product: a game whose primary audience is children (judged by subject matter, characters, art style, advertising and the like) cannot use an age gate to screen children out, and the FTC treats all of its users as children under 13.
Create and post a Privacy Policy
This is the most important step. You should create a clear and comprehensive privacy policy for your game or toy app. It should be accessible to users before and after they purchase/install/access the app, and linked from every place where personal information is collected. It should address specifically what personal information is collected from children under 13, how it is used, and whether it is disclosed to 3rd parties. Note that the posted policy does not replace the separate direct notice to parents that COPPA requires before collecting a child’s information.
Workinman’s Advice: Either write your privacy policy so it’s short and to the point, or put important bullets at the top so readers can know the important facts first and foremost. No one likes long legal text.
Don’t collect and store personal identifying information
If a bit of information can be used to help identify someone under 13 years of age, or their location, you should avoid collecting it.
Personal information that should not be collected:
- First and last name.
- Address: street and city/town.
- Online contact information, such as an e-mail address.
- A screen or username that functions as online contact information (screen and usernames that have no contact capabilities are fine).
- A persistent username or identifier that, if used across multiple sites and services, could potentially lead to identification of the user.
- Additional information about the child that is collected and stored with the username/persistent identifier described above. For example, Jim25’s favorite color: blue and favorite animal: zebra. Jim25:Blue:Zebra may be used to identify the user by correlating data found across the many services that share that identifier and information.
- A telephone number, including a Skype number.
- A photograph, video, or audio file, where such file contains a child’s image or voice.
- A photograph or video, where from the child’s location can be deciphered.
- Geolocation information sufficient to identify street name and name of a city or town; or
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.
Workinman’s Advice: Review what information you really need for your game to properly function. Does that information need to be passed online or can it exist only locally? What alternative bits of information can be used instead of the prohibited ones?
Need help? Contact us! COPPA-compliance for games is our expertise!
Obtain parental consent for personal data collection and give them access to manage it.
If you really do need to collect personal information from children under 13, you must notify parents and obtain verifiable parental consent, and the consent must be obtained before the information is collected. A checkbox on an online form is not enough. The FTC’s rule lists methods that are reasonably calculated to reach the parent rather than the child: a signed consent form returned by mail, fax or scan; a credit or debit card transaction that produces a notification to the account holder; a call to trained staff on a toll-free number; a video conference; or checking a government-issued ID against a database (and deleting it afterwards). The lighter “email plus” method (consent by e-mail followed by a confirming e-mail, letter or call) is allowed only when the information is used internally and never disclosed.
3rd-party consent
Under this requirement, parents who give consent must also be given the choice to allow collection and internal use of their child’s information without consenting to its disclosure to 3rd parties.
Review and deletion
Parents should also be given the option to review and purge any information collected (unless that information is purged by the online service operator and no longer exists).
Opt-out
Parents should be given a master switch to opt-out of further data collection for their child, effectively stopping the permission they have previously given.
Workinman’s Advice: While there are many methods for obtaining proper parental consent, they are typically involved and not something you want to make mandatory as a part of your game or toy’s setup. If the parental permission route is chosen, the infrastructure for parents to review, purge and opt out of the data may need to be built, and this adds to development costs. Our advice is to avoid this unless it is absolutely necessary, and if it is, we can design a cost-effective method to streamline parental consent without causing usability problems.
Securely transfer and store the information you collect
Not only should you use secure protocols (TLS) for transferring data online and encrypt it where it is stored, you should also secure every physical or virtual point of access. Doors should lock to prevent unauthorized access to servers and terminals, employees should be trained on security and the ethics of handling information, and the data repository should never be made portable (carried on a laptop where it can be lost or stolen).
Workinman’s Advice: Make sure employees are aware of COPPA and what it means to protect this data. A thorough company data security policy is key, and ethics training on how to properly safeguard children’s data can go a long way towards securing it. If data needs to be backed up or carried on a laptop, separate or leave out the identifying fields.
Quickly and Correctly purge data when you are done using it
Compile reports quickly, and once data is aggregated, sever it from identifying information and delete what’s no longer relevant. If a child’s account is deleted, or the product is discontinued or no longer functions, the corresponding data should be removed. A company should take reasonable measures to prevent the permanence and proliferation of a child’s data.
Workinman’s Advice: If you are using data for analytics purposes, you can generate aggregate reports regularly and then purge at the individual level. There’s no reason to hold onto a child’s information indefinitely.
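As an added example for the two points above (it is not Workinman’s code and not part of the original article), the JavaScript below shows the two habits in working form: stripping identifying fields from a record before it goes into a backup, and rolling per-user analytics events up into a report so the individual rows can be purged. The field names, the sample record and the sample events are constructed for illustration, and the rule that drops any report row fed by fewer than five distinct users is an assumption about what “aggregate” should mean, not something COPPA spells out.

```javascript
// Added example for this article (not Workinman's code): keeping a child's
// identifying fields apart from game data before a backup leaves the primary
// store, and rolling per-user analytics events up into a report so the
// individual rows can be purged. Field names and sample data are constructed.

// Fields that, per the list above, identify a child or tie records together.
// userId is included because a persistent identifier plus "favorite color:
// blue" is exactly what lets data sets be joined across services.
const IDENTIFYING_FIELDS = new Set([
  "userId", "firstName", "lastName", "email", "street", "city", "phone", "geo",
]);

// Copy of `record` without identifying fields (e.g. for a backup or a laptop).
function stripIdentifying(record) {
  const out = {};
  for (const [k, v] of Object.entries(record)) {
    if (!IDENTIFYING_FIELDS.has(k)) out[k] = v;
  }
  return out;
}

// Constructed sample account record.
const SAMPLE_RECORD = {
  userId: "u1", firstName: "Jim", email: "jim@example.com",
  favoriteColor: "blue", favoriteAnimal: "zebra", level: 25,
};

// Constructed sample analytics events (ISO timestamps, one user id each).
const SAMPLE_EVENTS = [
  { userId: "u1", event: "level_up", timestamp: "2017-06-01T09:00:00Z" },
  { userId: "u2", event: "level_up", timestamp: "2017-06-01T09:05:00Z" },
  { userId: "u3", event: "level_up", timestamp: "2017-06-01T10:00:00Z" },
  { userId: "u4", event: "level_up", timestamp: "2017-06-01T11:00:00Z" },
  { userId: "u5", event: "level_up", timestamp: "2017-06-01T12:00:00Z" },
  { userId: "u1", event: "level_up", timestamp: "2017-06-01T13:00:00Z" },
  { userId: "u1", event: "purchase", timestamp: "2017-06-01T13:30:00Z" },
  { userId: "u2", event: "purchase", timestamp: "2017-06-01T14:00:00Z" },
];

// Roll events up into counts per (day, event). Buckets fed by fewer than
// `kMin` distinct users are dropped (assumed threshold): a row describing two
// children is nearly as identifying as a row about one. Returns the report
// and an emptied event store, which is the point: nothing individual-level
// survives the aggregation step.
function aggregateAndPurge(events, kMin = 5) {
  const buckets = new Map();
  for (const e of events) {
    const day = e.timestamp.slice(0, 10);
    const key = `${day}|${e.event}`;
    if (!buckets.has(key)) {
      buckets.set(key, { day, event: e.event, count: 0, users: new Set() });
    }
    const b = buckets.get(key);
    b.count += 1;
    b.users.add(e.userId);
  }
  const report = [];
  for (const b of buckets.values()) {
    if (b.users.size >= kMin) {
      report.push({ day: b.day, event: b.event, count: b.count, users: b.users.size });
    }
  }
  report.sort((a, b) => `${a.day}|${a.event}`.localeCompare(`${b.day}|${b.event}`));
  return { report, remainingEvents: [] };
}
```

With the constructed data, the backup copy of the record keeps only favorite color, favorite animal and level, and the report contains one row (six level-ups from five users on 2017-06-01); the two purchases are dropped because only two users made them, and the individual event rows are gone.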
What about smart toys
For smart toys that connect directly to the internet, the online service used must comply with COPPA.
For toys that connect to a phone or tablet using Wi-Fi or Bluetooth (BLE), the companion app the toy connects to is the focus. If the app utilizes online services, then the app must comply.
Workinman’s Advice: We highly recommend that smart toys, even when not using online services, apply the principles of COPPA: limit what the toy and its companion app collect locally, and if you do collect something, keep it safe. This means limiting, securing, encrypting, and purging data held either on the toy itself or in the companion app. See our article on Connected Toy Security for tips.
What are the penalties for COPPA violations?
Penalties vary and are determined in court or, more often, by settlement. The maximum civil penalty, adjusted for inflation, was $40,654 per violation as of 2017, but the resulting fine is typically based on a variety of factors, such as intent, number of children involved, past violations, the type of data, and how the data was used. Because the fines could be very damaging to small businesses, the size of the company may also correlate to the final fine total.
Workinman’s advice: penalties will most certainly outweigh the benefits and revenue obtained from collecting information illegally. The courts will make sure of it.
COPPA outside of the United States?
For the most part, the United States’ rules for children’s privacy have been a step ahead of most countries. For example, while the Office of the Privacy Commissioner of Canada has issued guidance on children’s online privacy that is very much like COPPA, it is guidance under Canada’s general privacy law (PIPEDA) rather than a child-specific, enforceable statute, at least as of 2017.
Many countries require consent regardless of the age of the user. The EU, Japan, Lithuania, Portugal, and others require unambiguous consent from the user if personal information is to be collected. In the case of children, this kind of consent is debatable, as they may not be able to read the terms, understand them, or legally enter a contract. The EU’s General Data Protection Regulation, which applies from May 2018, settles the question for online services offered to children: a child’s own consent is valid only from age 16 (member states may lower the threshold to 13), and below that age it must come from the holder of parental responsibility.
The overwhelming majority of countries require upfront and accessible disclosure of what information is being collected and how it is being stored and used, usually in the form of a Privacy Policy. If you are deploying your product overseas, we highly recommend reviewing the local privacy laws and updating (as well as localizing) your privacy policy to comply.
Game Developers that are COPPA experts
The FTC’s website has a record of all its COPPA cases against app publishers, including details of the violations, arguments, and settlements. After a quick review, one thing becomes painfully clear: these developers were ignorant of the law and how to abide by it. Don’t make the same mistake when choosing your contract developer and then get stuck with the bill later on.
For over a decade, Workinman Interactive has been developing web games and connected apps for the youth market with a perfect COPPA record. We know exactly what to do to keep our content safe and secure, not only for kids, but for users of all ages. Simply put: the best way for you to be sure you are following COPPA in your games and apps is to make sure your developers are.
Interesting COPPA facts
Microsoft’s registration process charges a small fee to verify COPPA consent from parents. The fee is charged through a credit card transaction, which helps prove the consent is actually done by an adult. This fee is donated to the National Center for Missing and Exploited Children.
While the Federal Trade Commission (FTC) has the authority to issue regulations and enforce COPPA, state attorneys general may also bring civil actions in federal court on behalf of their residents, and a handful of other federal regulators enforce it against the institutions they oversee. COPPA is enforced through civil actions and penalties, not criminal charges.
The FTC has approved seven “safe harbor” programs: TRUSTe, ESRB, CARU, PRIVO, Aristotle, Inc., kidSAFE, and iKeepSafe, in an effort to let the industry self-regulate. Operators that join a program are subject to its review and disciplinary procedures in lieu of formal FTC investigation. These programs inspect and certify websites and online services for COPPA compliance and other privacy/security standards.
The FTC acknowledges that in order to determine whether a user is under 13, an online service has to ask for age or a birthdate, and collecting that for the purpose of age screening is permitted. The FTC recommends asking in a neutral way that does not encourage falsification (for example, asking for a full birthdate rather than “Are you 13 or older?”), and using a session cookie or similar mechanism to prevent a second attempt after the user has been told that access is restricted due to age.
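As an added example (not Workinman’s code and not from the original article), here is a server-side age gate in JavaScript that follows the guidance just described and the “disallow access for users under 13” advice earlier on the page. It asks for a full birthdate with no hint at the cutoff, computes the age on the server, and on an under-13 answer sets a session cookie so a reload or back-button retry is refused. The cookie name, the form field name and the sample dates are assumptions for illustration.

```javascript
// Added example for this article (not Workinman's code): a server-side age
// gate in the style the FTC guidance describes. The form asks for a full
// birthdate without hinting at the cutoff; the server computes the age; an
// under-13 answer sets a cookie so a back-button or reload retry is refused.
// The cookie name and field names are illustrative.

const GATE_COOKIE = "age_gate"; // hypothetical cookie name
const MIN_AGE = 13;             // COPPA threshold

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Whole years between an ISO birthdate (YYYY-MM-DD) and `today` (a Date,
// compared in UTC). Returns null for malformed, impossible or future dates so
// the caller treats them as a failed answer rather than as an adult one.
function yearsOld(birthdate, today) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(birthdate || "");
  if (!m) return null;
  const y = Number(m[1]), mo = Number(m[2]), d = Number(m[3]);
  const dob = new Date(Date.UTC(y, mo - 1, d));
  // Date.UTC silently rolls 2010-02-30 over to March 2nd; reject such input.
  if (dob.getUTCFullYear() !== y || dob.getUTCMonth() !== mo - 1 || dob.getUTCDate() !== d) return null;
  if (dob.getTime() > today.getTime()) return null;
  let age = today.getUTCFullYear() - y;
  const hadBirthdayThisYear =
    today.getUTCMonth() > mo - 1 ||
    (today.getUTCMonth() === mo - 1 && today.getUTCDate() >= d);
  if (!hadBirthdayThisYear) age -= 1;
  return age;
}

// Evaluate one gate submission. `cookieHeader` is the request's Cookie header,
// `birthdate` the submitted form field, `today` is injectable for testing.
// Returns { allowed, reason, setCookie } where setCookie is a Set-Cookie
// header value to emit, or null.
function evaluateAgeGate({ cookieHeader, birthdate, today = new Date() }) {
  const cookies = parseCookies(cookieHeader);
  // An earlier under-13 answer in this browser session is final: no second try.
  if (cookies[GATE_COOKIE] === "blocked") {
    return { allowed: false, reason: "previously blocked", setCookie: null };
  }
  const age = yearsOld(birthdate, today);
  if (age === null) {
    return { allowed: false, reason: "invalid birthdate", setCookie: null };
  }
  if (age < MIN_AGE) {
    // No Max-Age, so this is a session cookie (what the FTC guidance suggests);
    // HttpOnly keeps page scripts from clearing it; Secure and SameSite=Lax keep
    // it off plaintext connections and cross-site requests.
    return {
      allowed: false,
      reason: `under ${MIN_AGE}`,
      setCookie: `${GATE_COOKIE}=blocked; Path=/; HttpOnly; Secure; SameSite=Lax`,
    };
  }
  return { allowed: true, reason: "age ok", setCookie: null };
}
```

Two caveats. The gate computes age from the full date, so a child whose 13th birthday is tomorrow is still blocked today, and impossible dates (February 30th) or future dates are treated as a failed answer rather than an adult one. And, as noted earlier on the page, a gate like this is only appropriate for a general-audience game; a game whose primary audience is children cannot use it to screen children out.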
The largest COPPA settlement as of this writing (2017) was a $3,000,000 fine imposed in 2011 on Playdom, Inc., an online gaming company, for collecting, using, and disclosing the personal information of children under the age of 13 without their parents’ consent. The company collected the personal information of about 1,224,000 children across two online services. The average per child: $2.45.