Think your game is exempt from COPPA? Think again.
by Roy Smith on 12/20/13 02:32:00 pm

The following blog post, unless otherwise noted, was written by a member of Gamasutra’s community.
The thoughts and opinions expressed are those of the writer and not Gamasutra or its parent company.


As I’ve stated in previous blog posts, the newly updated Children's Online Privacy Protection Act (COPPA) is not well understood within the game and app development industry and I'd like to improve that situation.

At the recent GDC/Next Game Developer / App Developer's convention in Los Angeles, I spent two full days talking to exhibitors and attendees about COPPA. The level of ignorance and misinformation I encountered was stunning. 

Many professionals in the industry were not even aware of this new law that could seriously impact their business. Most that had some knowledge of it had erroneous or incomplete knowledge about the law and its potential impact on their businesses. 

Only about 25% of the people I talked to were truly knowledgeable about COPPA and what it meant to them.

The purpose of this blog post is to improve game developers’ basic understanding of COPPA 2.0 (as I call the new law as updated on July 1, 2013). Over the next couple of weeks I will follow up with additional posts that look at other aspects of COPPA in an effort to dispel the most commonly held misconceptions and myths.

Many game developers think they aren't subject to COPPA, and they are usually wrong. At GDC, I found a lot of game developers who thought COPPA didn’t apply to them. Most of them were dead wrong.

Here are the most commonly held misconceptions I heard from game developers:

“My game doesn't target kids 12-under so I'm not subject to COPPA.”

 Wrong! This is a very common misconception. Even if your game does not target kids, if you have actual knowledge or any reason to believe that kids 12-under are using your game, you are subject to COPPA. From a practical standpoint, if you publish a game and it's got 200,000 users, you probably have some kids playing it.  If your game or the third party APIs it uses captures any personally identifiable information (PII) whatsoever without prior parental consent, you are potentially on the hook for up to $16,000 per kid.

The law says the FTC can use a totality of circumstances when determining if your game targets children or not. They will make case-by-case judgment calls based on your marketing, look and feel, and the construction of the user experience.

“My game doesn't gather screen names or logins, so we're not subject to COPPA.”

Probably Wrong! The only time this would be right is if your game also never uses in-app purchases, analytics or other third party APIs, and doesn't display ads. In other words, if the game has no in-game monetization, it might not be subject to COPPA. Since most games in the app stores are free, very few games fall into this category.

“We have a parent approval button, so we're COPPA compliant.”

Wrong! COPPA prescribes a very specific sequence including positive, verifiable ID of the parent, disclosing the app's privacy policy to them, and finally getting an affirmative indication from the parent approving the child's use of the app. There must also be a way for the parent to revoke their approval, at which time you must delete all data captured by your game, as well as all data captured by your third party APIs.

“We provide a link to our privacy policy, so we're COPPA compliant.”

Wrong! See above "approval button" for a full explanation.

I’m hopeful that calling out these commonly held misconceptions around COPPA will capture the attention of game developers who have thus far ignored the law. In my next post I will address the harsh reality of what can happen to developers and publishers who don’t get COPPA compliant.

If you'd like to educate yourself on COPPA, here's a page of history and links we've created for game developers at AgeCheq. To learn more about COPPA directly from The Federal Trade Commission, check out this list of answers to frequently asked questions regarding complying with COPPA:


Anton Temba
Huh, that was interesting. I had no idea this was a real thing and that a developer could be fined heavily (16,000$ per kid, whoa) just for this, although I do realize why and what's the point with this.

By the way, what if the game itself is COPPA compliant, but there is a free internet forum or similar open message board/portal related to it provided by the developer, where potentially a child might register as a user, does the same law apply to a forum or these other things too?

Javier Degirolmo
I imagine it applies to the forum too (not the game though). This has been the case with the original COPPA since long ago, after all. This is why all forums ask if you're at least 13 years old when you register.

Michael Joseph
"...does the same law apply to a forum or these other things too?"

Yes. COPPA is not video game specific.

Chris Londrie
This seems completely unreasonable.

The only reasonable course of action seems to be making it a violation of your terms of service for any child to touch your game, period. This basically makes building a children's game effectively impossible; every single child requires that you have a parent submit something along the lines of a passport and a signed permission agreement; the overhead for such a thing will kill almost any profitability.

Zac Burns
I agree, mostly. Fortunately the list of techniques for verifying parental consent is "non-exhaustive". It remains to be seen if someone can come up with something more clever that's not so cost prohibitive.

I could foresee, for example, someone creating a service where parents could do this sort of step once and only once creating a sort of single-sign-in for parents. The app developer would just hook into this api and if the parent logs in once, that would indicate consent for that app (much simpler than repeating the elaborate process). The service would then evolve several cost-effective methods that are convenient for the parent to go through and compliant with the latest laws.

Anyway, somebody get on this.

Roy Smith
You have described what we do at AgeCheq, exactly. : )

Roy (I'm the original author of this blog)

Johan Wendin
No Chris, said Children's game could monetize on the upfront payment instead of in-app purchases or ads.

I don't think I am alone in that I'd rather know how much a game for my kids will cost me rather than hope they don't find my credit card.

E Zachary Knight

Just having an upfront payment doesn't protect you either. If your game includes any kind of online interaction with other people, it has to be COPPA compliant as well. It is the online component that puts you under the COPPA umbrella.

Roy Smith
Chris, we agree with your assessment. That's why I founded AgeCheq - to create a service that will enable the entire mobile game industry to comply with this law with a minimum of "friction" and cost.

The only way this can possibly work is if there is a single sign on for parents that covers the entire industry. That reduces the pain of positive ID to just one time. If each developer goes their own way in ID'ing parents, the parents will quickly say "enough" and that will be the end of the game industry.

AgeCheq handles the positive parental ID, the dashboard, the privacy disclosure, and the parental revocation. We also create accurate privacy disclosures that include the third party APIs your games use (push messaging, IAP, analytics, ad networks) which is also your responsibility under the law.

AgeCheq is free for developers and free for parents. Take a look -

Zac Burns
I've been reading a bit about this, and I'm a bit confused by the rules for usernames. According to here -
ntly-Asked-Questions "a screen or user name is personal information where it functions in the same manner as online contact information, which includes not only an email address, but any other 'substantially similar identifier that permits direct contact with a person online.'"

It seems then, that the permissibility of collecting a username depends on how the user treats their usernames. Does a player choose the same username as their e-mail account or twitter handle? Or their real name? How is an app developer to know?

My game collects the username of the OUYA user automatically and without permission, and even displays it to their opponents (it's a chess-like game). Whether or not that's permissible seems to depend on what sort of a username a player chooses given the wording.

What's your advice on this?

Michael Thornberg
Don't release games to US market then. Simple.

Tuomas Pirinen
Based on this info (if this is correct) pretty much every single app on App Store (and pretty much every online game of any kind, PC or Console) violates these rules. Since there are over 1 million apps on Apple store alone (and who knows how many Android, Web, PC and console games and apps), the US courts will be very busy for centuries (or millennia) to come to prosecute them all.

All the cases I've seen for COPPA are for Apps specifically targeting children. I wonder how the reality will pan out going forward? I guess the terms of service banning your game from Children under 13 is the answer.

Will Hendrickson
If you read carefully, taken from

"To determine whether a Web site is directed to children, the FTC considers several factors, including the subject matter; visual or audio content; the age of models on the site; language; whether advertising on the Web site is directed to children; information regarding the age of the actual or intended audience; and whether a site uses animated characters or other child-oriented features."

So, if you make your game super gory, with adult characters and harsh language, and have a notice that no children under the age of 13 may play, you should have an out. Since it's essentially impossible for an indie developer to comply with age verification, this seems the only option.

Please, correct me if I'm wrong! But, I can't find a single reliable way to verify parental consent that won't cost hundreds of thousands of dollars over the lifespan of a game because the only acceptable methods are:

-getting a signed form from the parent via postal mail or facsimile; these of course must be processed and if the game is not a total failure, most of the profit will be eaten up by verifying the form's authenticity

-accepting and verifying a credit card number in connection with a transaction; parents aren't going to give their credit card to an in-game dialogue, so this one's totally out

-taking calls from parents, through a toll-free telephone number staffed by trained personnel; I don't even have an office, so setting up a call center is definitely not feasible

-email accompanied by digital signature; how many parents actually know how to use digital signatures?

All of which are totally inaccessible by independent developers like myself.

I'll admit that I'm quite pissed off about all of this.

First of all, the idea that this will actually protect children from harassment, or abuse of personal information online, is totally absurd. Once parental consent is given, the child can still be bullied by other players, their accounts can still be hacked even with the best security measures available, and most parents are still totally ignorant of the realities of online interaction. Plus, parents sending in their credit card info will just make them more vulnerable to attack.

Second, the cost of compliance is absolutely prohibitive except to major corporations like Microsoft or Sony, because most indies can barely afford to create the game itself, much less purchase, rent, or construct and then staff, supervise and manage a call center or mail-form processing operation. And companies like Lexis Nexis that do offer age verification solutions are not open to small developers.

Finally, I'm frustrated that the ignorance of so many foolish parents can be so destructive. As part of being a game designer, I study psychology, and it is clear that legislation like this is usually pushed through by two converging forces: the desire of large corporations to control the market by forcing out smaller ones (which has occurred repeatedly in the past with similar cases, requiring very expensive compliance to blanket legislation even by tiny entities who can't afford it), and the ignorance of parents who think it's actually possible to verify someone's identity online (which feeds the first cause further):

So I guess for now, just making sure that my games in no way "target" children is the only real defense I have. I guess I'll have to amp up the gore and cursing a bit (adding gibbs and fluid-physics blood should do it nicely), and remove children from the game entirely (even though a medieval society with no children is ludicrous), and just for good measure add a roadblock both on the website and the game itself that states no children under 13 may use either. Will that even be enough? I guess I'll have to find out the hard way if it isn't because I'm out of options.

Roy Smith
This is definitely a murky situation for developers so we created a quick 4 question survey that any gamedev can take that will give you a definitive email response showing you the exact part of the law you are subject to (or not, depending on your honest answers to the survey). Take the survey at