This week I'm going to talk about common misconceptions about COPPA we hear every day when we talk to game developers. It's my goal to get the game development community to better understand the new version of the US COPPA law (or, as we in the business call it, 16 CFR Part 312).
I hear this literally every day. There's a good reason why developers think they are in compliance with COPPA … they probably are in compliance with the ORIGINAL version of the law, which was put in place in 2000. The original COPPA (we call it COPPA 1.0) was designed only for web sites (smartphones didn't exist in 2000), and the intent of the original COPPA was to protect children from web pages that requested private information about them. You can view a summary of COPPA 1.0 here.
To comply with the original COPPA on your website, all you had to do was have an accurate "Privacy Disclosure" page, and get a parent's approval before you could ask a child for any personally identifiable information ("PII", in FTC lingo).
A tale of two COPPAs
COPPA 1.0 was an effective law, and the FTC occasionally fined web sites that did not adhere to it. The potential penalty for non-compliance is big: up to $16,000 per child affected. That can add up. In 2008, Sony was fined $1,000,000.00 and in May 2011, Disney-owned PlayDom was fined $3,000,000.00 for COPPA violations.
As the iPhone and other smartphones grew to dominate the market, their ability to collect PII gave rise to all sorts of new privacy issues that could not have been envisioned in 2000. The FTC spent the better part of three years working on an update to the COPPA 1.0 law that would protect children's privacy as they used mobile devices, either on websites or on apps and games. The updated law (which we refer to as COPPA 2.0) was approved in December 2012 and it went into effect on July 1, 2013. You can view a summary of COPPA 2.0 here.
There's a new sheriff in town … COPPA 2.0
Just because you were compliant with COPPA 1.0, you are not automatically compliant with COPPA 2.0. 2.0 goes a LOT farther in protecting children's privacy, and requires much more of game developers and parents than the original law did. Here's the bottom line:
If you think you are not subject to COPPA 2.0 because you don't "Target Kids Under 13", you are probably wrong.
The law says that no matter whether you target kids or not, if you have "actual knowledge" that kids are using your game, you are required to handle them in a COPPA compliant way. "Actual knowledge" is an inexact legal term but the FTC tried to spell it out better in a FAQ post in July.
Let's say your new word game has 10 million downloads … what are the chances that not one child under 13 is playing the game? Zero. What are the chances that just 1% of the users are kids? Fairly good. That's 100,000 kids! All it takes for the FTC to fine you is one irate parent filing a complaint about your game capturing a screen name, a photo, or an email address. Whether you monetize with IAP or advertising, both of those activities capture PII and therefore fall under the COPPA 2.0 regulations.
The only way you can truthfully say that COPPA 2.0 doesn't apply to your game is if your game does not capture any user information at all, does not use advertising, and does not offer in-app purchases. We know of very few games that meet those criteria.
If you'd like to educate yourself on COPPA, here's a page of history and links AgeCheq has created for game developers. To learn more about COPPA directly from the Federal Trade Commission, check out this list of answers to frequently asked questions: http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions