In my continuing efforts to shed light on the issues surrounding the US COPPA law (16 CFR Part 312), this week I’m going to talk about another aspect of the law that looks like a great way to reduce the friction of compliance, but really isn’t a good solution.
When COPPA 1.0 was created back in the late 1990s, the web site “operators” who were going to be subject to the law were understandably unhappy with the inconvenient methods the law offered for validating that someone was a parent before they could approve their child’s use of the web site. They were able to get an additional method of verifiable parental identification (VPI) into the law called “Email Plus”. At first glance, “Email Plus” seems like a boon to compliance because it’s easy for parents to do and easy for web operators to administer.
Here’s how it works:
- The operator asks the child for the email address of the parent
- The operator sends an email to that email address with a privacy disclosure for the website and a request for the parent to give their permission by return email (typically a click on a coded link).
- If the parent clicks “approve”, the operator waits for an undetermined period of time and then sends a confirming email to the same address, obtaining a second validation from the parent that they really did approve. This extra step is the “plus”.
Sounds great, doesn’t it?
Here’s the problem. It’s quite easy for a child to provide their own email address if they have one, then impersonate their parent and approve whatever they want. The time delay only helps if the child had commandeered the parent’s email address for a short time; a child using their own address passes both steps. Since anyone can supply any email address, this method does not really result in a “Verifiable Parental Identification”. But the claims from web sites that other, more invasive VPI methods could put them out of business were valid. So the FTC created an “Exception” for Email Plus.
Under the law, when your site or app uses “Email Plus” to validate the parent prior to getting approval, the data you capture, even with positive parental approval, cannot be used for anything except “Internal Operations” (see this previous blog post debunking this COPPA loophole). Let’s be clear about it: if you use Email Plus, your game can’t use any third party APIs, like ad networks, analytics, crash tests, screen caps, social networking, or leaderboards.
Because modern mobile games are built on many third party APIs, the net effect is that you really can’t use “Email Plus” if your game wants to do anything interesting. And that, my friends, is why “Email Plus” is not the COPPA compliance solution you may have thought it to be.
If you'd like to educate yourself on COPPA, here's a page of history and links AgeCheq has created for game developers. To learn more about COPPA directly from the Federal Trade Commission, check out this list of answers to frequently asked questions: http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions
Because there are numerous “incomplete” versions on the web, I encourage you to always view the final, official text of the COPPA law, which can be found here: http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title16/16cfr312_main_02.tpl