COPPA Loophole Debunked

In my continuing efforts to shed light on the issues surrounding the US COPPA law (16 CFR Part 312), this week I’m going to talk about an aspect of the law that looks like a loophole, but it really isn’t a loophole.

Last week at Mobile World Congress, our sales team met with dozens of top game developers from around the world to discuss their strategies for dealing with the US COPPA law and its requirements for parental approval.  In a celebration of “wishful thinking”, many game developers we talked to were certain they weren’t subject to the law.   Some of them had researched the law and believed they had found a “loophole” that gave them a free pass to avoid COPPA.

Keeping in mind that COPPA was originally drafted for web sites, many of the terms in the law still refer to web sites and are not applicable to today’s world of mobile games and apps. For example, the law refers to the entity that is responsible for complying as the “operator”, instead of “developer” or “publisher”. 

The exception for “Internal Operations”

Another web-centric term that is in the law is “Internal Operations”.  The updated COPPA law appears to give an exception to any gathering of private data that is used for “Internal Operations”. Here’s the actual text of what activities are covered under the definition of “Internal Operations” in §312.2.

(i) Maintain or analyze the functioning of the Web site or online service;

(ii) Perform network communications;

(iii) Authenticate users of, or personalize the content on, the Web site or online service;

(iv) Serve contextual advertising on the Web site or online service or cap the frequency of advertising;

(v) Protect the security or integrity of the user, Web site, or online service;

(vi) Ensure legal or regulatory compliance; or

(vii) Fulfill a request of a child as permitted by §312.5(c)(3) and (4);

Wow! That seems like a “free pass”, doesn’t it? How many of those activities does your game do? Probably a few of them. If you just define your game’s privacy activity as “Internal Operations” when the FTC comes calling, you’ll be fine, right?

Sadly, no.  Although there are many preliminary versions of the law floating around the Internet and even on the FTC site, the actual, final version of the law closes this loophole by saying you can’t use private data captured under the “Internal operations” exception for anything.  Here is the exact text, with my underline emphasis:

(2) So long as The information collected for the activities listed in paragraphs (1)(i)-(vii) of this definition is not used or disclosed to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual, or for any other purpose.

Loophole closed. 

For those game developers who believe they are not subject to COPPA because of the “Internal Operations” loophole, I encourage you to be sure to always view the final, official text of the COPPA law, which can be found at the following URL:

http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title16/16cfr312_main_02.tpl

If you'd like to educate yourself on COPPA, here's a page of history and links AgeCheq has created for game developers. To learn more about COPPA directly from The Federal Trade Commission, check out this list of answers to frequently asked questions: http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions