Since I started blogging here in 2014, I’ve discussed how COPPA (and later, GDPR) are going to change the mobile gaming world. To some degree, I was the guy saying “The sky is going to fall”. And for a long time, not much happened.
The FTC appeared unwilling to enforce COPPA, even when faced with an extremely egregious violation in the form of the 2015 VTech data breach, which exposed all sorts of private information of millions of children – probably the worst imaginable COPPA infraction. Three years later, the FTC fined VTech just $650,000.
Today, a lot has changed. GDPR has been in force for over a year and is finally beginning to be enforced: France's CNIL broke the ice with a €50M fine against Google, and the UK ICO followed by announcing intended fines of £183M for British Airways and £99M for Marriott, both for data breaches. Unrelated to GDPR, in July the FTC fined Facebook $5 billion for violating a 2011 consent decree, and many privacy advocates declared the fine too low. Because the US has no general federal privacy law, many U.S. states have been passing their own privacy regulations modeled on GDPR; Nevada's takes effect in just a few weeks, with California's and Maine's following in 2020.
And this week, following a year-long investigation, the FTC and the State of New York announced a mammoth $170M COPPA fine against Google ($136M to the FTC and $34M to New York) for collecting persistent identifiers from viewers of child-directed YouTube channels, and serving them targeted ads, without parental consent.
Even though this fine is 30 times larger than any previous COPPA fine, many have pointed out that against Google's $130+ billion in annual sales it equates to a few hours' worth of revenue, hardly a deterrent. I'm not here to debate the size of the fine.
So what is my point?
I think game publishers need to understand the megatrends that are running behind these recent actions, with an eye toward where things are going in the next couple of years. I’ve referred to this megatrend as the “Privacy Tsunami” many times and I still think the name is very apt.
GDPR is the tip of the spear of a global backlash against the massive amount of surveillance, tracking and outright data theft that characterized the first 20 years of the Internet age. Regulation is finally catching up with technology. The number and severity of these backlash regulations have increased, and I feel comfortable saying that within a few years, every market you care about will have a stiff privacy regulation in place.
With virtually no COPPA enforcement since the updated COPPA Rule took effect in 2013, you may wonder why regulators have suddenly imposed three large COPPA penalties in the last 9 months: the New York Attorney General's $5M settlement with Oath, followed by the FTC's $5.7M fine of TikTok and now the $170M fine of Google.
Here's my take: it's political. In the US we do not have a single federal privacy regulation, just a patchwork of balkanized sector-specific privacy regs, of which COPPA is one; HIPAA is another. As the privacy tsunami has come ashore over the past few years, pressure has mounted for Congress to create a comprehensive federal privacy law similar to GDPR. Unfortunately, Washington has been beset by partisan gridlock since 2012, and other than press releases about privacy, very little has been done.
The vacuum was filled in an odd way. In 2017 a California real estate developer named Alastair Mactaggart, dismayed at how much private information was being collected and how much tracking was being done on the web and in apps, spent several million dollars gathering signatures for a ballot proposition that California voters could vote directly into law.
The initiative easily gathered enough signatures to qualify for the November 2018 ballot. The tech cabal in Silicon Valley realized their days of blissful surveillance and data capture were coming to an end. Rather than let Mactaggart's proposal go to a vote (where, if approved, it would take effect and be nearly impossible for the legislature to amend), the tech lobby made a last-minute deal with Mactaggart, and used its political power to rush a watered-down bill through both houses of the California legislature in exchange for the initiative being withdrawn. And that's how the California Consumer Privacy Act became law - as a jumbled, self-conflicting patchwork, literally thrown together in a few days.
With many similarities to GDPR, CCPA goes into effect on January 1, 2020. Many other states have their own GDPR-like regulations pending or, in the case of Maine and Nevada, passed. In short, we are heading for a world where most states have their own privacy regulation, fines and enforcement agency, an example of the states gaining power and the federal government losing it through its own gridlock.
So, lacking any ability to pass new privacy laws, what was left for Washington to do? Wait, we have this old child privacy regulation that's been on the books for 19 years! Let's enforce that so we look like we're an effective part of the global privacy tsunami!
So that is why COPPA is now a red-hot topic, and you can expect many more COPPA fines in the coming months. It is also why the FTC has agreed to advance its scheduled 10-year COPPA review by 4 years and is currently seeking public comment on ways to improve COPPA.
Based on the Google settlement and several other investigations of which I am aware, I'm here to tell you that COPPA isn't going to be a joke for game publishers anymore. With EU regulators now aggressively enforcing GDPR, CCPA taking effect January 1 (with the California attorney general able to bring enforcement actions by July 1, 2020), Nevada's attorney general enforcing SB220 from October 1, and a revitalized and motivated FTC focused on COPPA, I'm strongly suggesting that game publishers "get your privacy act together".