As I’ve stated in previous blog posts, the newly updated Children's Online Privacy Protection Act (COPPA) is not well understood within the game and app development industry and I'd like to improve that situation.
At the recent GDC/Next Game Developer / App Developer's convention in Los Angeles, I spent two full days talking to exhibitors and attendees about COPPA. The level of ignorance and misinformation I encountered was stunning.
Many professionals in the industry were not even aware of this new law that could easily put them out of business. Most of those who had heard of it held erroneous or incomplete views about the law and its potential impact on their businesses.
Only about 25% of the people I talked to were truly knowledgeable about COPPA and what it meant to them.
I’ve spent the last few posts attempting to improve game developers’ basic understanding of COPPA 2.0 (as I call the new law as updated on July 1, 2013). Over the next couple weeks I will follow up with additional posts that explain the hidden pitfalls that await game developers who take a casual approach to complying with the COPPA law.
FACT: Under COPPA 2.0, the game developer is responsible for not only the private data captured by the game itself, but also for the privacy issues of EVERY THIRD PARTY API THE GAME USES.
These days, very few games operate without the use of some sort of third party Application Programming Interface (API). Since most games are published under the “Freemium” model, in-app monetization provides the main revenue source for most developers. For the first time, developers are now responsible for the privacy practices of all third party services they use.
The law puts developers into a tough situation of having to know in great detail the privacy activity of every third party API their app uses. Here’s an example of a popular top 50 iOS app (name redacted) showing how many third party APIs the app uses.
Under the new COPPA 2.0 law, this developer is required to disclose to a parent an aggregation of all the personally identifiable information (PII) that is captured by all of these ad networks, as well as any PII captured by the game itself. Without some sort of central PII clearinghouse that would provide this information, creating an accurate privacy disclosure could take a developer weeks.
FACT: When any aspect of the privacy activity of your game is changed, you must notify the parent, and give them the option to revoke their permission for their child to play your game. If they do revoke their permission, you must delete all PII that you captured from their child AND YOU MUST NOTIFY ALL THIRD PARTY API PROVIDERS TO DO THE SAME.
This feature of the COPPA 2.0 law is a mind blower for many developers when they finally understand it. After positively identifying a parent, showing them an accurate PII disclosure, and getting their affirmative permission for the child to play the game, you’d think that would be it. Not so … the FTC strives to protect children from “creeping privacy encroachment”, where approved apps secretly add privacy-capturing features following an app store update.
Think what this means to you from a practical standpoint ... assume you are the developer of the app shown above. If one of your ad networks changes their PII strategy in any way, you are now required to resubmit the privacy disclosure to the parent so they can approve the changes.
To be properly COPPA compliant, all third party API providers whose services are used in games must notify all of their customers any time they make a change to their PII data collection strategy.
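To make the obligations above concrete, here is an added example (my own illustration, not AgeCheq code or any FTC-specified mechanism) of how a game's consent registry can model them: the aggregated PII disclosure across the game and every third party service, a parental consent bound to a digest of that disclosure so that any change by any provider automatically invalidates it, and a revocation that deletes the child's PII locally and fans out deletion requests to every provider. The service names, PII field names and child/parent identifiers are constructed sample values; the `request_deletion` callback stands in for whatever deletion API a real provider exposes.

```python
"""Consent registry modelling the COPPA 2.0 obligations described in the post.

Added example, not AgeCheq code. Assumptions: each third-party service declares
the PII fields it collects; a parent's consent is bound to a SHA-256 digest of
the aggregated disclosure; any change to that disclosure makes consent stale;
revocation deletes the child's PII locally and notifies every service.
"""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class ThirdPartyService:
    """A third-party API/SDK used by the game and the PII it declares collecting."""
    name: str
    pii_fields: set
    deletion_requests: list = field(default_factory=list)  # records the fan-out

    def request_deletion(self, child_id):
        # Hypothetical stand-in for the provider's real deletion API.
        self.deletion_requests.append(child_id)


class ConsentRegistry:
    def __init__(self, game_pii, services):
        self.game_pii = set(game_pii)
        self.services = {s.name: s for s in services}
        self.consents = {}    # child_id -> (parent_id, disclosure digest at consent time)
        self.child_pii = {}   # child_id -> PII stored by the game itself
        self.pending_reconsent = set()

    def aggregated_disclosure(self):
        """What the parent is shown: who collects which PII, game and third parties."""
        disclosure = {"game": sorted(self.game_pii)}
        for name, svc in sorted(self.services.items()):
            disclosure[name] = sorted(svc.pii_fields)
        return disclosure

    def disclosure_digest(self):
        canonical = json.dumps(self.aggregated_disclosure(), sort_keys=True)
        return hashlib.sha256(canonical.encode()).hexdigest()

    def record_consent(self, parent_id, child_id):
        """Bind the parent's approval to the exact disclosure they approved."""
        self.consents[child_id] = (parent_id, self.disclosure_digest())
        self.pending_reconsent.discard(child_id)

    def is_consented(self, child_id):
        entry = self.consents.get(child_id)
        return entry is not None and entry[1] == self.disclosure_digest()

    def store_pii(self, child_id, **fields):
        if not self.is_consented(child_id):
            raise PermissionError(f"no valid parental consent for {child_id}")
        self.child_pii.setdefault(child_id, {}).update(fields)

    def update_service_pii(self, name, pii_fields):
        """A provider changed its collection: every consent bound to the old
        disclosure is now stale and the parent must re-approve."""
        before = self.disclosure_digest()
        self.services[name].pii_fields = set(pii_fields)
        if self.disclosure_digest() == before:
            return []
        stale = sorted(c for c in self.consents if not self.is_consented(c))
        self.pending_reconsent.update(stale)
        return stale

    def revoke(self, child_id):
        """Parent revokes: drop consent, delete local PII, notify every provider."""
        self.consents.pop(child_id, None)
        self.pending_reconsent.discard(child_id)
        self.child_pii.pop(child_id, None)
        notified = []
        for name in sorted(self.services):
            self.services[name].request_deletion(child_id)
            notified.append(name)
        return notified


def run_demo():
    """Walk one child through consent, a provider change, re-consent and revocation."""
    ad_net = ThirdPartyService("ad_network_a", {"device_id", "coarse_location"})
    analytics = ThirdPartyService("analytics_sdk", {"device_id"})
    reg = ConsentRegistry(game_pii={"username", "device_id"}, services=[ad_net, analytics])

    reg.record_consent(parent_id="parent-1", child_id="child-1")
    reg.store_pii("child-1", username="kid42", device_id="dev-abc")  # constructed values

    # The ad network starts collecting precise location: consent goes stale.
    stale = reg.update_service_pii("ad_network_a", {"device_id", "precise_location"})
    try:
        reg.store_pii("child-1", username="kid42-renamed")
        store_blocked = False
    except PermissionError:
        store_blocked = True
    reg.record_consent("parent-1", "child-1")  # parent reviews and re-approves
    reconsented = reg.is_consented("child-1")

    notified = reg.revoke("child-1")
    return {
        "stale_after_change": stale,
        "store_blocked": store_blocked,
        "reconsented": reconsented,
        "notified": notified,
        "pii_after_revoke": reg.child_pii,
        "ad_net_deletions": ad_net.deletion_requests,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Binding consent to a digest of the whole disclosure, rather than to a boolean flag, is what makes the "creeping privacy encroachment" case fall out automatically: the game never has to notice which provider changed, only that the disclosure the parent approved is no longer the disclosure in force.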
The new COPPA law creates a number of really inefficient relationships (publisher – parent, publisher – third party, parent – publisher). We believe that if every developer attempts to create their own solution to this system, parents will rapidly lose their patience and curtail game usage by their U13 children, or (worse) simply ignore privacy issues altogether, defeating the spirit of the FTC law yet leaving developers fully exposed.
In order to be efficient, this type of notification is best handled by a central industry “clearinghouse” that provides each of the stakeholders (game developers, parents, third party providers) a single sign-on interface that fulfills the requirements of the law. That is exactly what we’ve done at AgeCheq.
In my next post I’ll talk about what happens when a parent changes their mind and revokes permission for your app to be used by their child.
If you'd like to educate yourself on COPPA, here's a page of history and links we've created for game developers at AgeCheq. To learn more about COPPA directly from The Federal Trade Commission, check out this list of answers to frequently asked questions: http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions