As I’ve stated in a previous blog post, the newly updated Children's Online Privacy Protection Act (COPPA) is not well understood within the game and app development industry and I'd like to improve that situation.
At the recent GDC/Next Game Developer / App Developer's convention in Los Angeles, I spent two full days talking to exhibitors and attendees about COPPA. The level of ignorance and misinformation I encountered was stunning.
Many professionals in the industry were not even aware of this new law that could easily put them out of business. Most that had some knowledge of it had erroneous or incomplete knowledge about the law and its potential impact on their businesses.
Only about 25% of the people I talked to were truly knowledgeable about COPPA and what it meant to them.
The purpose of this post is to improve game developer’s basic understanding of COPPA 2.0 (as I call the new law as updated on 7/1/2013). Over the next couple weeks I will follow-up with additional posts that look at other aspects of COPPA in an effort to dispel the most commonly help misconceptions and myths.
COPPA Codewords and Acronyms
Like many complex government projects, COPPA has codewords and acronyms used by "insiders" that make it easier to communicate about the law.
Codewords
"Operator" - This odd term is used throughout the COPPA law to describe a company that "operates" a web site or a mobile app or game. COPPA 2.0 extends this definition to include any third party APIs that are accessed within an app or game, such as ad networks, analytics services, etc. We in the app industry might use the term "developer" or possibly "publisher", but COPPA uses "operator".
"Privacy Policy" - While you might think this refers to the boilerplate privacy policy that is found in the bottom navigation of most commercial websites, in COPPA vernacular, it's actually all that and more. Each app or game must now have a "parental privacy disclosure" that explicitly describes all of the personally identifiable information (PII) collected by the app AND BY ITS THIRD PARTY APIs. The responsibility for this disclosure being accurate falls on the "Operator". Failure to provide an accurate privacy disclosure is the first and most obvious place that game developers are failing to comply with COPPA 2.0.
Acronyms
PII - "Personally Identifiable Information". This includes any user-related data or content that could be captured by an app. Examples include email addresses, IP addresses, screen names, VoIP IDs, social media account names, photographs, audio files, video, and geo-coordinates.
VPC - "Verifiable Parental Consent". COPPA 2.0 requires that publishers make a positive identification of the parent or guardian and get that person's "affirmative consent" before allowing a child 12 and under to download an app that collects any PII. The law is very specific in defining what constitutes VPC, and this is a major sticking point for every app and game publisher.
To learn more about COPPA directly from The Federal Trade Commission, check out this list of answers to frequently asked questions regarding complying with COPPA: http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions