VTech proves the “Wild West Days” of Gaming are Over. Deal with it.
I actually have a planned posting schedule for this blog, but really important things keep happening in the online and gaming world that demand coverage. This time, I’m going to discuss the implications for developers and for the industry as a whole if it continues to disregard user privacy when designing, coding, and operating games.
The trigger event for this post is the ever-worsening hack of the VTech company, which now involves all sorts of private data on 5 million parents and 6 million children. This breach is something of a “perfect storm” of bad news, involving poor programming and design, along with a huge amount of photographs, video, and chats from millions of children. Like other recent headline-generating breaches such as Ashley Madison, Target, and even the US Government, VTech is going to give a lot of privacy advocates and regulators the ammunition they need to come after the mobile gaming industry.
This is likely to be painful, because in general, the mobile gaming industry is not a particularly good example of care and concern for user privacy. In my opinion, mobile gaming is just emerging from its infancy, in which revenue generation was king, and developers could pretty much do whatever they wanted, including grabbing all sorts of random user information and storing it unprotected.
How did we get here? Why isn’t privacy routinely “built in” to games today, as regulators repeatedly urge? Aren’t there laws that have to be complied with? There are, but they are just starting to be enforced.
In the US, the COPPA Rule was updated specifically to address privacy issues arising from smartphone games. Unfortunately, in the two and a half years since the updated rule (“COPPA 2.0”) took effect, the FTC has never actually enforced any of its new provisions. Many big publishers have taken a “wait and see” approach because they don’t see much risk of being fined.
In the EU, smartphone games fall under the “Data Protection Directive”, a 20-year-old privacy directive that was written long before tablets and smartphones were even a possibility. For the last four years, the EU has been working toward a replacement called the General Data Protection Regulation (GDPR). GDPR contains child privacy protections similar to the US COPPA law. One important difference is the age threshold: as proposed, GDPR requires parental approval for users aged 15 and under, whereas COPPA applies to users aged 12 and under. Final ratification of GDPR is expected in early 2016, and I will definitely be blogging about it when that occurs.
It’s clear to me that unless the gaming industry’s indifference to privacy changes, there will be many more bad outcomes, both in the form of breaches like VTech and in the form of costly and potentially career-ending government enforcement of COPPA and GDPR. In the US, bigger publishers may even be targeted by class action lawsuits, as happened this week to Mattel in a suit alleging improper compliance with COPPA.
Designing privacy into games is not hard. It will not double the engineering effort required to create your game. Your team doesn’t have to build a complex notice-and-consent system and then worry about whether you really comply with the regulations. There are third-party compliance services designed specifically for game publishers, including (shameless plug) my company, AgeCheq.
Properly handling and protecting your users’ privacy is the right thing to do. The ‘wild west’ phase of the mobile game business is now over, and it’s time to abide by privacy laws, just like every other corporate citizen.
If you’d like to educate yourself on COPPA, here’s a page of history and links that AgeCheq has created for game developers. To learn more about COPPA directly from the Federal Trade Commission, check out this list of answers to frequently asked questions: http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions . Because there are numerous “incomplete” versions on the web, I encourage you to always view the final, official text of the COPPA law, which can be found here: