What Could Be Better Than COPPA? Ever Heard of CalOPPA? You Will!

This week I’d like to fill you in on another little-known privacy regulation that you should definitely be aware of.  If you have read any of my past blog posts, you know something about COPPA, which is focused only on giving the parents of children under 13 the ability to control what personally identifiable information is captured, stored, and shared by mobile apps and games.

What about everybody else? Don’t we adults matter? Well, in California we do. In 2003 the state passed the original version of the California Online Privacy Protection Act (CalOPPA), which simply stated that if a website collected any form of personally identifiable information (PII), it was required to show users what it was going to do with that data by posting a conspicuous “Privacy Policy”.

Unlike our old friend COPPA, CalOPPA was quite direct and easy to understand, and it did not really require any new procedures or activity on the part of the website “operator” (there were no apps back in ’03).  Over a period of several years, most websites complied with the law and it became commonplace to see “Privacy Policy” somewhere in the footer of every website. The typical privacy policy was written by a lawyer, and set in 8 point font – challenging reading.

Just like COPPA, when CalOPPA turned ten years old, advances in technology rendered it clearly in need of an update, and the California legislature passed an amendment in September 2013 that went into effect on January 1, 2014. In the updated law, the definition of “online service” is extended to include networked mobile apps and games. Additionally the law states that ad networks and other third parties that access a user’s data must be included in the privacy policy.  It also requires the operator to disclose whether or not they respond to consumer “DO NOT TRACK” settings if encountered.

The penalty for non-compliance with CalOPPA is up to $2500, per user, per infraction.  Like COPPA, this potentially translates to a huge, career-ending fine for apps with millions of users. And because it applies to all users, not just children, the numbers are staggering.  The California Attorney General has indicated she intends to actively enforce CalOPPA.

This week I saw a great quote from Dr. Brian Burton noting that these new regulations over mobile apps are actually a good thing for the mobile game industry. They signal the fact that the app business is maturing and the “land grab” period is over.  Over time, these laws will shake out the vast numbers of “junk” apps that flood the app stores. We’re now into the “infrastructure” and “rules” period, just like the old west after the gold rush ended.  I think this is a wonderful analogy. 

The days of blissfully making apps that grab private user data as needed are over. Let’s get on with the business of making great games that we design with privacy in mind.  Don’t worry about all of the compliance details – companies like AgeCheq will handle the details of compliance as a cloud-based service you build into your games, just like push messaging and ad networks.

If you’d like to know more about CalOPPA, the state has published a guide on privacy policies and DO NOT TRACK disclosures. If you'd like to educate yourself on COPPA2, here's a page of history and links AgeCheq has created for game developers. To learn more about COPPA directly from The Federal Trade Commission, check out this list of answers to frequently asked questions: http://www.ftc.gov/tips-advice/business-center/complying-coppa-frequently-asked-questions. Because there are numerous “incomplete” versions on the web, I encourage you to always view the final, official text of the COPPA law, which can be found here: http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title16/16cfr312_main_02.tpl