In the U.S., the Children’s Online Privacy Protection Act (COPPA) has been the topic of polite party discussion among game developers for several years now. “What if the FTC never enforces it?” “Who will they target first?” “Developers are just going to avoid kids altogether if it’s enforced”. It’s widely known that very few apps and games even make an attempt to comply with the law, even though the updated version has been in force for 15 months. Now that the FTC has signaled in no uncertain terms that they are going to enforce COPPA and that the actions against Yelp and TinyCo were just the beginning, I think the industry’s “wait and see” period is coming to an end.
So this week I’d like to share our thinking on how mobile games can become COPPA compliant without ruining user acquisition or game flow.
As I mentioned before, with respect to targeted user ages, there are four categories that all apps fall into. If your app is targeting children under 13, you definitely know every user needs COPPA treatment. Likewise, if your app is adult only, you definitely don’t need to worry about COPPA. The challenging categories are the two ‘general audience’ cases; all-age games that want children to be able to play (for example, Angry Birds), and general audience games that really would rather not have children as users (Clash of Clans).
Many of the top game producers and user acquisition specialists we talk to think their finely crafted world will come to an end when their management forces them to comply with COPPA. To them, COPPA compliance means an age gate and brick wall on the first startup.
I don’t agree at all.
At its most basic level, COPPA says you have to have parental approval before you capture any Personally Identifiable Information (PII) from a user under 13. If you have young children, you’ll agree that’s actually pretty reasonable. As a general principle, “Privacy by Design” dictates that you should never gather any PII from anybody unless you absolutely, positively need it to make your game or app work, and even then, only with their permission.
Want to comply with COPPA without hobbling your game’s amazingly engaging intro levels? Simply design your game so that the first few levels don’t capture any PII. If you are using ads, don’t put any in these levels.
After users have engaged with your game for a few levels and you want to capture PII to proceed (perhaps to set up a screen name, receive emails, post scores to Facebook, etc.) integrate the necessary COPPA steps into your game flow.
Common COPPA consent mechanisms like AgeCheq and AssertID free you from ever having to manage individual parent accounts and disclosures. By providing a single sign-on dashboard and a standardized, easy-to-understand privacy disclosure for games, they make compliance much easier for parents as well.
Using AgeCheq’s API, you can instantly check to see if the user’s device has been identified as U13 by a parent. If yes, your game can rapidly get parental permission with a popup saying something like “We need your parent’s permission before you can play level 4.” If no, you can still use a “neutral” age gate, with a free power-up incentive to keep their interest, to determine whether the user is under 13.
If a parent denies you permission to capture PII, you do not have to kick the child off your game. Just don’t capture any PII as they play. To do this easily, your code should make all PII capture conditional, based on a flag we’ll call “PII_Flag”. Just set PII_Flag to “off” if you get a parental “No” API response or an age gate response below 13.
If the API shows that a parent did give approval, turn PII_Flag on and run the game as designed. Once you get past the child test, your game can operate exactly as it did before. Of course, you must properly store and protect any PII you capture, whether it was from children or not.
Remember that under COPPA, a parent can decide later to revoke their permission for you to capture their child’s PII, and if they do, you are required to delete it. A well-designed compliance service will provide revocation notice to you and to all of the third party APIs your game integrates, making it easy for you to just delete the data.
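A sketch of the PII_Flag gating and revocation handling described above, added here as an illustration and not code from AgeCheq or any other consent service. The `PlayerSession` class, its method names and the `"yes"`/`"no"` response strings are assumptions; a real integration would map the consent service's actual responses onto them.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PlayerSession:
    # Fail closed: nothing is captured until a consent decision exists.
    pii_flag: bool = False
    pii_store: dict = field(default_factory=dict)
    # Names (never values) of fields that were refused, kept for auditing.
    dropped: list = field(default_factory=list)

    def decide(self, device_is_u13: bool,
               parent_response: Optional[str],
               gate_age: Optional[int]) -> bool:
        """Set PII_Flag from the consent lookup or the neutral age gate."""
        if device_is_u13:
            # A parent has marked this device as under 13: only an explicit
            # "yes" enables capture. "no" or no answer yet keeps it off.
            self.pii_flag = parent_response == "yes"
        else:
            # No parent record: use the age gate. A missing answer or an
            # answer below 13 keeps the flag off.
            self.pii_flag = gate_age is not None and gate_age >= 13
        return self.pii_flag

    def capture(self, name: str, value: str) -> bool:
        """Single choke point for every PII write in the game."""
        if not self.pii_flag:
            self.dropped.append(name)
            return False
        self.pii_store[name] = value
        return True

    def revoke(self) -> int:
        """Parent withdrew consent: delete stored PII and stop capturing."""
        deleted = len(self.pii_store)
        self.pii_store.clear()
        self.pii_flag = False
        return deleted


if __name__ == "__main__":
    s = PlayerSession()
    s.decide(device_is_u13=True, parent_response="yes", gate_age=None)
    s.capture("screen_name", "constructed_sample_name")  # constructed value
    print("deleted on revocation:", s.revoke())
    print("capture after revocation:", s.capture("email", "x@example.invalid"))
```

Routing every PII write through one method means a denied or revoked session keeps playing with capture off, and no individual feature needs its own age check.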
So there it is. For game developers, COPPA compliance is not the end of the world.
The fact that the mobile game market is finally being regulated is actually a very good thing, because it means that mobile games have grown to be so big and important that they are attracting the attention of regulators. Every other form of popular content (TV, movies, music, literature) has regulatory rules to govern what they can and can’t do. Mobile games are now mainstream, and poised for even more growth.
If you'd like to educate yourself on COPPA2, here's a page of history and links AgeCheq has created for game developers. To learn more about COPPA directly from The Federal Trade Commission, check out this list of answers to frequently asked questions: http://www.ftc.gov/tips-advice/business-center/complying-coppa-frequently-asked-questions . Because there are numerous “incomplete” versions on the web, I encourage you to always view the final, official text of the COPPA law, which can be found here: