Where Were You The Day COPPA 2.0 Became Real? That Was Yesterday.

On September 16, the U.S. Federal Trade Commission announced that mobile app developers Yelp and TinyCo each settled cases with the FTC on COPPA 2.0 non-compliance issues.  Both companies’ apps collected personally identifiable information from children under 13 without seeking advance permission from the parents of the children.

Others who know much more about government affairs than me have told me this timetable is pretty normal.  It’s important to remember that the public doesn’t hear about FTC activities until they are completed. 

If the FTC acts consistently with the way they policed COPPA in the past, they are making the mobile app industry aware of the law by “making an example” of a few well known companies.  If the FTC has more cases underway (and I believe they do) it would have been very easy for them to find apps that don’t meet the COPPA standard.   Very few games in the Apple and Android app stores are COPPA compliant today. 

Yelp – What Happened?

As game developers, Yelp is less interesting to us because it’s not a game, nor is it targeted at children. But it’s worth taking a look at what Yelp did wrong and why they were an easy target for the FTC’s compliance crackdown.

Yelp’s app had what we call an “age gate”, which asks the user what year they were born and then adjusts their experience appropriately.  Under COPPA, this is a perfectly fine way for a “general purpose” app to protect kids privacy, because the government realized that kids under 13 would be a small minority of the users.

Yelp’s public statement is that there was a “bug” in their age gate code. And the bug continued unnoticed for a four year period, from 2009 to 2013.  I’ll leave you to come to your own conclusions on Yelp’s QC efforts.

Yelp’s normal user activity is to sign on while visiting a restaurant or other business and leave a review. That means the app identifies the user’s device and then captures the user’s GPS location in order to identify the business. This is where things went badly. By capturing these data on children without disclosing the capture to parents and getting verifiable consent, the Yelp app was clearly in violation of the law.  They owe $450,000 in fines and will be subject to continuing privacy reporting and audits. You might say Yelp is in the “Privacy Penalty Box” for the next 7 years.

TinyCo – What happened?

This game developer has been on a roll recently, with a nice line of “Tiny” games, and most recently the “Family Guy – Quest for Stuff” game.  The “Tiny” series, in particular is interesting because it has colorful cartoon characters, lovable cubbies, and uses language that seems to be targeting children.  Without taking any steps to identify user age or get parental consent, the games gathered email addresses, posted to facebook, even rewarded players with in-game virtual goods if they provided an email address.

I’ve blogged before about the unclear wording of the COPPA law which appears to give game developers a way to sidestep COPPA – specifically the terms “Directed at Children” and “Actual Knowledge”.  At AgeCheq, we’ve talked to hundreds of game developers and have heard many times “We aren’t really subject to COPPA” because “Our games aren’t directed at children” and “We have no actual knowledge that children are using our games”.  A surprising number of top 50 game developers have refused to even talk to us because they believe doing so would jeopardize their possible future claim that they had no actual knowledge of children playing their games. 

With TinyCo, the FTC has eviscerated the hopes of developers who were thinking they could skate through the COPPA compliance issue by using these verbal excuses.  In its blog post explaining the action, The FTC specifically calls out the characters and language of the TinyCo games as proof that they are directed at children and therefore need to be fully COPPA compliant.  Like Yelp, TinyCo has to pay a fine ($300K) and submit to 7 years of privacy audits (at their expense). 

I’m not saying I told you so, but …

While I’m pleased that I can finally lose the “Chicken Little” reputation I’ve had for continually claiming “COPPA enforcement is coming”, I’m really looking forward to seeing the mobile game industry accept the fact that this law is now a real thing that must be understood and complied with.

COPPA will definitely cause user acquisition friction.  But like a strong wind in a golf tournament, it affects everyone equally.  Your company can choose to create its own compliance system.  Or you could use one of the FTC designated “Safe Harbor” certification programs to examine your compliance and give you a seal of approval.

Another option is what’s called a “Common Consent Mechanism” (CCM) which allows parents to use a central dashboard to curate their children’s privacy from a large number of developers.  CCMs reduce the effort for parents because they only have to identify themselves once, and they can use a dashboard that works the same for every game their kids want to play.  As written, the law implies that every developer needs to have a complex relationship with every parent of every child under 13 who plays their game, an untenable situation that CCMs eliminate.

Full Disclosure: Here Comes A Shameless Plug

My company AgeCheq has applied to the FTC for approval of a PayPal-like CCM system that minimizes compliance effort for developers and eases curation for parents.  The FTC has asked for public comments on the system. If you would like to encourage the FTC to allow new technological compliance solutions like this, please feel free to read the application and register your comment at the FTCs site.  

If you'd like to educate yourself on COPPA2, here's a page of history and links AgeCheq has created for game developers. To learn more about COPPA directly from The Federal Trade Commission, check out this list of answers to frequently asked questions: http://www.ftc.gov/tips-advice/business-center/complying-coppa-frequently-asked-questions.  Because there are numerous “incomplete” versions on the web, I encourage you to always view the final, official text of the COPPA law, which can be found here:

http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title16/16cfr312_main_02.tpl