In celebration of Data Privacy Day 2014: An Audit

For the last three years, the National Cyber Security Alliance has promoted January 28th as “Data Privacy Day” in an effort to empower and educate people on how to protect their privacy and control their digital footprint.  At AgeCheq, we support this effort, and in an attempt to help educate the mobile games industry about the need for improved adherence to child privacy laws, we conducted a very informal privacy audit of the top ten apps in the “For Kids” section of Apple’s App Store.

Over the weekend, we assembled a motley crew of “privacy testers,” consisting of two ten year old boys and a nine year old girl. Together, with their parent’s permission, we visited the Apple app store’s “Kids” section and let our kid testers choose three paid and three free apps to download from the Top Ten list.

By virtue of being listed in the “Kids” section of the App store, these apps clearly targeted children.  Under the updated Children's Online Privacy and Protection Act (COPPA), which has been in effect for nearly 7 months, each of these apps should have identified the parent of the child user, showed the parent a privacy disclosure, and received permission from the parent to allow the child to use the app and collect information from the child (even if it was only an IP address or Device ID).

We watched our young focus group play with each of the six apps, and we paid close attention to the methods top game development companies used to comply with the new COPPA regulations.  Each of the six apps involved captured and stored user data, which means they should be subject to COPPA restrictions.

Here are the results of AgeCheq’s “Data Privacy Day” Audit: Not one of the six “top ten” apps our focus group tried was compliant with COPPA. Five out of the six apps completely ignored the new law.  Only one app asked for parental approval, but it didn’t authenticate the parent, disclose the information it planned to collect from the child, nor give the parent an option to revoke their permission for the child to use the app (all clear violations of the law).

Not one of the apps that our focus group of kids tried was compliant with the COPPA law. That means each of these developers are at risk for a fine from the FTC (up to $16,000 per child) and up to 20 years of annual privacy audits.  Considering that Top Ten apps in the Kids category have very large audiences, the potential fines for these developers could easily be many millions of dollars.

On this, Data Privacy Day 2014, we want to educate the game development community that COPPA is the law of the land in the U.S.  Very few developers are heeding the warnings that the FTC issued last May, and as an industry, we must work together to encourage adherence to COPPA  - not only because it is there to protect children, but also because the cost of not adhering to the law could be financially disastrous to mobile games developers.  While it is certainly inconvenient for developers to comply with COPPA, doing so ensures the protection of the privacy of our children.

If you'd like to educate yourself on COPPA, here's a page of history and links we've created for game developers at AgeCheq. To learn more about COPPA directly from The Federal Trade Commission, check out this list of answers to frequently asked questions: http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions