In my continuing efforts to shed light on the issues surrounding the US COPPA law (16 CFR Part 312), this week I’m going to talk about the problems caused by some use of confusing and inexact wording in the law itself. Specifically, I want to examine a single poorly chosen phrase in the law that has opened a miasma of confusion and ill-considered strategies for avoiding compliance. Here’s the phrase:
The law says that if you have “actual knowledge” that your game is collecting personally identifiable information (PII) from kids, you have to treat them with COPPA methods. Armed with this ambiguity, some game developers have concluded, “Simple, we’ll just make sure we never have actual knowledge that children are using our game.”
I’m certain that COPPA wasn’t written with the intent to motivate game developers to never admit their games are being used by children, but that is exactly what has happened. Over the past six months I’ve repeatedly encountered companies that will not do anything that would admit that children are playing their games, because such an admission could be later used to prove they had “actual knowledge” children were playing their games.
This is a situation only a lawyer could love: interpreted one way, “actual knowledge” says you aren’t subject to it if you didn’t know you were in violation of it. The outcry about this phrase was so loud when COPPA 2.0 became law that the FTC took the unusual step of providing guidance for those who lived or died by the interpretation of this simple phrase.
Even with the clarifications, many game developers have adopted our industry’s version of “don’t ask, don’t tell” by completely ignoring COPPA and betting on “plausible deniability”. Personally, I don’t think this “Ostrich” strategy is a good long term bet for game developers and publishers who are using it. Here’s why.
When the FTC begins to enforce COPPA (if it does what it has in the past), it will first target very successful games and there will be multi-million dollar fines that will get a lot of publicity. I’m not a lawyer, but I find it hard to believe that the FTC will buy the defense “We had no idea any children were playing” for games with hundreds of millions of monthly average users that are based on puppies, balloons or pieces of candy.
There is evidence in recent federal IPO filings that suggests that some of these top developers have taken a cynical approach to COPPA, concluding it’s better to possibly pay a few million dollar fine than to actually comply with the law and protect the privacy of children who buy their virtual goods. I find that troubling.
COPPA is well intentioned but difficult to comply with, and it’s colliding with a large and growing mobile game market that has been a “wild west” of privacy concerns since its inception. It shouldn’t be surprising that there will be a lot of confusion, bad actors, and general ugliness as the FTC begins enforcing it.
If you'd like to educate yourself on COPPA, here's a page of history and links AgeCheq has created for game developers. To learn more about COPPA directly from The Federal Trade Commission, check out this list of answers to frequently asked questions: http://www.ftc.gov/tips-advice/business-center/complying-coppa-frequently-asked-questions.
Because there are numerous “incomplete” versions on the web, I encourage you to always view the final, official text of the COPPA law, which can be found here: http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title16/16cfr312_main_02.tpl