What is COPPA and how does it affect my game company?

COPPA, the Children’s Online Privacy Protection Act, is a law that was created to protect the privacy of children under 13. The Act was passed in 1998, took effect in 2000, and was updated in 2013.

There are a lot of misconceptions about COPPA, so let’s address a few of them and look at how this law may affect your game company.

What is COPPA?

COPPA specifies that sites must require parental consent for the collection or use of any personal information from users of websites and online services who are 12 and under. The term “online service” broadly covers most services available over the Internet or services that connect to the Internet. This includes mobile apps, games, social networking sites and more.

Personal information must be addressed in your privacy policy, and the Act dictates when and how to seek verifiable consent from a parent or guardian. It also means that your privacy policy must address the responsibilities that the operator of a website legally holds with regard to children’s safety and privacy rights online. This is especially applicable to marketing and how children under the age of 13 can be targeted with marketing methods.

Some examples of COPPA compliance include:

  • Clear consent forms for gaining parental consent
  • Requiring parents to use a credit card to authenticate their age and identity
  • Accepting emails from a parent that include a digital signature to verify their identity

COPPA compliance for online services that do include children under 13

As of 2013, COPPA has updated the list of personally identifiable information (PII) that can and cannot be collected without parental notice. The information that now requires consent includes:

  • full name
  • home or physical address
  • online contact information like an email address or another identifier (like an IM identifier, video chat identifier, etc.)
  • screen name or user name
  • telephone number
  • Social Security number
  • a persistent identifier, like a cookie number or an IP address
  • a photo, video, or audio file containing a child’s image or voice
  • geolocation information
  • other information about the child or parent

In order to comply, you must have a privacy policy, provide direct notice to parents about parental consent, give parents the choice of consenting to the collection and use of data (and also give them the opportunity to prevent further use or collection of the data), provide parents access to the PII, maintain confidentiality and keep the information secure, and retain the PII collected as long as necessary.

For more on the details of COPPA compliance, contact us to discuss your options.

COPPA isn’t just about games targeting children under 13

If your game doesn’t target children under 13 but you have knowledge or reason to believe that children 12 and under are using your game, you are subject to COPPA.

More importantly, if your game or a third-party API you’re using captures PII without prior parental consent, you are liable. The FTC has stated that it will make case-by-case judgment calls based on marketing, but it’s ideal to err on the side of caution. The best-case scenario is either to design your game and your privacy policies to be COPPA compliant from the get-go or not to capture any PII at all. Common COPPA consent mechanisms like AgeCheq can help you keep your privacy disclosures standardized and keep you compliant.

The repercussions of not following COPPA

A court can hold operators who violate COPPA liable for civil penalties of up to $40,654 per violation. The FTC will often settle enforcement actions for less than the statutory maximum, but the maximum remains a risk.