When does my game fall within the scope of COPPA?

United States federal privacy regulations are different for kids under 13, and compliance is really tough. Provided the game is not primarily targeted or advertised at kids, and a game studio has no knowledge of kids using it, it’s usually simpler to just exclude them when monetizing through ads or otherwise collecting personally identifiable information from users.

The longer version:

The problem with allowing children under the age of 13 to play a game is that it opens an organization up to issues with COPPA, the Children’s Online Privacy Protection Act. Complying with COPPA adds a very complicated, and often expensive, layer to legal obligations. COPPA enforcement has resulted in fines and allegations against Disney, TinyCo ($300k), LAI Systems and Retro Dreamer ($360k), Sybo Games and Kiloo Games, YouTube, HyperBeard ($150k), Broken Thumbs ($50k), and more.

If any of the following are true, a game would fall within the scope of COPPA:

  • The game is directed to children under 13 and personal information is collected from them;
  • The game is directed to children under 13 and others collect personal information from them;
  • The game is directed to a general audience, but the organization has actual knowledge that personal information has been collected from children under 13; or
  • The organization runs an ad network or plug-in, for example, and there’s actual knowledge that personal information has been collected from users of a website or service directed to children under 13.

COPPA requires all online services that are either directed at children, or that the operators have actual knowledge are used by children, to do the following:

(a) provide notice on its website of what information it collects from children, how it uses that information, and how it might disclose such information;

(b) obtain verifiable parental consent prior to collecting, using, or disclosing a child’s personal information;

(c) provide a reasonable means for a parent to review the personal information the operator has collected from a child and to refuse to permit further use of that information;

(d) establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children; and

(e) not condition a child’s participation in a game, prize offering, or other activity on the child disclosing more personal information than is reasonably necessary to participate in such activity.

Acceptable methods for obtaining parental consent include requiring parents to:

  • Sign a consent form and return it by mail, electronic scan, or even fax;
  • Use an online payment processor such as a credit or debit card that provides notification of each transaction to the account holder;
  • Connect to trained staff through a toll-free phone number or video conference;
  • Provide a copy of a form of government-issued identification that may be corroborated using a database (this copy of identification must be deleted from your site or service’s records after the verification process is completed);
  • Answer knowledge-based challenge questions that would be difficult for someone other than the parent to answer; or
  • Verify a picture, using facial recognition technology, of a driver’s license or other photo ID submitted by the parent by comparison to another photo already submitted by the parent.

These methods often prove to be cumbersome and costly and are sometimes not worth the trouble if children under the age of 13 are not a key audience.

This leads to two options if a business wants to include kids and use targeted ads: comply with COPPA or bifurcate users and only collect personal information from those over 13.

All of this is related to US federal law. It does not address state law (like CCPA in California) or international law (like GDPR in the EU), which add layers of complexity and have their own frameworks for dealing with children.