Last year, on a scenic summer day next to the Susquehanna River, AgeCheq morphed from an idea into a company. Roy Smith, founder and CEO, had just finished some research on the new COPPA law that was put into place by the US Federal Trade Commission (FTC). Wondering how every game company that targets kids would be able to comply with this new law, he gathered his then three-man team together at their HQ (a picnic table). Everyone decided that this was a business that needed to exist to help the mobile industry work with the law. Tyler Smith, director of game developer relations, talks about COPPA and what to keep in mind as a developer.
What is COPPA?
If developers don’t comply with COPPA, they can face a fine of up to $16,000 per user who is under 13, along with up to 20 years of privacy audits by the FTC. When you’re a developer serving millions of users, this can become a big headache fast.
The New COPPA
In the past five years, game developers have had to make a lot of changes in how they conduct business. From mobile gaming becoming one of the top-grossing markets to fighting for exposure inside the crowded app stores, adaptation has been key to pushing the industry forward. With all of this innovation in a burgeoning mobile space, the regulations on how business is conducted where children are concerned grew outdated very quickly. This shift in technology prompted an update in 2013 to the law known as the “Children’s Online Privacy Protection Act”, or COPPA.
There are six main steps to the FTC’s newly updated COPPA compliance plan. Developers have to comply with each to make sure they aren’t in violation of the law. Let’s take a look at what the steps are:
- Determine if your company is a website or online service that collects personal information from kids under 13
- Notify parents directly before collecting personal information from their kids
- Get parents’ verifiable consent before collecting information from their kids
- Honor parents’ ongoing rights with respect to information collected from their kids
- Implement reasonable procedures to protect the security of kids’ personal information
In order to create great games for education and learning, as well as casual games that could be directed at kids, these new rules need to be followed.
The Big Six Breakdown
The first step is to determine whether or not your mobile game or app collects Personally Identifiable Information (PII) from any kids under 13. If you don’t collect any Personally Identifiable Information – which includes any unique identifiers like IP address or device ID – or if you have a foolproof method of making sure that kids under 13 aren’t using your game or app, you are in the clear.
Obtaining verified parental consent is by far the most complicated step. The law defines four different ways that a parent can be verified.
- Have the parent sign and mail in a consent form
- Require the parent to make a monetary transaction with a credit card
- Have the parent call a toll-free telephone number
- Check a government-issued ID
At AgeCheq, we use the two most practical methods: a consent form, and a monetary transaction. After parents sign up for an account and verify themselves via one of these two choices, they are able to approve any privacy disclosures that are in their dashboard. We link the parents of children directly to the information they need to decide if the game controls its data collection.
Now, even if parents have agreed that you may collect information from their kids, parents have ongoing rights — and you have continuing obligations. Not only must you continue to give parents a way to review the personal information collected from their child, but you must also give parents a way to revoke their consent if they refuse the further use or collection of personal information from their child. Once they do that, you must also delete their child’s personal information from your databases.
Finally, the FTC’s plan requires that you establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. This is all pretty common-sense stuff. Keep the data you collect secure.
This is a lot of information to digest, but hopefully you now have a better understanding of what COPPA means to the mobile gaming industry.