What Developers Should Know About COPPA

November 19, 2014 — by Industry Contributions

Tyler Smith, Director of Game Developer Relations, AgeCheq

Last year, on a scenic summer day next to the Susquehanna River, AgeCheq morphed from an idea into a company. Roy Smith, founder and CEO, had just finished some research on the new COPPA law that was put into place by the US Federal Trade Commission (FTC). Wondering how every game company that targets kids would be able to comply with this new law, he gathered his then three-man team together at their HQ (a picnic table). Everyone decided that this was a business that needed to exist to help the mobile industry work with the law. Tyler Smith, director of game developer relations, talks about COPPA and what to keep in mind as a developer.

What is COPPA?

The Children’s Online Privacy Protection Act (COPPA) was originally passed in 1998 and was put into effect in 2000. The initial intent of COPPA was to detail what a website operator must include in a privacy policy, dictate when and how to seek verifiable consent from a guardian or parent, and define what responsibilities an operator has to protect children’s privacy and safety online. This includes restrictions on marketing to users under 13.

If developers don’t comply with COPPA, they can face a fine of up to $16,000 per user under 13, along with up to 20 years of privacy audits by the FTC. When you’re a developer serving millions of users, this can become a big headache fast.


In the past five years, game developers have had to make a lot of changes in how they conduct business. From mobile gaming becoming one of the top grossing markets, to fighting for exposure inside the crowded app stores, adaptation has been key to pushing the industry forward. With all of this innovation in a burgeoning mobile space, the regulations on how business may be conducted where children are concerned grew outdated very quickly. This shift in technology prompted an update in 2013 to the law known as the “Children’s Online Privacy Protection Act” or COPPA.

There are six main steps to the FTC’s newly updated COPPA compliance plan. Developers have to comply with each to make sure they aren’t in violation of the law. Let’s take a look at what the steps are:

  1. Determine if your company is a website or online service that collects personal information from kids under 13
  2. Post a privacy policy that complies with COPPA
  3. Notify parents directly before collecting personal information from their kids
  4. Get parents’ verifiable consent before collecting information from their kids
  5. Honor parents’ ongoing rights with respect to information collected from their kids
  6. Implement reasonable procedures to protect the security of kids’ personal information

In order to create great games for education and learning, as well as casual games that could be directed at kids, these new rules need to be followed.

The Big Six Breakdown

The first step is to determine whether or not your mobile game or app collects Personally Identifiable Information (PII) from any kids under 13. If you don’t collect any Personally Identifiable Information – which includes any unique identifiers like IP address or device ID – or if you have a foolproof method of making sure that kids under 13 aren’t using your game or app, you are in the clear.

If you are not, then the next step is to make sure to post a privacy policy. It must clearly and comprehensively describe how you handle personal information collected from kids under 13. The notice must describe not only your practices, but also the practices of any third party service or API your game or app relies on – like an advertising network or analytics package.

You may already have a privacy policy document. However, COPPA asks developers to tell parents specifically what PII your game or app collects. AgeCheq handles this by creating a database-driven layered privacy disclosure.

Obtaining verified parental consent is by far the most complicated step. The law defines four different ways that a parent can be verified.

  1. Have the parent sign and mail in a consent form
  2. Require the parent to do a monetary transaction through a credit card
  3. Have the parent call a toll-free telephone number
  4. Check a government-issued ID

At AgeCheq, we use the two most practical methods: a consent form, and a monetary transaction. After parents sign up for an account and verify themselves via one of these two choices, they are able to approve any privacy disclosures that are in their dashboard. We link the parents of children directly to the information they need to decide if the game controls its data collection.

Now, even if parents have agreed that you may collect information from their kids, parents have ongoing rights — and you have continuing obligations. Not only must you continue to give parents a way to review the personal information collected from their child, but you must also give parents a way to revoke their consent if they refuse the further use or collection of personal information from their child. Once they do that, you must also delete their child’s personal information from your databases.

Finally, the FTC’s plan requires that you establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. This is all pretty common-sense stuff. Keep the data you collect secure.

This is a lot of information to digest, but hopefully you now have a better understanding of what COPPA means to the mobile gaming industry.

Knowing that there is a lot of information, Tyler welcomes questions about COPPA or AgeCheq’s solutions via email, or feel free to check out AgeCheq’s website.