COPPA: A game developer's primer
"COPPA has many easy-to-miss trip wires," and Reed Smith's John P. Feldman and Wendell J. Bartnick are here to help
This article was co-written by John P. Feldman and Wendell J. Bartnick from the law firm Reed Smith LLP.
Social features have become integral to making and selling games that are fun for all ages. Users enjoy communicating with their friends and family, and finding new friends while they play. To facilitate these features, developers will typically collect user account information, the information that players submit through the game, and information about game usage. Even games without social interactivity will commonly collect and send gameplay information back to the developer.
Developers use this player and game-related data to build new features and products, troubleshoot problems, and for many other purposes beneficial to users. The data may also be useful for targeting ads and marketing ("You've been playing for 14 straight hours, do you need a 5-hour ENERGY?"). In the United States, federal and state privacy laws may apply to the collection, use, disclosure, and security of the data that developers collect through games. One particular area of focus is protecting the privacy of children under the age of 13.
Almost 20 years ago, Congress enacted the Children's Online Privacy Protection Act. COPPA prohibits online services such as websites, apps and games from collecting personal information from children under the age of 13 ("children") without first providing notice to parents and obtaining their verifiable consent. The statute also provides parents with the right to learn about the actual personal information collected from or about their children, and to refuse further data collection and use.
Finally, COPPA requires companies to implement reasonable security measures protecting children's personal information. The Federal Trade Commission (FTC) is the primary enforcer of COPPA and can fine companies over $40,000 per violation, which could be calculated based on the number of users who are children. The potential damages could be unimaginably high, but the largest penalty so far has been $3 million. The state attorneys general can also enforce COPPA.
Several features of COPPA may surprise the unwary; we will discuss some of them below.
COPPA applies to games "directed at children."
COPPA applies to personal information collected from children by game developers when either (1) the developer knows the users are children under 13, or (2) the game is "directed at children." But when is a game directed at children?
The FTC will consider several factors, including:
- subject matter;
- visual content;
- use of animated characters or child-oriented activities and incentives;
- music or other audio content;
- age of models;
- presence of child celebrities or celebrities who appeal to children;
- language;
- whether advertising, promoting or appearing on the game is directed to children;
- the age/content ratings in app stores and published by the ESRB and game reviewers;
- other characteristics.
For example, in a complaint brought against TinyCo, the FTC concluded that the company's games were directed at children because they used themes that appeal to children (e.g., zoos, pets, mermaids), brightly colored animated characters, and simple language. In another complaint, the FTC pointed to a statement by W3 Innovations, which stated, "a fun storytelling app with charming graphics ... which we thought that younger girls and nostalgic adults in particular might enjoy. Based on feedback from users, it seems that the core of v1.0 hit our target market..."
To reduce the risk that a game will be deemed "directed at children," developers should carefully consider the game's look, sounds, and feel.
In addition to game characteristics, the FTC will also look at the age composition of actual users and evidence regarding the intended audience. Developers can unknowingly find themselves in a tricky situation where a game intended for a general audience inexplicably trends toward child and teen users. Game developers are well advised to monitor player age trends over time and possibly make game adjustments to change unwanted trends.
Developers can block child users from general audience games, but must follow rules
When a developer has actual knowledge that a game has child users, such as through the collection of age or date-of-birth, it likely has COPPA obligations regardless of the intended audience of the game. However, if games are intended for a general audience, a developer can block children from playing a game by checking its users' ages.
When a developer sets up a proper age screen, it may rely on the age information that users enter, even if that age information is not accurate. The FTC recommends that the child screening process be done a certain way. Several companies have been investigated for improperly implementing age screens.
First, the FTC recommends that the age check be presented in a neutral manner. According to the FTC, developers should make sure:
- Users can accurately enter their age or birthday. For example, developers should not permit users to select only a birth year that would make them over 12.
- Children are not encouraged to falsify their age. For example, a message that says "Users under 13 cannot play this game. How old are you?" is probably not neutral. Further, a checkbox stating "I am at least 13 years old" is probably not neutral.
- A generic message ("We are sorry but we could not create your account at this time") is displayed when blocking a child, rather than "You are too young to use this game."
- No information is saved about a child who attempted to use the game.
Second, the FTC recommends that developers consider using technological measures to prevent users from easily circumventing the age block. This means that, once a child is blocked, the child should not be able to easily retrace his or her steps and simply change the age information to create an account.
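The age-screen recommendations above, sketched as an added example (not code from the article or the FTC). All function and field names are hypothetical; `session` stands in for a session cookie or server-side session, and using a bare boolean flag to stop a blocked user from retrying is an assumption of this sketch.

```javascript
const MIN_AGE = 13;
const GENERIC_DENIAL = "We are sorry but we could not create your account at this time";

// Whole years between a date of birth and `today`, accurate to the birthday (UTC).
function ageInYears(dob, today) {
  const years = today.getUTCFullYear() - dob.getUTCFullYear();
  const beforeBirthday =
    today.getUTCMonth() < dob.getUTCMonth() ||
    (today.getUTCMonth() === dob.getUTCMonth() && today.getUTCDate() < dob.getUTCDate());
  return beforeBirthday ? years - 1 : years;
}

// Accept any real calendar date (no year is pre-filtered); reject e.g. 2015-02-30.
function parseDob(year, month, day) {
  const d = new Date(Date.UTC(year, month - 1, day));
  const valid =
    d.getUTCFullYear() === year && d.getUTCMonth() === month - 1 && d.getUTCDate() === day;
  return valid ? d : null;
}

// `accounts` stands in for the account store (constructed for this example).
function submitAgeScreen(session, accounts, form, today = new Date()) {
  // Once blocked, later attempts in this session fail whatever age is entered.
  if (session.signupBlocked) return { ok: false, message: GENERIC_DENIAL };

  const dob = parseDob(form.year, form.month, form.day);
  if (!dob || dob > today) {
    return { ok: false, message: "Please enter a valid date of birth." };
  }

  if (ageInYears(dob, today) < MIN_AGE) {
    // Keep only a boolean: no date of birth, username or other form data is stored.
    session.signupBlocked = true;
    return { ok: false, message: GENERIC_DENIAL };
  }

  accounts.push({ username: form.username });
  return { ok: true, message: "Account created." };
}
```

The prompt shown to the user should ask only for a date of birth, with every year selectable and no mention of a minimum age.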
COPPA applies to device and other persistent identifiers
When thinking about privacy and personal information, people do not typically think about IP addresses, device identifiers, or other persistent identifiers associated with devices rather than specific individuals. However, COPPA applies to the collection of such identifiers. Therefore, when a game may have child users, the developer should consider whether it has COPPA-related obligations with respect to the identifiers collected from users in addition to the more typical types of personal information.
Game developers may be responsible for all data collection through their games
The FTC recommends that developers of child-directed games review the information collection practices of anyone that provides an SDK or other code or service used in the game. Even if a developer does not collect any personal information, the FTC will seek to hold developers liable for the information collected through their games. The FTC stated that the developer is responsible for determining whether to provide the COPPA notice and obtain parental consent, based on the data collection practices of others. Remember, COPPA applies to the collection of persistent identifiers, such as IP addresses and device identifiers.
One common situation where COPPA may come into play is when a developer works with a third-party advertiser to show ads in a game. Typically, ad networks use persistent identifiers to track users online and tailor ads to them. Recently, the FTC found that two developers of child-directed mobile apps allegedly used ad networks without complying with COPPA. Another was also recently sued in a class action lawsuit alleging similar facts. We frequently advise companies that had no idea third-party code was collecting geo-location and other personal information.
Developers can outsource compliance efforts, but not responsibility
Developers can work with others to meet COPPA obligations. For example, an app store or gaming platform can perform certain COPPA compliance steps - such as age gating and obtaining parental consent - for the games in the store or platform, rather than each game doing so. However, according to the FTC, developers are ultimately responsible for COPPA compliance. If the app store or gaming platform fails to properly meet a developer's obligations, that developer may face a government investigation. Developers should regularly test the procedures they use that are provided by others to make sure they actually comply with COPPA.
COPPA has many easy-to-miss trip wires. When games collect age information from users or could be "directed at children," developers should consider whether they have COPPA obligations.