This is a guest post from Andrew Smith, the Director of Developer Education at AgeCheq. AgeCheq provides tools that help mobile device users manage their private data that is captured, stored and even provided to third parties.
If you are in the business of writing mobile games or apps, you need to know about the Children’s Online Privacy Protection Act (COPPA). This is a federal statute enforced by the U.S. Federal Trade Commission that regulates the collection of personal information from children’s online activity. Here are the top five reasons you need to worry about COPPA.
The law isn’t just for Websites
COPPA applies not just to websites, but to any sort of online service such as a mobile app or game. If the program is connected to the Internet and it collects personal information from a child under 13 without a parent’s consent the developer could be found culpable by the FTC.
The law has recently changed
Since an update to the law in 2013, the FTC’s definition of “Personally Identifiable Information” includes information that was once seen as being benign. Any unique identifiers like a UDID, IP Address, CPU serial number, or even any sort of cookie is now considered an offense. Since many advertising and analytics services rely on a unique identifier to do their jobs, you need to think twice about adding any third-party APIs. Chances are that your game or app already collects PII and you don’t even know it.
The penalties can be steep
The fine for not complying is $16,000 for each affected child. The FTC could also decide to burden you with up to 20 years of annual privacy audits. If your company is collecting PII and you aren’t sure who you are collecting it from, you could be in for quite a penalty. You can ignore it and hope that the FTC never gets around to punishing you. Of course then you are also taking your chances in the court of public opinion. It would be pretty damaging to your brand if your software was called out as an example of what not to do by parents’ groups.
You can’t just block kids
For an app or game that targets kids under 13, you must get an adult’s approval before you may collect any Personally Identifiable Information. If you’ve got a game that also targets older users you might think that you can solve this problem by just adding an age-gate, but this creates another problem. The law states that if your game’s target audience includes children under 13, not only can you not collect any PII on these individuals but you may not turn them away from your game or app. The law specifically says you must allow them to play, and you must not collect any Personally Identifiable Information.
The law means some work should be done
The only alternative COPPA gives to allowing kids to play indefinitely without collecting any PII is to get a parent’s approval of the information you plan to capture. However, that means a lot of work. You’ll need a system in place to authenticate adults. You’ll have to create a Privacy Disclosure that spells out all the Personally Identifiable Information your game or app collects – including information collected by any third-party APIs you may use. The law requires you to give parents a forum to give you their approval to collect any PII. Finally, you must manage this relationship with adults to give them the ability to revoke their authentication in which case your app must delete all the information captured and stored on that child – once again including data captured by any third-party APIs you may use.
Rather than doing this all yourself, take some time to investigate some of the newly created available technology. You’ll find that the new technologies in the compliance industry can help alleviate much of this work in an inexpensive and straightforward way.
This post was provided by a guest contributor. To check out posts by our most frequent authors, subscribe to our blog.