The FTC has finally enforced COPPA 2.0. Here’s what you need to know.
The final months of 2015 have been a roller coaster of activity in the field of privacy and mobile gaming. First there was the VTech hack, then the COPPA class action suit against Mattel, then yesterday’s agreement on the EU General Data Protection Regulation (GDPR) which gives each EU member country the ability to choose the ‘age of consent’ for children from age 13 to 16. For game developers, these are all ‘big stories’ because they point toward increased regulation and the need for more thoughtful handing of user privacy.
Today’s huge news that the FTC has settled COPPA violation cases with two small app developers with civil penalties totaling $360,000 came as quite a surprise. Since it has been nearly two and a half years since the updated COPPA became law, many had written off the FTC ever enforcing COPPA.
The most interesting aspect of today’s news to me is that ad networks are the primary culprit, yet the game publishers are being held responsible. Ad networks and targeting were the primary impetus for Congress to update COPPA – Today’s actions illustrate the FTC trying to make the point to publishers that they need to be aware of all the components inside their apps, and know what (if anything) each component does with respect to privacy.
I covered this little known aspect of COPPA in detail last year in this blog.
In the case of LAI systems, the publisher didn’t tell their ad networks they were delivering ads to children, therefore the ad network delivered non-compliant ads. Since LAI didn’t follow COPPA required parental notice and consent, they violated COPPA. The publisher, not the ad network will pay a $60,000.00 fine.
Retro Dreamer is slightly different – according to the FTC, the ad networks noticed the apps were child-focused and warned Retro Dreamer that they needed to comply with COPPA. Apparently, the publishers ignored that advice, and after a talk with the FTC enforcement department they have agreed to a civil fine of $300,000.00.
Here’s today’s takeaway thought for you. In the eyes of regulators, you the publisher are responsible for all that happens when a child is using your app. They don’t care whether an analytics package is what actually captures a user’s IP address. They don’t care why your real time ad bidding service chose to run ads that had targeting features. It’s your responsibility to manage the entire user experience of your app.
Make it your business to know the privacy activity of every third party service or code you build into your app. To comply with COPPA (and soon, GDPR), you have to show the parent a true and accurate representation of your game’s activity as you seek consent. Fortunately, since all publishers with child audiences face these same hurdles, there are cloud services for game developers that simplify this requirement and other aspects of regulatory compliance.
If you'd like to educate yourself on COPPA, here's a page of history and links AgeCheq has created for game developers and publishers. To learn more about COPPA directly from The Federal Trade Commission, check out this list of answers to frequently asked questions: http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions . Because there are numerous “incomplete” versions on the web, I encourage you to always view the final, official text of the COPPA law, which can be found here: