Legal Requirements for Children's Gaming Apps

Legal Requirements for Children's Gaming Apps

In the United States, the Children's Online Privacy Protection Act (COPPA) has been in effect since 1998. Most mobile application developers have become accustomed to the regulations associated with offering online services to children under 13.

However, Europe's recently implemented General Data Protection Regulation (GDPR) has introduced a range of edicts regarding child privacy, rendering some child privacy provisions inadequate.

Let's go over the basic requirements for each of the major children's privacy regulations to see what's changed. We'll also give you some tips and ideas for compliance.

If this is your first time developing an app that's aimed towards children, you may not realize the liability involved in collecting personal information from kids.

If your gaming app is attractive to children, it will most likely be considered a child-targeted service under the law.

Even if it's a game targeted to all ages, the application will need to implement strict protocols in the event that children pick up the game and start playing.

Collecting personal information from children is illegal without verifiable parental consent. Unlike the checkbox tick that passes for adult consent, parental consent must be verifiable, such as through a signed form or valid credit card number.

Another big difference is that adults have the power to consent to personalized advertising, while children must not be tracked or personalized for advertising purposes at all. That is not to say that advertising to children is illegal, but that personalization or tracking technology must not be used.

The Loophole

Many gaming apps directed at children choose to avoid any potential infringement of child privacy stipulations like those described above by creating a "zero-data" environment within the game that does not collect any information, either directly or anonymously, from users.

The zero-data method removes the need for parental consent, but it is not possible for all games.

For instance, many online multiplayer games require a user to create an account or username in order to play. Even the creation of a username is enough to warrant parental consent.

Complying with COPPA

Compliance with COPPA

The United States blazed new trails in online privacy when they passed the COPPA law in 1998. Since then, it has been expanded and amended into the most comprehensive children's privacy regulation in the world.

Here are a few of its basic requirements:

Post a clear Privacy Policy

This policy should outline what information you are collecting from children and how you use that information. Clearly describe how your service collects information, including any third-party affiliates or cookies you have in place.

Many companies choose to create a separate Children's Privacy Policy to fulfill this requirement:

Walt Disney Children’s Privacy Policy intro clause

The above is the Disney Children's Privacy Policy. This is separate from the corporate Privacy Policy and includes a section for parental controls.

According to COPPA, the Privacy Policy for an online service directed to children should include the following:

  • Clearly and comprehensively, which information is being collected about children and why
  • How this information is collected and used
  • Any third-party affiliates that will have access to the information and why
  • Statement of parental rights regarding their children's personal information
  • Instructions as to how children's' information may be accessed, reviewed, edited, or deleted by the parents
  • Instructions on how consent may be given and/or revoked by the parents

Disney breaks all this down into three major categories:

Walt Disney Children's Privacy Policy: sections menu

On click, each of these categories opens into a very detailed breakdown of all the points described above. Here is an example of one section:

Walt Disney Children's Privacy Policy: Parental Choices and Controls clause

In this way, Disney provides a clear and accessible course of action for parents to remain in control of the information collected about their children.

Unless your game is a zero-data application, you will need to request verifiable consent from a parent before collecting any information at all from a child, even if it's just an IP address.

Verifiable consent may be obtained in a variety of ways:

  • Send a form to the parent's email address that would need to be printed, signed, and returned via mail, fax, or electronic scan.
  • Require the parent to submit a valid credit card number or other form of online payment that may be verified through a small transaction.
  • Have the parent call into a toll-free telephone verification system or video call staffed by trained personnel.
  • Request a government-issued identification document, provided this information is deleted after the verification process is complete.

The verifiable parental consent process is not as complicated as it sounds. Most of the verifiable methods above can be completed with minimal time and effort by implementing a few simple online features.

For example, the children's social network Kudos has streamlined the process into a few easy steps.

The child's birthdate is requested during the registration process to determine their age and if parental consent is necessary:

Kudos mobile app: Screenshot of registration step

If the entered birthdate confirms that the child is younger than 13, the application requests a parent's email address to begin the consent verification process:

Kudos mobile app: Registration screen requesting parent's email for consent - COPPA

The parent will receive a copy of the email below, which meets all the requirements set out by COPPA:

Kudos account registration parental consent email to authorize a child's account - COPPA

This email describes the application for which the child is trying to register, lists the personal information Kudos will collect from the child, describes their policies for marketing and third-party sharing, and links to the Privacy Policy.

All of this information is required by COPPA to be communicated to a parent before collecting personal information from a child

Once the parent clicks the "Authorize" button in the email, they are directed to an online form where they can access and submit their verifiable consent in a variety of different ways. Each of these methods is approved by COPPA and easy to complete online.

Privo: Parental consent and identity verification tool - COPPA

Notification Only

There are a few exceptions to the verifiable parental consent requirement.

For example, for the following activities, you would only need to notify the parent or guardian, but not necessarily obtain verifiable consent:

  • For a child to create a username within a game where no other data is collected, while ensuring that the username will not to be used as a form of communication.
  • Where a game collects a child's email only to communicate with the child in regard to their account, but will not use the information in any other way or share it with third parties.
  • If an app needs to collect the names of the child, their parents, and a parent's email address for no reason other than to protect the child's safety.

In the case of one of these exceptions above, the app would only need to send direct notification of these activities to a parent or guardian. This notification would need to be confirmed via a link or code verification method.

This process can be illustrated by the Bloxels Builder registration process.

By default, the Bloxels Builder game is a zero-data environment. However, if the child wishes to create an account to save their progress in the game, they will be presented with the following registration screen:

Bloxels Builder account registration screen

In order to continue, the child must enter a parent's email address where an unlock code will be sent:

Bloxels Builder account registration screen for parent permission email

After an email address for a parent is entered, the following email will be sent to the parent. Here, the parent is informed of how the game works, what the child will have access to, and which information will be collected from the child:

Bloxels Builder parental consent email to activate account

Note the following statement from the email:

"The only personally identifiable information stored is their email address for password retrieval purposes, but this will never be shared with others."

This statement is important because it is the only manner in which an email address may be collected from a child without using one of the verifiable consent methods mentioned previously.

Once the parent has opened the email, they may click the "Activate Account" link or enter an unlock code within the app:

Bloxels Builder account registration: Screen for parent to enter unlock code to give consent

Once this final step is completed, the child may create his or her own account on the game and play but will not be submitting any personal information other than an email address.

Give parents a choice about sharing personal information with third parties

Parents should be able to check yes or no to allow or refuse the sharing of their children's information with third parties.

An online game or app directed at children must still provide their service to children, even if their parents refuse the sharing of personal information to third-parties.

Microsoft illustrates this concept in this online consent form:

Microsoft parental consent verification form with checkbox for third party apps - COPPA

Here, along with verifiable consent in the form of a credit card transaction, the parent has the option to allow or disallow their child to use (and share information with) third-parties.

Allow parents to review and/or delete children's personal information

Parents must be given full access to view, update, and delete the personal information held about their children by any online entity.

You must also provide clear instructions to the parents on how to get this access:

In this example, Xbox One provides parents with instructions on how to access and change settings on child accounts:

Xbox One online safety and privacy settings for parents and children: From xbox.com section

From inside the account management platform, the parent can view, change, or delete the child's information.

There are also comprehensive settings within the XBox interface to monitor and control children's online privacy settings as they play online games:

Screenshot of Xbox mobile Child Privacy and Online Safety settings screen

Even after a parent has given consent for the collection and processing of their children's personal information, they must be given the option to easily revoke that consent or prevent further use of said information.

Here's how Microsoft provides a "Remove from family" option for child accounts -- an action that would both revoke consent for the use of the child's information and block the child's access from associated online activities:

Microsoft Family: More options menu

Keep personal information of children confidential and secure

All possible measures must be taken to protect the information of children and maintain its confidentiality.

Assurances to this affect may be included within the Children's Privacy Policy, as shown here by Time for Kids:

Time for Kids Privacy Notice: Commitment to Security clause

When information about children is shared with third parties, it is the responsibility of the original data controller to ensure that those third parties are also upholding sufficient security measures.

Time for Kids also mentions these requirements in their Children's Privacy Policy:

Time for Kids Privacy Notice: Clause about agents and contractors being required to protect information

Only retain children's personal data for as long as absolutely necessary

Keep the personal data collected from children only as long as is needed to fulfill the purposes for which it was gathered. Once the information is no longer needed, it must be deleted.

No personalized advertising

All behavioral and targeted advertising to children is out. For this reason, all advertising in a children's gaming app will need to be strictly contextual, unless you have a gated adult section for advertising to parents.

Complying with the GDPR

Compliance with GDPR

Although the guidelines for children's online privacy in Europe are very similar to those set by COPPA, there are some marked differences - the most significant being the age at which an individual will be considered a child.

Unlike COPPA, which sets a clear cutoff for childhood at 13, the GDPR gives its EU member states a range of ages to choose from. A person between age 13 and 16 may be considered a child, depending in which EU member state they reside in.

In Spain, for example, the cutoff age is 14, while in the Netherlands, the age of consent is set at 16. While some member states do have the cutoff age set at 13, like the USA, it is advised for any online business that collects data from European minors to set the age of adult consent at 16, to be safe.

The GDPR sets fines for failing to obtain parental consent for a child's information at €10 million or 2% of global annual turnover. Below find the main points of GDPR compliance for child-targeted online apps and games.

Child-Intelligible Privacy Policy

Although a separate children's Privacy Policy is not specifically required by the GDPR, it does mention that any online business that targets children should write their Privacy Policy in a way that is clear and easy for children to understand.

The UK's Eureka! Children's Museum keeps their Privacy Policy short and simple for the benefit of any children that may read it:

Eureka! Children's Museum Privacy Policy: What information we collect clause

Article 8 of the GDPR states that "processing [personal information of a child] shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child" and that "the controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology."

At first glance, this sounds similar to the requirements of COPPA, but nowhere in the text of the GDPR does it define what "reasonable efforts" to verify parental consent will be considered valid.

Most European apps and websites that are targeted to children follow verifiable consent guidelines as stated by COPPA, but others argue that such vigilance is not required under the GDPR.

It remains to be seen how GDPR advisory authorities will choose to judge this subject.

Under this article, any targeted or behavioral advertising within a child-targeted app would also require specific consent from the parent or guardian.

What if the App is Targeted to All Ages?

Even if your gaming application is not necessarily targeted to children, you may still need to put provisions in place to comply with child privacy laws. Although the game may be originally intended for an older audience, if the graphics and gameplay are deemed attractive to children, FTC and GDPR officials will expect the app to remain compliant with child privacy laws.

One way that applications and online games are addressing this is by creating two different versions of the game - one zero-data environment for users who do not sign in, and an age-gated version of the game with an assigned username for each user.

By using an age-gate and a verified username account, you can ensure that only users of qualified age are submitting personal data.

There are several methods to accomplishing this:

Age gate and assignation of an email-verified username

This is an example of an age gate as implemented by the Smurf Village app.

Screenshot of Smurf Village app registration form with age gate for children

Sign-in using a social network that allows access to user birthdate

The application Trivia Crack uses a Facebook login to verify user age. Because a user will have verified age already on the social network site, using the social log-in lets you verify age in this roundabout way:

Trivia Crack app: Screenshot of mobile sign-in with Facebook pop-up

Sign-in using an affiliated user account on another server, such as a Game Center, X-Box Live, or Google Play account that can verify user birthdate

Minecraft requires users to sign in to their Microsoft account in order to use certain game features. This helps Minecraft verify that anyone using these features has a verified Microsoft account and has a birthdate on file.

Minecraft mobile sign-in with Microsoft screen

Zero-Data Environments

Zero-Data Environments

In order to avoid the additional infrastructure and programming involved in obtaining parental consent, many child-targeted apps and online games are now operating in a zero-data environment. That is to say that they collect no personal data whatsoever during gameplay, using "parental gates" to manage data-requiring activities like in-app purchases.

In-App Parental Gating

In order to avoid the legal risks of children attempting to submit unauthorized personal information or make in-app purchases, child-targeted games create parental gates as a safeguard.

Parental gating usually involves the parent following specific written instructions on-screen before passing into a "parents only" section of the app. It may look something like this.

In the children's app Elmo ABCs, the parents' section is marked by a blue button. On click, the text that appears reads, "Drag button to upper left corner to unlock." Once these instructions have been followed, the parents' interface appears:

Elmo ABCs game app: Screenshot of parental consent unlock feature

Within this module, parents can personalize their child's gameplay or shop for in-app purchases, but only after passing through the parental gate.

Elmo ABCs game app: Parental control screen

Another solution is to require parents to perform a simple mathematical equation before proceeding into the adult section, as is demonstrated here in the Puzzingo game app:

Puzzingo game app: Math screen to verify an adult

By implementing zero-data environments and parental gating, online gaming apps can safely provide entertainment for children while simultaneously serving advertising and in-app purchases to parents.

This may be the simplest solution for games that do not require individual user accounts or personal information for game play.

Jaclyn K.

Jaclyn K.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.