27 January 2020
In the United States, the Children's Online Privacy Protection Act (COPPA) has been in effect since 1998. Most mobile application developers have become accustomed to the regulations associated with offering online services to children under 13.
However, Europe's recently implemented General Data Protection Regulation (GDPR) has introduced a range of edicts regarding child privacy, rendering some child privacy provisions inadequate.
Let's go over the basic requirements for each of the major children's privacy regulations to see what's changed. We'll also give you some tips and ideas for compliance.
If this is your first time developing an app that's aimed towards children, you may not realize the liability involved in collecting personal information from kids.
If your gaming app is attractive to children, it will most likely be considered a child-targeted service under the law.
Even if it's a game targeted to all ages, the application will need to implement strict protocols in the event that children pick up the game and start playing.
Collecting personal information from children is illegal without verifiable parental consent. Unlike the checkbox tick that passes for adult consent, parental consent must be verifiable, such as through a signed form or valid credit card number.
Another big difference is that adults have the power to consent to personalized advertising, while children must not be tracked or personalized for advertising purposes at all. That is not to say that advertising to children is illegal, but that personalization or tracking technology must not be used.
Many gaming apps directed at children choose to avoid any potential infringement of child privacy stipulations like those described above by creating a "zero-data" environment within the game that does not collect any information, either directly or anonymously, from users.
The zero-data method removes the need for parental consent, but it is not possible for all games.
For instance, many online multiplayer games require a user to create an account or username in order to play. Even the creation of a username is enough to warrant parental consent.
The United States blazed new trails in online privacy when they passed the COPPA law in 1998. Since then, it has been expanded and amended into the most comprehensive children's privacy regulation in the world.
Here are a few of its basic requirements:
This policy should outline what information you are collecting from children and how you use that information. Clearly describe how your service collects information, including any third-party affiliates or cookies you have in place.
Disney breaks all this down into three major categories:
On click, each of these categories opens into a very detailed breakdown of all the points described above. Here is an example of one section:
In this way, Disney provides a clear and accessible course of action for parents to remain in control of the information collected about their children.
Unless your game is a zero-data application, you will need to request verifiable consent from a parent before collecting any information at all from a child, even if it's just an IP address.
Verifiable consent may be obtained in a variety of ways:
The verifiable parental consent process is not as complicated as it sounds. Most of the verifiable methods above can be completed with minimal time and effort by implementing a few simple online features.
For example, the children's social network Kudos has streamlined the process into a few easy steps.
The child's birthdate is requested during the registration process to determine their age and if parental consent is necessary:
If the entered birthdate confirms that the child is younger than 13, the application requests a parent's email address to begin the consent verification process:
The parent will receive a copy of the email below, which meets all the requirements set out by COPPA:
All of this information is required by COPPA to be communicated to a parent before collecting personal information from a child
Once the parent clicks the "Authorize" button in the email, they are directed to an online form where they can access and submit their verifiable consent in a variety of different ways. Each of these methods is approved by COPPA and easy to complete online.
There are a few exceptions to the verifiable parental consent requirement.
For example, for the following activities, you would only need to notify the parent or guardian, but not necessarily obtain verifiable consent:
In the case of one of these exceptions above, the app would only need to send direct notification of these activities to a parent or guardian. This notification would need to be confirmed via a link or code verification method.
This process can be illustrated by the Bloxels Builder registration process.
By default, the Bloxels Builder game is a zero-data environment. However, if the child wishes to create an account to save their progress in the game, they will be presented with the following registration screen:
In order to continue, the child must enter a parent's email address where an unlock code will be sent:
After an email address for a parent is entered, the following email will be sent to the parent. Here, the parent is informed of how the game works, what the child will have access to, and which information will be collected from the child:
Note the following statement from the email:
"The only personally identifiable information stored is their email address for password retrieval purposes, but this will never be shared with others."
This statement is important because it is the only manner in which an email address may be collected from a child without using one of the verifiable consent methods mentioned previously.
Once the parent has opened the email, they may click the "Activate Account" link or enter an unlock code within the app:
Once this final step is completed, the child may create his or her own account on the game and play but will not be submitting any personal information other than an email address.
Parents should be able to check yes or no to allow or refuse the sharing of their children's information with third parties.
An online game or app directed at children must still provide their service to children, even if their parents refuse the sharing of personal information to third-parties.
Microsoft illustrates this concept in this online consent form:
Here, along with verifiable consent in the form of a credit card transaction, the parent has the option to allow or disallow their child to use (and share information with) third-parties.
Parents must be given full access to view, update, and delete the personal information held about their children by any online entity.
You must also provide clear instructions to the parents on how to get this access:
In this example, Xbox One provides parents with instructions on how to access and change settings on child accounts:
From inside the account management platform, the parent can view, change, or delete the child's information.
There are also comprehensive settings within the XBox interface to monitor and control children's online privacy settings as they play online games:
Even after a parent has given consent for the collection and processing of their children's personal information, they must be given the option to easily revoke that consent or prevent further use of said information.
Here's how Microsoft provides a "Remove from family" option for child accounts -- an action that would both revoke consent for the use of the child's information and block the child's access from associated online activities:
All possible measures must be taken to protect the information of children and maintain its confidentiality.
When information about children is shared with third parties, it is the responsibility of the original data controller to ensure that those third parties are also upholding sufficient security measures.
Keep the personal data collected from children only as long as is needed to fulfill the purposes for which it was gathered. Once the information is no longer needed, it must be deleted.
All behavioral and targeted advertising to children is out. For this reason, all advertising in a children's gaming app will need to be strictly contextual, unless you have a gated adult section for advertising to parents.
Although the guidelines for children's online privacy in Europe are very similar to those set by COPPA, there are some marked differences - the most significant being the age at which an individual will be considered a child.
Unlike COPPA, which sets a clear cutoff for childhood at 13, the GDPR gives its EU member states a range of ages to choose from. A person between age 13 and 16 may be considered a child, depending in which EU member state they reside in.
In Spain, for example, the cutoff age is 14, while in the Netherlands, the age of consent is set at 16. While some member states do have the cutoff age set at 13, like the USA, it is advised for any online business that collects data from European minors to set the age of adult consent at 16, to be safe.
The GDPR sets fines for failing to obtain parental consent for a child's information at €10 million or 2% of global annual turnover. Below find the main points of GDPR compliance for child-targeted online apps and games.
Article 8 of the GDPR states that "processing [personal information of a child] shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child" and that "the controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology."
At first glance, this sounds similar to the requirements of COPPA, but nowhere in the text of the GDPR does it define what "reasonable efforts" to verify parental consent will be considered valid.
Most European apps and websites that are targeted to children follow verifiable consent guidelines as stated by COPPA, but others argue that such vigilance is not required under the GDPR.
It remains to be seen how GDPR advisory authorities will choose to judge this subject.
Under this article, any targeted or behavioral advertising within a child-targeted app would also require specific consent from the parent or guardian.
Even if your gaming application is not necessarily targeted to children, you may still need to put provisions in place to comply with child privacy laws. Although the game may be originally intended for an older audience, if the graphics and gameplay are deemed attractive to children, FTC and GDPR officials will expect the app to remain compliant with child privacy laws.
One way that applications and online games are addressing this is by creating two different versions of the game - one zero-data environment for users who do not sign in, and an age-gated version of the game with an assigned username for each user.
By using an age-gate and a verified username account, you can ensure that only users of qualified age are submitting personal data.
There are several methods to accomplishing this:
This is an example of an age gate as implemented by the Smurf Village app.
The application Trivia Crack uses a Facebook login to verify user age. Because a user will have verified age already on the social network site, using the social log-in lets you verify age in this roundabout way:
Minecraft requires users to sign in to their Microsoft account in order to use certain game features. This helps Minecraft verify that anyone using these features has a verified Microsoft account and has a birthdate on file.
In order to avoid the additional infrastructure and programming involved in obtaining parental consent, many child-targeted apps and online games are now operating in a zero-data environment. That is to say that they collect no personal data whatsoever during gameplay, using "parental gates" to manage data-requiring activities like in-app purchases.
In order to avoid the legal risks of children attempting to submit unauthorized personal information or make in-app purchases, child-targeted games create parental gates as a safeguard.
Parental gating usually involves the parent following specific written instructions on-screen before passing into a "parents only" section of the app. It may look something like this.
In the children's app Elmo ABCs, the parents' section is marked by a blue button. On click, the text that appears reads, "Drag button to upper left corner to unlock." Once these instructions have been followed, the parents' interface appears:
Within this module, parents can personalize their child's gameplay or shop for in-app purchases, but only after passing through the parental gate.
Another solution is to require parents to perform a simple mathematical equation before proceeding into the adult section, as is demonstrated here in the Puzzingo game app:
By implementing zero-data environments and parental gating, online gaming apps can safely provide entertainment for children while simultaneously serving advertising and in-app purchases to parents.
This may be the simplest solution for games that do not require individual user accounts or personal information for game play.