Owners of mobile games may be required to get consent from users before collecting, using, or disclosing their personal information. Failure to do so can result in fines, legal issues, loss of consumer trust, and possibly the removal of your mobile game from app store distribution.

Here's what you should know about what consent is and when you need to obtain it, how to get consent, and what happens if you fail to get required consent with your mobile games.



Consent in the context of legal requirements for mobile games refers to the permission the owner of the game must obtain from users before collecting, using, or sharing their personal information.

Personal information is any information that can be used to identify an individual, such as birthdays, email addresses, and financial information.

Many state, federal, and global privacy laws require businesses to get users' consent before collecting, processing (using), or disclosing users' personal information. However, even in situations where it may not be legally required, getting consent is a good idea as it can help demonstrate your business's commitment to transparency and build trust with consumers.

Here's an example of a type of consent request screen in a mobile game that asks players to consent to the Terms and Privacy Policy of the game:

Gardenscapes mobile game app: Notification to Accept Terms of Use and Privacy Policy

Yes, it is a requirement of both laws and app stores where mobile games will be distributed.

Privacy legislation is constantly evolving, but the laws that apply to you typically depend on your location and business activities as well as your users' locations. You should research the requirements that apply to you to avoid penalties for noncompliance.

Here are a few laws that require mobile games to get consent before collecting, processing, or disclosing users' personal data.

GDPR

The European Union's (EU) General Data Protection Regulation applies to businesses located within the EU that process personal data as well as companies outside of the EU that offer goods or services to or monitor the behavior of individuals located in the EU.

Among other requirements, the GDPR requires businesses to ensure personal data is processed in accordance with one of its six lawful bases, one of which is consent. Many businesses choose consent as their legal reason for processing data.

Under the GDPR, consent must be "freely given, specific, informed, and unambiguous."

COPPA

If your mobile game is intended for children, you will need to comply with the Children's Online Privacy Protection Act (COPPA). The Federal Trade Commission (FTC) developed the COPPA Rule to interpret and enforce COPPA. The COPPA rule applies to anyone who operates a commercial website or online service (including mobile games) that targets children under 13 and collects, processes, or discloses children's personal information.

General audience websites and online services that collect, use, or share personal information belonging to children and operators who have a third party collect or maintain children's personal information on their behalf must also comply with the COPPA Rule.

The COPPA Rule requires applicable operators to post a Privacy Policy that describes how they treat children's personal information, get verifiable parental consent before collecting children's personal information, and give parents the right to opt out of future collection or use of a child's personal information, among other requirements.

Section 312.3 of the COPPA Rule explains that operators of websites and online services must maintain an accessible Privacy Policy and get parental consent before collecting children's personal information, in addition to other obligations:

COPPA Rule Section 312 3 excerpt

CCPA

The California Consumer Privacy Act (CCPA) requires applicable businesses to notify California consumers about their data collection practices and enable them to opt in or out of certain data processing activities.

It also requires businesses to get explicit consent from a parent or guardian before selling or sharing any personal data belonging to minors under the age of 13.

Section 1798.120 of the CCPA states that businesses cannot sell or share personal information belonging to consumers under the age of 16 unless they get the consumer's consent. Parents or guardians must consent to the sale or sharing of personal data belonging to minors under the age of 13:

CCPA Section 1798 120 with Section c highlighted

App stores such as the Google Play and Apple Store require certain things for apps they allow to be distributed on their platforms, including obtaining necessary consent before collecting personal data through the game.

In general, you should get consent before collecting, processing, or sharing personal information.

Specific situations in which you may need to obtain consent include the following:

  • If your mobile game is aimed at kids. Use an age verification mechanism and get parental or guardian consent before collecting children’s personal information.
  • If you sell personal data to or share personal data with third parties. Users should have access to information about how you intend to use their data. Be sure to get consent to use their data for those specific activities.
  • If you use personal data for tracking, profiling, or marketing purposes. It’s important to let users know if you track their behavior or preferences for analytics, email marketing, or targeted advertising purposes.
  • If you collect sensitive information. Sensitive information can include data about race or ethnicity, financial and health information, and information about an individual’s sexual orientation.
  • If you use real-time location data. Location data is considered personal information under some privacy laws.
  • If your game requires access to certain device features. You should get consent if your game requests access to mobile device features such as contacts or the camera or microphone.

The first step in obtaining user consent is clearly explaining what you intend to do with any personal data you collect (and giving users options for how to manage how their data is used). You will need to provide this information before collecting personal data.

One way to ensure users are informed about your data processing activities and understand their rights is to include that information within your legal agreements. You can (and should) provide links to your Privacy Policy and Terms and Conditions agreement within your consent mechanism and design the mechanism so that users must agree to your terms before playing your game.

A Privacy Policy is a legal document that explains how you handle users' personal information and how they can exercise their privacy rights. Many data protection laws (including the GDPR, CCPA, and COPPA) require applicable businesses to maintain a Privacy Policy.

Summoners War X Demon Slayer's Privacy Policy contains clauses concerning the data it collects, what it does with the information it collects, its users' privacy rights, and how it treats children's information, among others:

Summoners War game Privacy Policy table of contents

A Terms and Conditions agreement (also referred to as a Terms of Service or Terms of Use agreement) explains the rules and responsibilities users must agree to in order to use your mobile game.

MONOPOLY GO!'s Terms of Service agreement includes clauses about licensure, user content, fees, and disclaimers:

Monopoly Go game Terms of Service table of contents

It's not enough to inform users about how you handle personal information. You will also need a way to record their consent. A common consent mechanism for mobile games is a clickwrap agreement.

A clickwrap agreement consists of a statement that the user agrees to the terms listed in your legal agreements and includes links to those agreements. The user must tick a checkbox or button next to a statement indicating that they have read and consent to your legal agreements before they can play your mobile game.

When users download Pokémon TCG Pocket, they are met with a statement that they must agree to its Terms of Use agreement and Privacy Notice in order to play the mobile game. Users can click on the relevant buttons to read the legal documents and then must tick a checkbox next to a statement that they agree to each document:

Pokemon TCG Pocket game Agree to Terms and Privacy screen

In order to play Genshin Impact, users must register for an account and tick a checkbox next to a statement that they have read and agree to the game's linked Terms of Service agreement and Privacy Policy:

Genshin Impact game Register screen with Agree section highlighted

Another way mobile game owners can get consent from users is through the use of a pop-up box that contains information about what personal data they are collecting and how it's being used.

Users can consent to the data processing activities by clicking a button that says "Accept" or "I Agree" within a pop-up box.

When users first open the RAID: Shadow Legends mobile game, they are presented with a pop-up box that users must agree to its Terms of Use agreement, Privacy Policy, and Cookie Policy. Users can click on "Review" to read the game's terms and must click "Accept" to exit the box and continue with the mobile game:

RAID Shadow Legends game Accept Terms of Use screen

If a user consents to the game's Terms of Use agreement, they are presented with an informational pop-up box that lets them know that they can get a personalized experience if they allow the game to track their data across other apps and websites:

RAID Shadow Legends game Tracking information screen

When the user clicks "Continue," they can choose to allow the app to track their activity or deny the tracking request:

RAID Shadow Legends game Allow tracking permissions screen

Similarly, when users open Homescapes for the first time, they are presented with a pop-up box that contains links to its Terms of Use agreement and Privacy Policy, and a statement that by clicking "OK" they are accepting the game's legal agreements:

Homescapes game Accept Terms and Privacy Policy pop-up

When the user clicks "OK," they encounter a second pop-up box asking if the user will allow the mobile game to track their activity across third-party apps and websites to improve its advertising campaigns and the user's gaming experience. The user can either accept or deny the request and then move forward with playing the game:

Homescapes game Accept tracking pop-up

If your game is geared toward children, you may also need to use age verification mechanisms to get parental consent before collecting users' personal data.

When users download Disney Magic Kingdoms, they must enter their age and then click "Accept" to indicate that they have read and agree to the mobile game's linked legal documents:

Disney Magic Kingdoms game Age verification and accept legal agreements screen

If the user is underage and clicks "Accept," they will be presented with a second pop-up window with a statement requiring the consent of parents or guardians:

Disney Magic Kingdoms game Age verification and accept legal agreements screen with underage and parental consent notice

Family Island users must confirm that they are at least 16 years old and have read and agree to the mobile game's Terms and Conditions agreement and Privacy Policy in order to play:

Family Island game: Age verification and agree to legal agreements consent screen

Remember, you want to give users choices as to how their data will be used, and make sure you get consent before collecting or processing their data.

If you don't obtain consent when required by law, you may be subject to fines and legal action. Your game can also be removed from app stores for violating laws and requirements.

For example, the GDPR explains that infringements involving the conditions for consent are subject to fines of up to the higher amount of €20 million or 4% of the company's annual revenue from the previous year.

Summary

Consent, in the context of mobile games, refers to the process of getting users' permission to collect, use, or disclose their personal information.

Many state, federal, and international privacy laws require applicable businesses to obtain user consent before collecting, processing, or sharing users' personal data. The laws that require mobile game owners to get consent before collecting or processing users' personal information often depend on the owner's location and business activities as well as the users' locations.

Major privacy laws include the GDPR, CCPA, and COPPA.

App stores also have requirements around obtaining appropriate consent before mobile games can be distributed on the stores.

Mobile game owners should get consent whenever they collect, use, or disclose users' personal information.

You may need to get consent in the following situations:

  • If your mobile game is directed at kids
  • If you sell or share personal information
  • If you use personal data for tracking, profiling, or advertising purposes
  • If you collect sensitive personal data
  • If you use location data
  • If your mobile game requests access to certain mobile device features

Mobile game owners can get consent by using a consent mechanism such as a clickwrap agreement to provide access to their legal agreements, explain their data processing activities, and record user consent.

If you fail to get required consent from users of your mobile game, you may be faced with financial penalties and legal consequences, and have your game pulled from app store distribution.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy