03 February 2020
You'll need this kind of document even if you don't collect any personal data through the mobile game.
Children are the primary users of many mobile games: in the US over, 46% of teenagers, play games on mobile, and kids aged 2 to 12 years old spend the greatest proportion of their device time on gaming.
As a mobile game developer, you need to consider these requirements before you publish your mobile game in any App Store:
In the U.S., COPPA (Online Privacy Law For Kids) is directed towards businesses (websites, mobile apps, Facebook apps, etc.) that have kids under the age of 13 as their audience.
If your mobile game is directed towards kids under the age of 13, as a business, you're subjected to more requirements in order to be compliant with COPPA.
If your mobile game is not directed towards kids under 13, make sure that children under 13 are not using and don't have access to your game.
Yelp.com isn't directed towards children under 13 and isn't operating any mobile game, but Yelp asked for users' birth dates during registration and didn't block users whose age was under 13 at the time of registration.
The FTC fined Yelp fined $450,000 and ordered it to take down all info collected from its users younger than 13 years old from the time they registered to the service.
Singapore, Malaysia, and South Korea have some of the most comprehensive general privacy laws in place in the region.
In Singapore, the applicable law is the Personal Data Protection Act 2012 (PDPA). The PDPA sets out that consumers have the right to have their personal data protected.
The PDPA also covers the rights of companies to collect that data for legitimate and reasonable purposes.
The Singapore PDPA has no section on the personal information of minors, other than allowing the Minister to make regulations for "the classes of persons who may act under [PDPA] for minors, deceased persons or any other individuals who lack capacity to act under [PDPA]". The PDPA does not specify the situations in which a minor (that is, an individual who is less than 21 years of age) may give consent for the purposes of the PDPA.
The Personal Data Protection Commission in Singapore has stated that "the applicable test under English common law for when a minor can consent on his own behalf in matters relating to medical treatment (and several other areas) is called the Gillick test.
In brief, the Gillick test sets out that a minor may provide consent if he has sufficient understanding and intelligence to enable him to understand fully what is proposed. To-date, the Gillick test has not yet been expressly approved by a Singapore court.
The Personal Data Protection Commission in Singapore has stated:
the applicable test under English common law for when a minor can consent on his own behalf in matters relating to medical treatment (and several other areas) is called the Gillick test. In brief, the Gillick test sets out that a minor may provide consent if he has sufficient understanding and intelligence to enable him to understand fully what is proposed. To-date, the Gillick test has not yet been expressly approved by a Singapore court
The Commission has set out guidelines stating:
organisations should generally consider whether a minor has sufficient understanding of the nature and consequences of giving consent, in determining if he can effectively provide consent on his own behalf for purposes of the PDPA.
This means that you need to consider the fact that if minors under the age of 13 are using your mobile game, you should ensure that you obtain consent from the minor's parent or guardian for any collection or use of the minor's private information.
Malaysia's legislation is also called the Personal Data Protection Act (PDPA) but it came into force in November 2013. It's requirements are similar to the Singapore PDPA, as they are both heavily based on the European Data Protection Directive.
Malaysia has no law specific to the information privacy of children.
However, under the Malaysian PDPA data users are required to obtain the consent of data subjects for the processing (which includes collection and disclosure) of their personal data. Where consent is required from a data subject under the age of eighteen, the data user should obtain consent from the parent or guardian.
South Korea's privacy legislation is thought to be the strictest in the region. The Personal Information Protection Act (PIPA) came into force in 2012. The South Korean PIPA is thought to be stricter than other privacy legislation in the region because only the minimum collection of data necessary for the purposes is allowed.
The South Korean Framework Act on Juveniles has some laws about preventing harmful media from being distributed to minors. It appears that this relates more to the content of the media itself, rather than the use of children's information when they access that media.
The Act on "Promotion of Information and Communications Network Utilization and Data Protection" also includes a section on collecting the personal information of minors. This section (section 31) requires that:
Any information and communications service provider shall, when it intends to collect the personal information from any child of age below 14 ... or to utilize the personal information or transfer such information ... obtain a consent thereof from his/her legal representative. ... The information and communications service provider may demand from the child the necessary minimum information, including the name, etc. of the legal representative, so as to obtain his/her consent.
The section also allows the legal representative to withdraw his/her consent, and request the access to, or correction of, the personal information provided by the child.
When designing the sign-up of new users (on boarding new users) to start playing your mobile game, consider the privacy implications first: is your mobile game directed towards kids?
If it is, at which point or screen from your mobile game you ask for personal information from kids? Under COPPA rules, parents must give you their permission before you collect any kind of personal information through your mobile game.
You can include a separate screen in your mobile game that's only accessible by parents where you could inform them about your privacy practices (direct them to the legal agreement).
Here's how Fairy Tales mobile game from Toca Boca includes a section for parents only (notice the For Parents in the top left):
The screen is locked:
In this kind of parents-only screen, you can inform parents about your COPPA-compliant status:
The Quick Maths Jr. mobile game (by Shiny Things) does something similar. Notice the "For Parents" button on the top left that appears on the first screen after a user loads the mobile game:
The screen is locked:
This is the parents-only screen from the Quick Maths Jr. game, where you could add the information needed to inform parents about your privacy practices:
However, their mobile game doesn't collect any kind of personal information from kids:
Make sure that the legal agreement is available on the profile page of the App Store where your mobile game appears (both Apple's App Store or Google's Play Store). This gives users the possibility to read about your practices before downloading the mobile game:
Disney Royal Celebrations
Because a mobile game developed by Disney can collect personal information from users and because Disney is based in the U.S., they must comply with COPPA.
Disney's Privacy Center has a Children's Privacy section that informs parents about their privacy practices.
We recognize the need to provide further privacy protections with respect to personal information we may collect from children on our sites and applications. Some of the features on our sites and applications are age-gated so that they are not available for use by children, and we do not knowingly collect personal information from children in connection with those features.
Quick Maths Jr.
l in-app purchases are behind a child-proof parental lock. Outside of the locked parental section, Quick Math Jr:
- Does not have ads
- Does not collect personal information
- Does not integrate with social networks
- Uses analytics to track usage and crash information, no personally identifiable information is collected
LEGO Ninjago Tournament
The Ninjago Tournament mobile game developed by LEGO is aimed for kids between the age of 9 and 11.
Whenever you're designing your first mobile game, consider the following:
What kind of personal information you need to collect from your game users?
The best policy is to collect the least amount of personal information, as this will minimize your risk.
If you do need to collect at least some types of information, consider if these are personal information or not.
If you don't have this agreement ready yet, create one first before publishing the mobile game.
If you already have it, update it to inform parents about their rights regarding the privacy of their kids' personal information.