Privacy Policy for mobile games

Mobile games, especially those directed towards kids, are subject to special requirements when it comes to privacy practices and their Privacy Policy agreements.

You'll need this kind of document even if you don't collect any personal data through the mobile game.

Children are the primary users of many mobile games: in the US, over 46% of teenagers play games on mobile, and kids aged 2 to 12 years old spend the greatest proportion of their device time on gaming.

As a mobile game developer, you need to consider these requirements before you publish your mobile game in any App Store:

Privacy requirements for mobile games

United States

In the U.S., COPPA (Online Privacy Law For Kids) is directed towards businesses (websites, mobile apps, Facebook apps, etc.) that have kids under the age of 13 as their audience.

If your mobile game is directed towards kids under the age of 13, as a business, you're subject to more requirements in order to be compliant with COPPA.

Your Privacy Policy must reflect this:

  • The agreement must disclose all parties that collect personal information from kids while using the game. It needs to disclose how you collect this data, how you store it and how you are using it (for what purposes).
  • A "Parents' Rights" section must be included in the agreement.
  • COPPA requires mobile games to give the parents a direct notice about collecting personal information before the mobile game itself starts processing personal information from kids.
  • COPPA also requires all mobile games to get a parent's verifiable consent over the collection of their kids' personal information.
  • And so on.

If your mobile game is not directed towards kids under 13, make sure that children under 13 are not using and don't have access to your game.

Yelp.com isn't directed towards children under 13 and isn't operating any mobile game, but Yelp asked for users' birth dates during registration and didn't block users whose age was under 13 at the time of registration.

The FTC fined Yelp $450,000 and ordered it to take down all info collected from its users younger than 13 years old from the time they registered to the service.

Southeast Asia

Singapore, Malaysia, and South Korea have some of the most comprehensive general privacy laws in place in the region.

Singapore

In Singapore, the applicable law is the Personal Data Protection Act 2012 (PDPA). The PDPA sets out that consumers have the right to have their personal data protected.

The PDPA also covers the rights of companies to collect that data for legitimate and reasonable purposes.

The Singapore PDPA has no section on the personal information of minors, other than allowing the Minister to make regulations for "the classes of persons who may act under [PDPA] for minors, deceased persons or any other individuals who lack capacity to act under [PDPA]". The PDPA does not specify the situations in which a minor (that is, an individual who is less than 21 years of age) may give consent for the purposes of the PDPA.

The Personal Data Protection Commission in Singapore has stated:

the applicable test under English common law for when a minor can consent on his own behalf in matters relating to medical treatment (and several other areas) is called the Gillick test. In brief, the Gillick test sets out that a minor may provide consent if he has sufficient understanding and intelligence to enable him to understand fully what is proposed. To-date, the Gillick test has not yet been expressly approved by a Singapore court

The Commission has set out guidelines stating:

organisations should generally consider whether a minor has sufficient understanding of the nature and consequences of giving consent, in determining if he can effectively provide consent on his own behalf for purposes of the PDPA.

This means that if minors under the age of 13 are using your mobile game, you should ensure that you obtain consent from the minor's parent or guardian for any collection or use of the minor's private information.

Malaysia

Malaysia's legislation is also called the Personal Data Protection Act (PDPA) but it came into force in November 2013. Its requirements are similar to the Singapore PDPA, as they are both heavily based on the European Data Protection Directive.

Malaysia has no law specific to the information privacy of children.

However, under the Malaysian PDPA data users are required to obtain the consent of data subjects for the processing (which includes collection and disclosure) of their personal data. Where consent is required from a data subject under the age of eighteen, the data user should obtain consent from the parent or guardian.

South Korea

South Korea's privacy legislation is thought to be the strictest in the region. The Personal Information Protection Act (PIPA) came into force in 2012. The South Korean PIPA is thought to be stricter than other privacy legislation in the region because only the minimum collection of data necessary for the purposes is allowed.

The South Korean Framework Act on Juveniles has some laws about preventing harmful media from being distributed to minors. It appears that this relates more to the content of the media itself, rather than the use of children's information when they access that media.

The Act on "Promotion of Information and Communications Network Utilization and Data Protection" also includes a section on collecting the personal information of minors. This section (section 31) requires that:

Any information and communications service provider shall, when it intends to collect the personal information from any child of age below 14 ... or to utilize the personal information or transfer such information ... obtain a consent thereof from his/her legal representative. ... The information and communications service provider may demand from the child the necessary minimum information, including the name, etc. of the legal representative, so as to obtain his/her consent.

The section also allows the legal representative to withdraw his/her consent, and request the access to, or correction of, the personal information provided by the child.

How to design the mobile game

When designing the sign-up of new users (onboarding new users) to start playing your mobile game, consider the privacy implications first: is your mobile game directed towards kids?

If it is, at which point or screen in your mobile game do you ask for personal information from kids? Under COPPA rules, parents must give you their permission before you collect any kind of personal information through your mobile game.

You can include a separate screen in your mobile game that's only accessible by parents where you could inform them about your privacy practices (direct them to the legal agreement).

Your Privacy Policy will still need to cover the same things as any other legal agreement regarding privacy of users, but with additions and modifications relating to children.

A Privacy Policy is a legal statement that explains how customer or user data is collected, used, managed, and disclosed. This legal agreement also explains to the customer how their personal information will be protected.

If you're developing a mobile app directed towards children, your Privacy Policy should set out that:

  • You don't knowingly collect the personal information of children
  • Any information you do collect is kept safe and secure
  • What you use the information for
  • Who you share it with
  • How parents or users can access the information you hold on them or their children
  • Dispute resolution processes

Here's how the Fairy Tales mobile game from Toca Boca includes a section for parents only (notice the For Parents in the top left):

Screenshot of Fairy Tales game

The screen is locked:

Locked Screen by Fairy Tales Game

In this kind of parents-only screen, you can inform parents about your COPPA-compliant status:

Parents-Only Screen In Fairy Tales Game

The Quick Maths Jr. mobile game (by Shiny Things) does something similar. Notice the "For Parents" button on the top left that appears on the first screen after a user loads the mobile game:

Screenshot of Quick Maths Jr Game

The screen is locked:

Lock Screen in Quick Maths Jr Game

This is the parents-only screen from the Quick Maths Jr. game, where you could add the information needed to inform parents about your privacy practices:

Parents-Only Screen in Quick Maths Jr Game

If your mobile game isn't directed towards kids, inform users (both kids and parents) through your Privacy Policy agreement that it isn't.

Here's how the Monster Math mobile game developers are informing users that Makkajai Edu Tech (developers of Monster Math) is complying with COPPA in their Privacy Policy.

However, their mobile game doesn't collect any kind of personal information from kids:

COPPA Compliant Privacy Policy of Makkajai Edu Tech

Make sure that the legal agreement is available on the profile page of the App Store where your mobile game appears (both Apple's App Store and Google's Play Store). This gives users the possibility to read about your practices before downloading the mobile game:

iOS Privacy Policy Link in the App Store

Examples of Privacy Policies

Disney Royal Celebrations

The Royal Celebrations mobile game from Disney is targeted towards kids under the age of 5. Its Privacy Policy is comprehensive as it groups all related legal agreements of Disney:

Screenshot of Disney Privacy Center

Because a mobile game developed by Disney can collect personal information from users and because Disney is based in the U.S., they must comply with COPPA.

Disney's Privacy Center has a Children's Privacy section that informs parents about their privacy practices.

We recognize the need to provide further privacy protections with respect to personal information we may collect from children on our sites and applications. Some of the features on our sites and applications are age-gated so that they are not available for use by children, and we do not knowingly collect personal information from children in connection with those features.

Quick Maths Jr.

The Quick Maths Jr. mobile game developed by Shiny Things Software is directed towards kids at the age of 5 or under, but the mobile game itself doesn't collect any kind of personal information from users as specified in their Privacy Policy:

l in-app purchases are behind a child-proof parental lock. Outside of the locked parental section, Quick Math Jr:

  • Does not have ads
  • Does not collect personal information
  • Does not integrate with social networks
  • Uses analytics to track usage and crash information, no personally identifiable information is collected

LEGO Ninjago Tournament

The Ninjago Tournament mobile game developed by LEGO is aimed at kids between the ages of 9 and 11.

The Privacy Policy page of LEGO informs users that they collect personal information and, if the user is under the age of 12, it asks the parent for permission:

Screenshot of LEGO Summarized Privacy Policy

LEGO's URL to its legal agreement contains the summarized version of their full Privacy Policy page. In the full agreement, LEGO informs users what its policy on Children's Privacy is:

LEGO Full Privacy Policy: Children Privacy

Whenever you're designing your first mobile game, consider the following:

  • Is your mobile game's audience kids under the age of 13?
  • What kind of personal information do you need to collect from your game users?

    The best policy is to collect the least amount of personal information, as this will minimize your risk.

    If you do need to collect at least some types of information, consider if these are personal information or not.

  • Update the Privacy Policy agreement of the mobile game.

    If you don't have this agreement ready yet, create one first before publishing the mobile game.

    If you already have it, update it to inform parents about their rights regarding the privacy of their kids' personal information.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.