I stumbled across these articles today ([1] and [2]) and got really concerned with publishing my first game. What does COPPA imply to game publishers? What are your experiences and how do you handle this? Are you explicitly excluding audiences under 13 or do you have this parental consent in place? How do you handle personal data requirements and do you list personal stored information before the game starts?
Honestly I played a lot of games and I have never seen a game which does that. Does it mean this is safe to ignore or is there some trick I am not aware of?
All new EA mobile games should already be COPPA compliant. e.g. Plants vs. Zombies 2 and Dungeon Keeper. Basically if the player is under 13, you CANNOT collect any info from him/her. In some games they won't allow players to play if he/she is under 13, and in some games chat won't work.
This is stupid. Why isn't this 18 years old? A child is a child. This is vote buying.
Most indies only need worry about what the Ad API might be inquiring about as it's not feasible for them to collect and save this information anyway. You should expect this in the APIs soon enough. These personal information gathering companies should know just because the information they seek is often stored elsewhere on the device that doesn't give them permission to retrieve it. Of course they know that: such companies are playing NSA here.
And I really don't like declining to use Facebook apps because they insist on having your Friend list. The other information is OK - it's mine but my friends and acquaintances aren't personal possessions to be bartered to play some trite game or take some quiz. Are they nuts? Would you make such a request of anyone anywhere else and not be told "Who do you think you are?"
Needed still would be if individual sites and apps allowed you to restrict the content of advertising since it happens over a public venue even if delivered to a "private device" to exclude violent or sexual content in an and/or fashion. It's called being respectful to others shouldn't need a law for that. And then we might get some original good content instead of Doom 2015.
You can't guarantee the player doesn't use a screenname that doesn't match their email or real name - or the name on any other service, or some other online service where you CAN communicate with them. And it sounds like text-chat is a no-go as well.
The full list:
Some are OK (name, phone number, etc.) But how are you supposed to do any sort of online game with the screen name restrictions? Even Mario Kart Wii would violate these rules with the Mii's.
It's really rather silly but advertisers act in a predatory manner.
It's really to protect against predators but the best protection is to police and shut down predator sites and production of predator content. They are descending down a slippery slope by refusing to define obscenity. Obscenity includes violence although many definitions wrongly think it's strictly about sex due to Hollywood and the pervasiveness of violence in their output. To be able to protect against such predators means defining portrayal of some types of obscene behavior as illegal, adult ID or not, and some types of obscene behavior would simply be legal to portray and view by adults. That they were legal to view by adults doesn't mean they necessarily would be legal to participate in such behavior in real life: violence falls under this umbrella. And the easiest way to do that is to have the guts to define a national standard for obscenity (which includes violence), deny access to anyone that can't prove they are of age via an ID, and then enforce those laws.
You don't know how unfettered access can allow predation?
You don't see how parents might be concerned that big corporations are asking for the same information as those creepy sex and violence predators and stalkers seek to find in situations where no money is changing hands to buy a product? That the OpenSSL Heartbleed bug was recently exposed after 2 years. That they've found the world's largest businesses, governments, and criminal organizations have been collecting information on them for years?
The law and its enforcement or lack of enforcement are relevant to trust and the lack of trust that is evidenced by COPPA 2.0 and every new law that is passed.
Stopping kids from watching Robocop will not affect online predators in the slightest (except perhaps by giving them more opportunities to exploit the bored kids). And it still doesn't have anything to do with complying with COPPA, which is the topic at hand.
Stopping exploiting kids is the topic of COPPA. And just as enforcement of minor laws such as vandalism led to a sharp drop in violent crime in NYC so is it elsewhere. It's about respect.
It's about helping protect privacy. It's not a be-all-end-all child internet safety solution. And this topic is about complying with that law. And I've expressed concerns that complying with this law is, in practice, nigh-impossible for any online game. I'd like to hear someone else's opinion on that.
How does preventing criminals from committing crimes so the same criminals don't commit worse crimes relate to preventing children from doing something so that other people don't do something completely unrelated to the children's actions? Unless they're going around in their van bribing kids with Rambo, I don't see the connection.
Problem is us legit game devs who want to let players communicate with each other get caught in the crossfire. There has to be a better way than requiring each and every player to send in a copy of their driver's license, or something equally impractical.
Our experience with it (in one particular case) was pretty rough. We ended up paying millions in fines. It had to do with collecting/storing email and ages upon registration, and then allowing users to be able to share that information with the system itself. Essentially, a child could register (kids were a part of the audience for that game), but then could make their age and email available in their public profile (though I don't believe that was the default setting). In truth it was nothing that our company directly did.
It is not my area, and I don't know a whole lot about the specifics, but at the point where my responsibilities do deal with it, my understanding is that sharing any information regarding age or other personal information should not be allowed by the system. And that reasonable measures should be taken to prevent it. (not allowing elements of the system to identify personal details, like forums or clan names for example) I know there is more to it than that, but that is just where my knowledge of it connects with what parts of the games I build.
I checked out how PvZ2 does it. They show a popup to enter the user's age the first time it is started (and never again until you delete the local data). I tried 12 and 20. The difference I could spot is Facebook integration. When you are <13 you won't see any of it.
From what I read about COPPA this is not enough though. How do they ensure that a child does not enter a higher age? This is where this whole written consent thing comes into play. I really doubt the practical feasibility of it.
What I wonder though: Why do we developers have to care about all that? Shouldn't the app store be the central gate keeper and if parents enter their password to download a game it's their decision. If they don't want their child to play it don't download it. Period. I wonder if the law somehow got beyond what is reasonable.
It's the law is why but in the same way there are those that claim US income taxes are illegal and go to jail for it you can sacrifice your freedom to preserve your lack of a right to collect children's personal information.
IANAL, but my experience/understanding of "usernames", "screen names" and "persistent identifier(s)" referenced in the "Personal Information" category is specifically about what is collected. These are separate from the username your player would choose at your site/game. They mean things like skype, instant messengers and icq. For example, look here on your profile page. Items listed under Instant messages would be examples of collected personal information.
If you read the full document, each of those elements described is defined within scope of the document. Personal information is described as information collected for use of the site/app/game. A "username" is described as "A screen or user name that functions as online contact information". This means a field that collects your facebook/skype/twitter/etc. username. These "function" as an online contact. If the player has to choose a username to play in your game, that doesn't "function" as an online contact. Sure, a user could (and probably does) choose a name that is the same as their fb name, but that can be handled by a large disclaimer warning them not to use an identifying handle or if they are <13 auto-generate or have them choose from wordlists. (many games already do this).
It's not impossible at all, it is just something that you have to be aware of. If you don't collect any extraneous personal data, and more importantly, do not share any personal information, you should be fine. You can go further by not collecting/sharing any data and connecting users through gamecenter/fb. Then you will have only an anonymous id and the onus is on those parties.
Not really. It helps ensure that a certain amount of due diligence is being done. If you are dealing with and sharing user/player information, you have a responsibility to behave ethically. But it is very possible to have no intention to do anything unethical and still do something that can cause harm, simply because you didn't understand (or couldn't comprehend) how something you built could be used in an unethical way. I would assume you, like me, and I would wager 99.999% of game devs, don't constantly consider how your game may help predators connect with kids. And would probably be horrified if you found that your game was used for that purpose, especially if it could have been prevented. Yea, COPPA can be a bit of hassle, but really not a lot of extra work, and well worth it if it makes exploiting kids more difficult for those who want to.
COPPA predates the app center. I agree that if you are making a mobile game for the app store, you really don't have to worry about that much at. Especially if you don't collect any additional information or connect outside the gamecenter, and don't share any info.
If you are developing a social/web game, as a developer you should be very informed about it, and be very careful.
Gave the page another look and it seems more reasonable this time around, especially after reading your reply.
Fair enough. Would be nice to get a concrete answer, though. $16000 is a large gamble on this sort of thing.
I like the wordlist idea. But, how do we know that simply allowing them to potentially choose the same name as elsewhere doesn't violate the law? And what if the word list lets a kid make his YouTube screen name?
Fair enough. But let's say that collecting usernames IS a violation. Then what? I can't afford to set up a call center, and I can't see many parents willing to go through all this to let their kid play a game.
Still, kids games aren't usually online anyways (with some exceptions, like Club Penguin), so it doesn't seem to be much of a problem. Mobile games targeted at 13-15 year olds could definitely pose a problem though.
Think you may want to add a few more "9's" in there.
Certainly.
Still a little uneasy about this, but certainly not as much as before. Thanks.
It's like I believe you mentioned earlier, nothing is 100% perfect. They could use their ssn, phone number, full name or email as their username. IANAL, but I believe that the main difference is that a user name chosen for participation/identification in a social game is by definition public information. While info like contact information related to the account (email, contact, age, billing, etc) is personal information. There is no expectation of privacy with a username in game for obvious reasons, and in fact the whole point of a username is to unbind it from a real name. At some point a parent has to be responsible, but a parent should be able to reasonably expect that if they do make that effort that a game/site won't sell or publish "personal" information.
It's best not to collect personal information you don't need. If your data is compromised you could be responsible. If you don't collect it in the first place you are safe, and safe with regards to COPPA. Use existing, well-known and safe third parties like GameCenter or Facebook.
As you said, most aren't targeted specifically toward kids. (Club Penguin is one of ours, and it is a whole different ball of wax. We have many teams/people dedicated to making our kid's games as safe as possible as we have several products/games directly built for kids.) I believe that as long as your target audience isn't specifically <13 kids, and you aren't collecting personal data yourself (or sharing personal data), you shouldn't have to worry. But that isn't legal advice. If you think there may be a concern with something you are doing, contact a lawyer that specializes in this sort of stuff. A consultation with a lawyer would be cheaper than a lawsuit.