5 things game developers need to know about COPPA and GDPR-K

With 170,000 kids going online for the first time every day, developers have to consider them a likely audience for their games, even if they are not deliberately child-directed. Data privacy laws for children such as COPPA (US) and GDPR-K (EU) are now well known, but the lack of clear guidance on how to apply them can make publishing such games difficult and scary for developers.

Here are five things to keep in mind if you’re developing apps or sites for a children’s audience OR which might be accessed by children:

1. COPPA/GDPR-K seeks to put parents in control over what information is collected from their children.

Up until this point, developers were able to collect and use data freely. Most games developers are used to this concept being universal. If you’ve got a kids audience (or might have), you have to think in a new paradigm.  

Are you interested in implementing push notifications in your app? Here’s how to do it compliantly. 

2. In the absence of explicit verifiable parental consent, COPPA/GDPR-K prohibits the collection of any information that can identify a person.

This includes the name, address, online username, image, voice recording, telephone or social security number, geolocation, or a persistent identifier (such as a cookie ID, device ID or IP address).  Critically for game developers, this also includes the technical identifiers needed to send push notifications. Basically, data collection should be kept to an absolute minimum when dealing with young audiences.  Any user-generated content that can be shared publicly is considered personal information.

3. These laws apply to any website, online service or mobile app that’s directed (or deemed to be directed) at children.

This is judged by subject matter, content, use of cartoons and other child-friendly imagery, among a number of other factors. Importantly for game developers creating more casual or family games, it also applies to any sites that are aware that they have an audience of children under 13 (US) or 16 (EU).  AND – importantly – it also applies to any site with an audience in the US or EU, whether the owner operates there or not.

4. Websites or services that are caught out can be fined $40k per user under COPPA, or 4% of turnover under GDPR-K

The intention is that the penalties be deliberately harsh in order to ensure that games developers act proactively rather than reactively. In 2018 alone over $6,000,000 of fines were doled out in the US alone.  Now that GDPR-K has been enacted, European companies are vulnerable to even bigger penalties. Additionally, civil class actions are now being filed, which pose an entirely separate (and potentially much larger) risk.

5. It’s not just the big brands and publishers any more

The topic of children’s digital privacy has become mainstream and now even small publishers are being called out (and commercially badly damaged as a result) for breaches of these laws.

Some innovative kids’ content startups are building in data privacy compliance from the start.

Tankee is the fastest growing games streaming platform for kids. You can see how they’ve tackled the challenges around COPPA and GDPR-K in this case study.

Or just get in touch with any questions.  

Leave a Reply