In the United States, the Children's Online Privacy Protection Act (COPPA) has been in effect since 1998. Most mobile application developers have become accustomed to the regulations associated with offering online services to children under 13.
However, Europe's recently implemented General Data Protection Regulation (GDPR) has introduced a range of edicts regarding child privacy, rendering some child privacy provisions inadequate.
Let's go over the basic requirements for each of the major children's privacy regulations to see what's changed. We'll also give you some tips and ideas for compliance.
- 1. The Loophole
- 2. Complying with COPPA
- 2.1. Post a clear Privacy Policy
- 2.2. Get parental consent
- 2.2.1. Verifiable Consent
- 2.2.2. Notification Only
- 2.3. Give parents a choice about sharing personal information with third parties
- 2.4. Allow parents to review and/or delete children's personal information
- 2.5. Allow parents to revoke consent
- 2.6. Keep personal information of children confidential and secure
- 2.7. Only retain children's personal data for as long as absolutely necessary
- 2.8. No personalized advertising
- 3. Complying with the GDPR
- 3.1. Child-Intelligible Privacy Policy
- 3.2. Parental Consent Under the GDPR
- 4. What if the App is Targeted to All Ages?
- 4.1. Age gate and assignation of an email-verified username
- 4.2. Sign-in using a social network that allows access to user birthdate
- 4.3. Sign-in using an affiliated user account on another server, such as a Game Center, X-Box Live, or Google Play account that can verify user birthdate
- 5. Zero-Data Environments
- 5.1. In-App Parental Gating
If this is your first time developing an app that's aimed towards children, you may not realize the liability involved in collecting personal information from kids.
If your gaming app is attractive to children, it will most likely be considered a child-targeted service under the law.
Even if it's a game targeted to all ages, the application will need to implement strict protocols in the event that children pick up the game and start playing.
Collecting personal information from children is illegal without verifiable parental consent. Unlike the checkbox tick that passes for adult consent, parental consent must be verifiable, such as through a signed form or valid credit card number.
Another big difference is that adults have the power to consent to personalized advertising, while children must not be tracked or personalized for advertising purposes at all. That is not to say that advertising to children is illegal, but that personalization or tracking technology must not be used.
The Loophole
Many gaming apps directed at children choose to avoid any potential infringement of child privacy stipulations like those described above by creating a "zero-data" environment within the game that does not collect any information, either directly or anonymously, from users.
The zero-data method removes the need for parental consent, but it is not possible for all games.
For instance, many online multiplayer games require a user to create an account or username in order to play. Even the creation of a username is enough to warrant parental consent.
Complying with COPPA
The United States blazed new trails in online privacy when they passed the COPPA law in 1998. Since then, it has been expanded and amended into the most comprehensive children's privacy regulation in the world.
Here are a few of its basic requirements:
Post a clear Privacy Policy
This policy should outline what information you are collecting from children and how you use that information. Clearly describe how your service collects information, including any third-party affiliates or cookies you have in place.
Many companies choose to create a separate Children's Privacy Policy to fulfill this requirement:
The above is the Disney Children's Privacy Policy. This is separate from the corporate Privacy Policy and includes a section for parental controls.
According to COPPA, the Privacy Policy for an online service directed to children should include the following:
- Clearly and comprehensively, which information is being collected about children and why
- How this information is collected and used
- Any third-party affiliates that will have access to the information and why
- Statement of parental rights regarding their children's personal information
- Instructions as to how children's' information may be accessed, reviewed, edited, or deleted by the parents
- Instructions on how consent may be given and/or revoked by the parents
Disney breaks all this down into three major categories:
On click, each of these categories opens into a very detailed breakdown of all the points described above. Here is an example of one section:
In this way, Disney provides a clear and accessible course of action for parents to remain in control of the information collected about their children.
Get parental consent
Unless your game is a zero-data application, you will need to request verifiable consent from a parent before collecting any information at all from a child, even if it's just an IP address.
Verifiable consent may be obtained in a variety of ways:
- Send a form to the parent's email address that would need to be printed, signed, and returned via mail, fax, or electronic scan.
- Require the parent to submit a valid credit card number or other form of online payment that may be verified through a small transaction.
- Have the parent call into a toll-free telephone verification system or video call staffed by trained personnel.
- Request a government-issued identification document, provided this information is deleted after the verification process is complete.
Verifiable Consent
The verifiable parental consent process is not as complicated as it sounds. Most of the verifiable methods above can be completed with minimal time and effort by implementing a few simple online features.
For example, the children's social network Kudos has streamlined the process into a few easy steps.
The child's birthdate is requested during the registration process to determine their age and if parental consent is necessary:
If the entered birthdate confirms that the child is younger than 13, the application requests a parent's email address to begin the consent verification process:
The parent will receive a copy of the email below, which meets all the requirements set out by COPPA:
This email describes the application for which the child is trying to register, lists the personal information Kudos will collect from the child, describes their policies for marketing and third-party sharing, and links to the Privacy Policy.
All of this information is required by COPPA to be communicated to a parent before collecting personal information from a child
Once the parent clicks the "Authorize" button in the email, they are directed to an online form where they can access and submit their verifiable consent in a variety of different ways. Each of these methods is approved by COPPA and easy to complete online.
Notification Only
There are a few exceptions to the verifiable parental consent requirement.
For example, for the following activities, you would only need to notify the parent or guardian, but not necessarily obtain verifiable consent:
- For a child to create a username within a game where no other data is collected, while ensuring that the username will not to be used as a form of communication.
- Where a game collects a child's email only to communicate with the child in regard to their account, but will not use the information in any other way or share it with third parties.
- If an app needs to collect the names of the child, their parents, and a parent's email address for no reason other than to protect the child's safety.
In the case of one of these exceptions above, the app would only need to send direct notification of these activities to a parent or guardian. This notification would need to be confirmed via a link or code verification method.
This process can be illustrated by the Bloxels Builder registration process.
By default, the Bloxels Builder game is a zero-data environment. However, if the child wishes to create an account to save their progress in the game, they will be presented with the following registration screen:
In order to continue, the child must enter a parent's email address where an unlock code will be sent:
After an email address for a parent is entered, the following email will be sent to the parent. Here, the parent is informed of how the game works, what the child will have access to, and which information will be collected from the child:
Note the following statement from the email:
"The only personally identifiable information stored is their email address for password retrieval purposes, but this will never be shared with others."
This statement is important because it is the only manner in which an email address may be collected from a child without using one of the verifiable consent methods mentioned previously.
Once the parent has opened the email, they may click the "Activate Account" link or enter an unlock code within the app:
Once this final step is completed, the child may create his or her own account on the game and play but will not be submitting any personal information other than an email address.
Give parents a choice about sharing personal information with third parties
Parents should be able to check yes or no to allow or refuse the sharing of their children's information with third parties.
An online game or app directed at children must still provide their service to children, even if their parents refuse the sharing of personal information to third-parties.
Microsoft illustrates this concept in this online consent form:
Here, along with verifiable consent in the form of a credit card transaction, the parent has the option to allow or disallow their child to use (and share information with) third-parties.
Allow parents to review and/or delete children's personal information
Parents must be given full access to view, update, and delete the personal information held about their children by any online entity.
You must also provide clear instructions to the parents on how to get this access:
In this example, Xbox One provides parents with instructions on how to access and change settings on child accounts:
From inside the account management platform, the parent can view, change, or delete the child's information.
There are also comprehensive settings within the XBox interface to monitor and control children's online privacy settings as they play online games:
Allow parents to revoke consent
Even after a parent has given consent for the collection and processing of their children's personal information, they must be given the option to easily revoke that consent or prevent further use of said information.
Here's how Microsoft provides a "Remove from family" option for child accounts -- an action that would both revoke consent for the use of the child's information and block the child's access from associated online activities:
Keep personal information of children confidential and secure
All possible measures must be taken to protect the information of children and maintain its confidentiality.
Assurances to this affect may be included within the Children's Privacy Policy, as shown here by Time for Kids:
When information about children is shared with third parties, it is the responsibility of the original data controller to ensure that those third parties are also upholding sufficient security measures.
Time for Kids also mentions these requirements in their Children's Privacy Policy:
Only retain children's personal data for as long as absolutely necessary
Keep the personal data collected from children only as long as is needed to fulfill the purposes for which it was gathered. Once the information is no longer needed, it must be deleted.
No personalized advertising
All behavioral and targeted advertising to children is out. For this reason, all advertising in a children's gaming app will need to be strictly contextual, unless you have a gated adult section for advertising to parents.
Complying with the GDPR
Although the guidelines for children's online privacy in Europe are very similar to those set by COPPA, there are some marked differences - the most significant being the age at which an individual will be considered a child.
Unlike COPPA, which sets a clear cutoff for childhood at 13, the GDPR gives its EU member states a range of ages to choose from. A person between age 13 and 16 may be considered a child, depending in which EU member state they reside in.
In Spain, for example, the cutoff age is 14, while in the Netherlands, the age of consent is set at 16. While some member states do have the cutoff age set at 13, like the USA, it is advised for any online business that collects data from European minors to set the age of adult consent at 16, to be safe.
The GDPR sets fines for failing to obtain parental consent for a child's information at €10 million or 2% of global annual turnover. Below find the main points of GDPR compliance for child-targeted online apps and games.
Child-Intelligible Privacy Policy
Although a separate children's Privacy Policy is not specifically required by the GDPR, it does mention that any online business that targets children should write their Privacy Policy in a way that is clear and easy for children to understand.
The UK's Eureka! Children's Museum keeps their Privacy Policy short and simple for the benefit of any children that may read it:
Parental Consent Under the GDPR
Article 8 of the GDPR states that "processing [personal information of a child] shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child" and that "the controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology."
At first glance, this sounds similar to the requirements of COPPA, but nowhere in the text of the GDPR does it define what "reasonable efforts" to verify parental consent will be considered valid.
Most European apps and websites that are targeted to children follow verifiable consent guidelines as stated by COPPA, but others argue that such vigilance is not required under the GDPR.
It remains to be seen how GDPR advisory authorities will choose to judge this subject.
Under this article, any targeted or behavioral advertising within a child-targeted app would also require specific consent from the parent or guardian.
What if the App is Targeted to All Ages?
Even if your gaming application is not necessarily targeted to children, you may still need to put provisions in place to comply with child privacy laws. Although the game may be originally intended for an older audience, if the graphics and gameplay are deemed attractive to children, FTC and GDPR officials will expect the app to remain compliant with child privacy laws.
One way that applications and online games are addressing this is by creating two different versions of the game - one zero-data environment for users who do not sign in, and an age-gated version of the game with an assigned username for each user.
By using an age-gate and a verified username account, you can ensure that only users of qualified age are submitting personal data.
There are several methods to accomplishing this:
Age gate and assignation of an email-verified username
This is an example of an age gate as implemented by the Smurf Village app.
Sign-in using a social network that allows access to user birthdate
The application Trivia Crack uses a Facebook login to verify user age. Because a user will have verified age already on the social network site, using the social log-in lets you verify age in this roundabout way:
Sign-in using an affiliated user account on another server, such as a Game Center, X-Box Live, or Google Play account that can verify user birthdate
Minecraft requires users to sign in to their Microsoft account in order to use certain game features. This helps Minecraft verify that anyone using these features has a verified Microsoft account and has a birthdate on file.
Zero-Data Environments
In order to avoid the additional infrastructure and programming involved in obtaining parental consent, many child-targeted apps and online games are now operating in a zero-data environment. That is to say that they collect no personal data whatsoever during gameplay, using "parental gates" to manage data-requiring activities like in-app purchases.
In-App Parental Gating
In order to avoid the legal risks of children attempting to submit unauthorized personal information or make in-app purchases, child-targeted games create parental gates as a safeguard.
Parental gating usually involves the parent following specific written instructions on-screen before passing into a "parents only" section of the app. It may look something like this.
In the children's app Elmo ABCs, the parents' section is marked by a blue button. On click, the text that appears reads, "Drag button to upper left corner to unlock." Once these instructions have been followed, the parents' interface appears:
Within this module, parents can personalize their child's gameplay or shop for in-app purchases, but only after passing through the parental gate.
Another solution is to require parents to perform a simple mathematical equation before proceeding into the adult section, as is demonstrated here in the Puzzingo game app:
By implementing zero-data environments and parental gating, online gaming apps can safely provide entertainment for children while simultaneously serving advertising and in-app purchases to parents.
This may be the simplest solution for games that do not require individual user accounts or personal information for game play.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.