COPPA: CHILDREN'S PRIVACY, YOUR GAME, AND THE CHANGING ONLINE LANDSCAPE MONA IBRAHIM SENIOR ASSOCIATE INTERACTIVE ENTERTAINMENT LAW GROUP

WHAT IS COPPA? Children Online Privacy Protection Act of 1998 Effective since the year 2000 Enforced by the Federal Trade Commission (FTC) Designed with consumer protection in mind Grants parents control over the information collected from children online

WHAT COPPA IS NOT Not a censorship measure– does not regulate website content or limit the information that can be collected through a website or online service; Not grounds for a private cause of action– only the federal government can enforce COPPA; Not designed to capture online predators, nor is it a crime fighting tool Not international law

ELEMENTS OF COPPA: WHO MUST COMPLY You must comply with COPPA notification and data protection/disposal regulations if: You run a website or online service that: Collects “personal information”, allows other third parties (apps and plug ins) to collect personal information, or you are the third party; Is directed towards children under the age of 13; or Is directed towards a general audience, but you have actual knowledge that you collect information from the under 13 demographic

ELEMENTS OF COPPA: WHAT IS AN ONLINE SERVICE? Websites and online services include mobile apps and game platforms with online components; Plug-ins Ad networks

ELEMENTS OF COPPA: DIRECTED TO A YOUNGER AUDIENCE No hard and fast guidelines to determine whether a game or website is “directed to children under the age of 13”; Factors taken into consideration include Use of animation/cartoons Nature of the content Child-oriented activities Age of models Presence of child celebrities or characters/celebrities that appeal to kids

ELEMENTS OF COPPA: PERSONAL INFORMATION If you collect any of the following end user information you may need to comply with COPPA: Full name Home or other physical address, phone number, social security number Screen name or user name that enables direct contact with the user (via VOIP, , IM, direct message) Photos, videos, or audio files containing a child’s image or voice Geolocation information Persistent identifiers– cookies, IP addresses, processor or device number or identifier

ELEMENTS OF COPPA: “COLLECTION” != STORAGE “request”, “prompt” or “encourage” the submission of information– submission need not be mandatory (e.g., “sharing” functions) Passive online tracking Enables information to become public, unless measures are taken to remove personally identifying information before content is published

DEVELOPER CHECKLIST: DO I FALL UNDER COPPA REGULATION? Ask yourself this: Are your games directed towards a younger audience? Do you collect user information through your website or ask users to create a username/account/profile? Are other service providers, such as ad networks, web hosts, plug in or add on providers, able to collect information through your website/game? If your game is designed for an older/general audience, do you ask age oriented questions– date of birth, highest level of education achieved, etc.

FAILURE TO COMPLY: PENALTIES FTC enforcement actions; Parents, competitors, etc. can submit complaint to FTC for investigation; Can be enforced by both states and other federal agencies; Penalty fees: up to $16,000 per violation; COPPA can apply to foreign entities if you distribute your game to US audiences

DEVELOPER’S CHECKLIST: IF COPPA APPLIES Check your documentation! EULA TOS/Privacy Policy (website, forums) NDAs Employee handbook Confidentiality policies Non-competes Vendor agreements

COPPA COP-OUT: ESRB SAFE HARBOR FTC has granted “safe harbor” status to ESRB privacy certified sites and products; Sites and service providers protected by a safe harbor are subject to far less scrutiny; For more information:

WHAT DOES COPPA COMPLIANCE LOOK LIKE? Your privacy policy should include: List of all third parties and operators that may collect information through your site/game; Description of the personal information collected and how it’s used; Description of parental rights Your privacy policy should NOT include: Promotional materials and unrelated information; Contradictory or confusing language; “legalese”

PARENTAL RIGHTS If you fall under COPPA regulation you MUST tell parents the following: You won’t require children to provide any information that is not strictly necessary; They can review the information collected and ask you to delete it, or refuse to permit further collection; They can permit use for the designated purpose, but may prohibit you from sharing that information with third parties; Procedures to follow to exercise rights

PARENTAL RIGHTS: PROCEDURES Notification should happen BEFORE information is collected; Notification must be DIRECT– via is standard. You can’t just send them a link to the privacy policy; Make sure you’re actually communicating with a parent or guardian What the notice to parents includes depends on why you’re contacting them. COPPA covers four contingencies: You’re collecting a child’s information; You’re voluntarily contacting parents concerning child’s online activities that do not involve information collection; You’re contacting the child through child’s online contact information, but you are not otherwise collecting information; and You’re collecting the child’s information for the child’s own safety and is not used for any other purpose

PARENTAL RIGHTS: NOTICE Notice should include (generally): Statement that parent’s contact information has been collected from the child and why; Statement that parental consent is required before you will collect child’s information; Identify the personal information that will be collected from child if parent consents; Link to your privacy policy State the means of verifiable consent permitted; If consent isn’t given in a reasonable amount of time, parent contact information will be deleted

PARENTAL RIGHTS: VERIFIABLE CONSENT Acceptable methods: sign a consent form and send it back to you via fax, mail, or electronic scan; use a credit card, debit card, or other online payment system that provides notification of each separate transaction to the account holder; call a toll-free number staffed by trained personnel; connect to trained personnel via a video conference; or provide a copy of a form of government issued ID that you check against a database, as long as you delete the identification from your records when you finish the verification process.

PARENTAL RIGHTS: PLUS Sometimes game developers only collect personal information for internal purposes– bug fixes, customer support, etc. If this is the case you have more flexibility re: compliance and verifiable consent. plus: Request consent via , if consent is granted to must follow up with a call, letter or at a later time. In all cases parents must be given the option to: Change/delete personal information; Revoke consent

AGE SCREENING Rated “E” for Everyone a good example of when age screening may be relevant; If your game or website qualifies as “directed to children” you cannot use age screening to bar children under 13 from playing the game/using the site; Age screening must take place before any other personally identifiable information is collected.

THIRD PARTIES: ADS AND PLUG INS If implementing ads, third party apps, or plug ins in your game/site: You must know what information they will collect; If they collect personal information you must disclose this activity in YOUR privacy policy You must provide a list of third party operators collecting personal information; You may have a single entity/individual handle inquiries on behalf of all operators

THE 2013 AMENDMENT What changed? Expansion of “personal information”: Screen names, user names, or account creation that enables direct messaging to the child; Photographs, video, audio; Geolocation; “identifiers” such as cookies, mobile device IDs, IP addresses. Clarifies role of “age-screening” Increases methods for obtaining verifiable consent Increases number of exceptions from parental consent requirements Holds websites and service providers responsible for third party collection and sharing activities Regulates data storage and deletion

INFORMATION COLLECTION BEST PRACTICES Only collect information you actually need; Frequently review third party operator collection activities– due diligence here is a must; Make sure third parties have the ability (and warrant that ability) to keep information confidential and secure; Only keep information for as long as you need it; Securely dispose of information once you’re able to get rid of it; Make sure your employees and contractors are aware of their obligations under COPPA

QUESTIONS? Skype: MonaAIbrahim