When does COPPA apply to my website, app or game?
If you operate a website, game or app you should consider whether the U.S. Children’s Online Privacy Protection Act (COPPA) applies to your data collection practices. Even if you complied with COPPA in the past, it is surprisingly easy to violate in the future when the development team adds new features without running them by legal counsel.
COPPA applies to your website, game or app in any of these four scenarios:
1. if directed to children under 13 and you collect personal information from them;
2. if directed to children under 13 and you let others collect personal information from them;
3. if you have a general audience, but actually know that you collect personal information from children under 13; or
4. if you operate a plug-in or other third party service, and have actual knowledge that you collect personal information from websites, games or apps directed to children under 13.
What is personal information? Personal information is information that can identify a user, such as their full name, email address (or other persistent online identifier), image, voice or geolocation data.
How do you know if your website, game or app is directed at children under 13? A number of factors are considered, such as subject matter, content, whether animated characters are used, child-oriented activities or incentives, ads directed at children or any other evidence regarding the age of the actual or intended user base.
Can I use an age screen? Maybe (my apologies for the typical lawyer answer). Age screens are permitted if the service does not target children as its primary audience. The determination of primary audience is (once again) a factor-oriented analysis.
Penalty? Penalties depend on a number of factors, but each violation can cost up to $16,000.
COPPA will not always apply to your website, app or game but you should consult legal counsel to determine whether COPPA applies. Additionally, before adding any new features that collect personal information, consult with legal counsel once again to ensure that these new features don’t implicate COPPA.
Privacy by Design: How to Incorporate a Privacy Policy into the Development Process
Startups and video game companies often ask me to draft a privacy policy AFTER development is complete. Unfortunately, developers often fail to track their software’s information collection features and 3rd party plugins used for data collection during development. As a result, privacy policy drafting may require development backtracking to determine these collection practices.
I recommend that developers consider privacy as part of the development process. This simplifies the process of drafting a Privacy Policy, documents all information collection features in your software to assist with future development and may lower legal fees!
During development, consider the following:
1. Collect the minimum. Only collect the minimum amount of information your company needs as this simplifies the privacy policy and is appreciated by users.
2. What are you collecting? Create a list of all information that your software collects and make sure this list is shared between development teams and is kept up to date. If possible, separate this information into “Personal”, such as first and last names, geolocation data or email addresses, and “Anonymous”, such as number of clicks or how long a user stayed on a page.
3. What are you using this information for? Opposite each piece of information you collect, note what you are using this information for. For example, in a restaurant app, beside geolocation data: “determines user location to list nearby businesses that are similar to type requested by user”. If you can’t find a use for information, consider not collecting that information.
4. Are you disclosing this information outside the company? Opposite each piece of information you collect, note if you disclose that information to 3rd parties outside of your company and how those companies are using this information.
5. 3rd party plugins? Keep track of 3rd party plugins/APIs incorporated into your software and, if possible, determine the collection practices of these 3rd party plugins/APIs as this information is also incorporated into the privacy policy.
Considering privacy as part of the development process will impose an organizational structure on your information collection practices to assist with future development and greatly assist your lawyer when preparing your privacy policy.