With 20 years in the field protecting children’s privacy and safety online, PRIVO’s CPO Claire Quinn will be the first to tell you that NOW is the time to think about privacy and security for young users or playtesters. It doesn’t matter if you’re a new startup or a major brand in the children’s digital space; there are just too many regulatory changes on the horizon to risk not thinking about privacy, security, and safety– particularly if your company serves youth populations under 13 years in the US, or under 16 in the EU.

And while the task of adopting additional privacy and security requirements late in the game can seem daunting (lucky for you if you designed privacy into your build from the get-go), don’t panic yet! We recently sat down with Quinn in a 30 minute webinar to help educate new and existing game studios about current trends in child privacy protections, and the steps we can all take to better comply with these legal standards. In short, if you’ve heard about the GDPR and COPPA, but don’t really know how those apply to your business, then you might be interested in hearing Quinn’s latest advice from the industry’s frontlines.

What is COPPA and GDPR?

When taken together, the Children’s Online Privacy Protection Act (COPPA), the General Data Protection Regulation (GDPR) and the Children's Code occupy 2021’s gold standard for digital security among children audiences, affirmed Quinn. Together, they ensure that when compliant businesses test their digital products with children, that they are doing so safely.

Surprisingly, the COPPA standard has, unlike the GDPR, been around for over 20 years and, while centered on protecting the privacy of children online, focuses more on parental consent. With COPPA, if a US company tests on children younger than 13, they must be in compliance with these legal requirements regardless of user location – a fact Quinn says often catches bigger companies off-guard. COPPA regulations are also enforced by both states’ attorney general offices as well as by the Federal Trade Commission (FTC), with compliance suits becoming more prevalent in places like New York and New Mexico.

How Does COPPA Function?

Where the GDPR gives children and parents rights, COPPA supports parents by putting them in control of their child’s data.

Under COPPA, parental consent is required to collect and use a child’s personal information. There is a sliding scale of consent depending on what data you collect and how you intend to use it. Audience is also key. For example, if the majority of your users are 12 or under then you have what is called a Primary Child-Directed Audience. If you serve a significant number of older users as well (even teens), then your service may fall into a mixed audience definition.

Quinn is quick to point out that based on your audience type and type of data collected, you will require different levels of permission from parents or guardians. For example, if you require simply an email, you’ll need lower-tier permissions, while video recordings and location information would require additional ‘levels’ of parental consent. For added guidance, here are direct links to the COPPA and GDPR Child Code guidelines:

CHILDREN'S CODE

COPPA FAQ

What Happens if I Don’t Comply?

Non-compliance with any child-protection regulations will result in severe repercussions for businesses, users, and any investors involved. In fact during our interview, Quinn held up a stack of pages to showcase a summary of COPPA violations, each adding up to millions of dollars in fines. Anyone with child users, she says, must comply. “If you don’t, there are serious consequences, so people need to be keenly aware of the rules and their obligations”.

3 Steps to Improve Privacy & Security Compliance with Child Users

The biggest question many businesses are asking these days is how do I comply with COPPA and GDPR?

According to Quinn, there’s a prevalent rumor that user compliance for child subjects (particularly during mobile game testing) is difficult, or is a ‘blocker’. With little regulatory governance, companies have in the past simply stated that their product is not meant for kids 12 and under – yet Quinn sees this as problematic as well, and advises that in today’s world, such acts are not some kind of ‘get out of jail free card’.

Instead, Quinn says these same people should alter their thinking to see such regulations as enablers. The idea is, if you comply with these regulations, there is actually so much positive and insightful research that can be conducted with kids! Such compliance opens up opportunities to truly engage with the unique audience your competitors aren’t (or won’t). Then, you can monetize it, and build an incredible amount of lifetime value into your product.

Certainly, the end result is worth the efforts you take to keep your child users safe online.

So, how do companies practically implement COPPA AND GDPR regulations without becoming overwhelmed?

Here are three simple ways to improve your compliance as you pursue data collection and product research with young audiences across the globe:

1. Audience Mapping

Before you go seeking out those rules and regulations, stop! The first step to compliance isn’t to be hyper-vigilant about the rules. In fact, Quinn says that a company’s ability to follow the rules will be greatly impeded if they attempt to do so without first mapping out their audience. Here, concerned parties should ask: which category does my audience fall under? Do I serve a primary child-directed or mixed audience type? In doing so, you will be well on your way to discovering which provisions and regulations actually apply to you and your business.

2. Data Mapping

Once you have a good sense of who your audience is, you can then fully realize and “map” the data you are collecting, or that you plan to collect. “You’d be surprised how many big brands, let alone smaller developers and startups have no clue what data they're collecting from their users,” says Quinn.

To be sure, you can’t understand how to treat your data compliantly without first knowing what data you collect, or why you’re collecting it. That means understanding the data you collect actively AND passively, such as via SDKs and other in-app implementations. There are also numerous resources out there on data-mapping to help companies like yours complete a data impact/privacy assessment. Such documents and processes will ultimately help you determine, say, what to put in your privacy policy or in-game notices.

3. Compliance Stage

By the time you’ve mapped your audience and data, you will be in the best position to implement compliance from the ground-up. Quinn likes the often-used concept of privacy by design. In this sense, businesses, startups and independent app-owners can think intentionally about how they may integrate privacy by default, while complying with all regulations attributable to their digital product. Quinn further breaks down this stage into three potential paths forward to full compliance – though one or more of the following options may apply per individual case.

  1. Get Legal Counsel. Many legal teams these days offer cost-effective guidance and support regardless of your company size. Legal audits can then be a great first step to not only understand compliance, but to implement it as well. Note that many legal teams provide low-fee options for smaller businesses or startups.
  2. Work with a Safe Harbor Organization (PlaytestCloud is certified under PRIVO’s COPPA safe harbor program). Safe Harbor Organizations are a direct line to COPPA certification, which indicates without question that your business is in compliance with the standards and regulations set out there. These organizations work with you to ensure no risk of company or user exposure.
  3. Address Compliance Independently. Armed with audience and data maps, it’s time to follow the linked COPPA and GDPR regulations to the number, making internal changes and altering systems to approach compliance as soon as possible. As Quinn asserts, there is no better time to build privacy compliance by design than when you hit the drawing board.

No matter what path you take, it is critical that you do much more than simply be aware of the privacy and security rules and regulations related to the data your company collects. As a result, you should test privacy by design often with your users, focus on getting those privacy settings high by default, and have adequate reporting mechanisms built in at every permission level.

What else can you do?

Well, for starters you may want to ensure all privacy and security notices are clear and accessible to the age group you’re testing. The GDPR has clear guidelines on the use of icons or colors to make such notices age-appropriate. You may also want to include a simple way for young users to contact you with concerns, without having to divulge a ton of personal information as well. These types of focuses will help you answer the tough questions, such as how you would approach privacy for data collection with an 8 year old vs. a pre-teen.

Concerned businesses and startup game studios should also consider a review of their in-game or in-app content to ensure all content is similarly ‘privacy preserving’, as Quinn puts it. Basically, keeping content appropriate for the age group and making it clear and understandable will have similar positive effects where security and privacy compliance are concerned. In short: give your users clear, accessible guidance on how you will be collecting and using their data and you shouldn’t run into too many problems.

What Should I Do if I Collect Restricted Information from a Child User?

On Quinn’s guidance companies who accidentally find themselves with a data point that falls under ‘restricted information’ - or, data with special guidelines and regulations around collection - should immediately delete that source of data if they do not have consent to collect and process it or a valid lawful basis. Naturally, this process requires several steps to achieve:

  1. Understand what restricted data is, and what special categories of data exist for your audience type.
  2. Go to the ICO website and download a DPIA form. This assessment will help you determine what information you should and shouldn’t be collecting.
  3. Determine whether you have a special interest reason to be collecting any restricted information types about/from your subjects.
  4. Look-up proper deletion processes to securely dispose of problematic data.
  5. If there is no valid consent , or legal basis to collect such information, delete that information from your servers. Make sure you haven’t stored it elsewhere or shared it.
  • (recommended) Log the deletion in a follow-up action sheet or book for your records.

In any case, as a game studio working with PlaytestCloud we will walk you through this process, so you will not need to worry. Just alert us of the issue by reporting the video directly in the video player and we will delete the video off of our servers and replace it with a replacement video free of charge.

The Future of Security and Privacy for Children Online

In an ever-evolving landscape of privacy, safety, and security regulations, businesses at any stage of their journey need to start thinking about the future impacts of tightening privacy restrictions across the globe.

Not only have we seen continued improvements to child privacy protections online in the GDPR and COPPA, but many countries in southeast Asia are now implementing their own regulatory, digital security frameworks. In the United States are building up further protections for teen audiences between 13 and 18, and even app stores are making changes to prevent the online tracking of children and youth.

Altogether, these shifts will change the way we test games with children and youth audiences– though Quinn believes more protections will benefit everyone on the playing field. Just remember, she says, to start observing the data you’re collecting, building privacy into your systems by design, and understanding what’s being tracked while providing the ability to opt out.