The ways in which children's privacy is treated in games and apps are being more heavily scrutinized. This article discusses recent developments in that area.
Facebook just settled the Federal Trade Commission’s (“FTC”) eight separate privacy-related allegations against it for $5 billion. Equifax just settled the FTC’s claims against it arising from Equifax’s September 2017 data breach for $425 million.
On May 25, 2018, the GDPR, a law relating to privacy in the European Union, went into effect. In January 2020, California’s own privacy law will go into effect. Federal privacy legislation has been proposed in the Senate, and various states are also looking at passing their own state privacy laws.
It should come as no surprise that, with this dynamic, there is growing scrutiny on the ways in which the personal information of children is handled in their digital lives. Anyone making games or other apps geared toward children should assume that the trend in the law will be to afford children’s data more protection, not less, than you might see in the marketplace right now.
The California Constitution and Common Law Are a Source of Protection for Children’s Privacy and Interpretation of These Sources Is Evolving with a Growing Expectation for Privacy
In a series of class actions, the Northern District of California was asked to determine whether the California Constitution and California’s common law could serve as the source for claims related to the alleged misuse of data derived from gaming apps for kids. Those class actions all alleged “that the apps were used to track online behavior on a device and user-specific level, and that defendants exploited the data, without disclosure or consent, for profit. In effect, the complaints allege that the apps were covert collectors of behavioral data for delivery of targeted advertising to users, namely the kids who played the games.” Each of the class actions asserted claims under the California Constitution and for intrusion upon seclusion under California law.
The complaints for each class action alleged similar facts pertaining to those two causes of action. Generally, they alleged that a parent or child downloads and installs a gaming app onto a cell phone or other mobile device for play. When the app is launched, it connects immediately to a server hosted by the developer and begins sending data even before the user plays the game. The data sharing is invisible to the user. As the user plays the game, the embedded SDK code communicates with the SDK defendant’s individual server. The SDK code sends requests or “calls” for an ad to the server, and the user’s personal data is sent with each call. As a result of the call, the user “may receive a single ad, but nonetheless multiple SDKs have exfiltrated to their servers the user’s Personal Data.” The “Personal Data” could include name, gender, birthdate, geolocation information, search queries, mobile device identifier, mobile phone number, alternative email addresses, contacts, contact information, nicknames and aliases, physical address, IP address, other persistent identifiers, or other information the child might share with the app (such as photos, videos, or other audio files, all of which might include the child’s face and voice).
The court found that the plaintiffs had adequately alleged both of the California privacy claims. The analysis was influenced by the Court’s observation that “[c]urrent privacy expectations are developing, to say the least, with respect to a key issue in these cases – whether the data subject owns and controls his or her personal information, and whether a commercial entity that secretly harvests it commits a highly offensive or egregious act.”
Privacy expectations can be influenced by many factors in society. One is certainly existing or proposed laws.
The Children’s Online Privacy Protection Act (“COPPA”) Is Another Source of Legal Protection for Children’s Privacy and is Undergoing Review by the FTC
On July 17, 2019, the FTC announced that “[i]n light of rapid changes in technology” it was seeking comment on the effectiveness of the COPPA Rule. The COPPA Rule first went into effect in 2000 to implement COPPA. The Rule requires certain websites and other online services that collect personal information from children under the age of 13 to provide notice to parents and obtain verifiable parental consent before collecting, using, or disclosing personal information from those children.
Some of the questions posed by the FTC about the COPPA Rule as they pertain to games and apps include:
Does the Rule overlap or conflict with any other federal, state, or local government laws or regulations?
Has the Rule affected practices relating to the collection and disclosure of information relating to children online? If so, how?
Has the Rule affected children’s ability to access information of their choice online? If so, how?
Has the Rule affected the availability of websites or online services directed to children? If so, how?
Has the 2013 addition, found in part (3) of the definition of “Web site or online service directed to children,” which permits those sites that do not target children as their primary audience to age screen users, resulted in stronger protections for children’s privacy? Should the Rule be more specific about the appropriate methods for determining the age of users?
What are the implications for COPPA enforcement raised by technologies such as interactive television, interactive gaming, chatbots, or other similar interactive media?
The FTC will receive comments on the COPPA Rule on or before October 23, 2019. Instructions on how to submit comments are included in the Federal Register notice, but a lawyer can also help you submit any comments.
Takeaways for Those Developing Games and Apps for Children
The ways in which games and apps geared towards children monetize may need to change in order to meet growing expectations around privacy for children. Thinking about alternative, more protective, approaches may be a prudent exercise.
You can have a voice in developing the laws as applied to children, at least in one instance, by sending the FTC your comments (or working with your lawyer to do so).
Companies that take an aggressive stance on protecting children’s privacy may avoid disastrous consequences that those who take a “wait and see” approach may face.