What you need to pay attention to when launching a game for children, — says in his column for App2Top.ru Marat Mukhametzyanov, lawyer at VERSUS.legal.
Marat Mukhametzyanov, lawyer VERSUS.legal
At first glance, it seems that games for children have fewer legal risks than “adult” projects. Such games have quite harmless content and, for example, it will be difficult to get into a rating scandal. In many cases, this is indeed the case. But children’s games have their own peculiarities, and in different jurisdictions additional requirements are imposed on them.
Special laws governing the collection of children’s personal data
The protection of children’s personal data is a trend that is as significant as the protection of children from “sensitive” content. Many jurisdictions that pay attention to the protection of personal data have included requirements for the protection of children’s personal data in their legislation.
Such regulation exists in the General Data Protection Regulation of the European Union (GDPR). In the USA, in addition to the general state laws on the protection of personal data, there is a special Law on the protection of Children’s Online Privacy Protection Act (COPPA) at the federal level.
Both of these acts can also be applied outside the EU and the USA – if personal data of EU and US citizens are collected, respectively. And this is not a formal instruction, but a fully valid rule. There are cases of developers and publishers operating outside these countries being held accountable for the illegal processing of children’s personal data..
Example:
The US Federal Trade Commission (FTC) has filed a lawsuit against HyperBeard inc. This is a Mexican developer of applications popular with children. The regulator demanded a large fine for violating COPPA and deleting personal information illegally obtained from children under 13. The developer committed a violation by allowing third-party advertising networks to collect personal information about children without notifying parents or obtaining verified parental consent to use information about their children. In June 2020, HyperBeard Inc. recognized the claims and entered into a settlement agreement with the FTC, which still provided for the payment of a fine of $ 150,000.
How is it lawful to process children’s personal data?
GDPR and COPPA provide for a number of requirements for the lawful processing of children’s personal data.
It is important to understand that GDPR and COPPA assume a broad definition of children’s content. The predominance of “children’s” themes in the game (for example, images of fairy-tale characters, simple mechanics, educational elements) makes it possible to define it within the GDPR and COPPA as children’s.
Therefore, the rules for processing children’s personal data may apply to you, even if you do not position your game as a children’s game.
GDPR
Consent to processing
GDPR provides that only their parents or other legal representatives can give consent to data processing for children under 16 years of age. The regulation allows states that are members of the EU to set their own age limit, before which a child cannot independently give consent. This limit cannot be lower than 13 years. And exactly up to 13 years, this indicator, for example, was reduced by Belgium, Denmark and Finland.
At the same time, GDPR requires the personal data operator to take “reasonable measures, taking into account the available state of the art” to confirm that it was the parent or legal representative of the child who gave consent to the processing of personal data.
GDPR does not disclose the concept of such reasonable measures, but, for example, the Information Security Commissioner of the United Kingdom interprets it this way – a series of closed questions can be used to confirm consent, which together can confirm that the consent is given by a legal representative. In your application, you can also use third-party services that allow you to identify a legal representative. For example, by verifying the details of a credit card opened in his or her name.
Processing principles and recommendations
GDPR establishes that children’s personal data enjoy special protection, since children may not fully understand the consequences of their processing.
Such special protection should be applied if children’s personal data is used for marketing purposes or for profiling. For the developer of a children’s game, this primarily promises problems with targeted advertising in the application.
Targeted advertising is not explicitly prohibited by GDPR. But in order to collect and analyze the data on the basis of which it is sent to users, consent to processing must also be obtained.
To comply with this requirement, you need to describe the process of collecting information used for targeted advertising and a list of such information in your privacy policy. It is also necessary that the child or his legal representative can familiarize themselves with the privacy policy at the very beginning of using the application.
As a rule, developers use third-party SDKs for targeted advertising, which direct advertising to the process. In the privacy policy, we recommend listing SDK developers and providing links to their privacy policies.
Many monetization services, such as Unity Ads, in their SDKs allow the developer to mark the content of the game as children’s. Then the SDK does not collect personal information to direct targeted advertising, but shows contextual advertising, that is, not based on the preferences of a particular user.
To demonstrate compliance with GDPR, it is better to use this function and write about it in the privacy policy.
COPPA
Consent to processing
Like GDPR, COPPA establishes that the consent of a legal representative is required for the processing of personal data of a child under the age of 13. However, the requirements for the form of such consent are much stricter. §312.5 COPPA establishes a list of ways in which consent can be obtained:
- sending a consent form, which must be signed by the parent and returned to the operator by mail, fax or electronic scan;
- using a credit card or other online payment system that provides notification of each individual transaction to the main account holder;
- parents’ call to the operator to confirm consent;
- video conference with parents and operator;
- checking the parent’s identity card against databases;
- sending an e-mail to the parent with a request in a reply letter to consent to processing (available only in cases where the data is not transferred to third parties).
COPPA allows the use of other methods, but describes them extremely vaguely. Therefore, it remains for developers to focus on the approximate list proposed by COPPA.
To date, the FTC has approved two methods of confirming parental consent proposed by Imperium and Riyo.
Imperium’s solution is an authentication system based on personalized questions, the answers to which the child cannot guess. But it is difficult to implement it in practice. For personalized questions, it is necessary to receive prior information from the parent, on the basis of which questions will be asked.
The Riyo version is a verification of the photos of the parent’s identity card and his photo taken on the device’s camera.
Simpler ways
The methods of obtaining parental consent provided for by COPPA are not easy to implement from a technical and commercial point of view – such complex procedures can alienate users and reduce sales. And the profit from the sales of the game will not cover the costs of introducing complex verification systems.
Is everything really lost and we will have to cancel the release of the game on the American market?
In our opinion, simpler ways of complying with COPPA requirements can be used. But it should be borne in mind that only the methods provided for by COPPA or approved by the FTC can fully guarantee the absence of a violation.
The FTC makes a distinction between children’s content and content with a mixed audience for the purposes of applying COPPA. You can change the graphic design for the American market to a less “childish” one and put a higher age rating in the store where the game is distributed. This will increase the chances that the game’s audience will be recognized as “mixed”. Then you will be able to fulfill the requirements of COPPA with the help of age confirmation dialog boxes, as well as mathematical or logical problems that a child under the age of 13 will not be able to solve.
Some companies whose services are directly aimed at a children’s audience also use simpler verification mechanisms without any additional measures. For example, Danish LEGO uses a dialog box with an uncomplicated request to bring a parent. It is replaced by a field for entering the email address to which the activation code is sent. Such a method could be suitable for GDPR compliance, but it is not enough for COPPA compliance.
Example of a page for verifying parental consent by LEGO
Processing principles
The principles of processing personal data under COPPA are generally similar to those described above for GDPR. It is necessary to describe the list of personal data received and the purposes of their processing, the list of persons to whom personal data may be transferred.
In the case of COPPA, we also recommend marking the content as children’s in the SDK of your monetization partners, as well as describing the categories of data and the purposes of their processing in the privacy policy. By the way, it is better to write it in simple and understandable language.
In addition, children and their legal representatives should have the right to access their personal data and request their deletion.
What age rating systems should be considered?
In various jurisdictions, there are special requirements for content accessible to children. The most common rating systems are ESRB (USA and Canada) and PEGI (European Union). Many national and regional rating systems are similar to ESRB and PEGI, but may differ significantly from them both in categories and in the procedure for assigning a rating.
Russia has its own rating system based on the provisions of Federal Law No. 436-FZ of December 29, 2010 “On the Protection of children from information harmful to their health and development“. It received the informal name RARS (Russian Age Rating System).
You should pay attention to the fact that if your game is assigned a certain age rating, then all related content should correspond to it. For example, an advertisement or a game website. If you use targeted or contextual advertising in the app itself, it must also correspond to the age rating of the game.
It should also be borne in mind that some online platforms for the sale of games have their own rating systems, such as the Apple App Store and Google Play.
Other restrictions for children’s games
Personal data and age restrictions for content are not the only features that need to be paid attention to. There are other restrictions.
For example, in November 2019, China introduced restrictions on the time that minors can spend playing online games. On weekdays, you can only play for an hour and a half a day, and on weekends – three. Special software included in the games, firstly, requires registration with verification of the real name to confirm the age; secondly, it tracks the time spent playing. The new rules establish the obligations of developers and publishers to comply with restrictions and take measures to implement them in their games. For violation of these obligations, the state authorities issue orders against developers and publishers to bring games into compliance with the law. And for non-fulfillment, the license for the implementation of the game may be revoked.
A similar law, called the “Cinderella Law“, was adopted in 2011 in South Korea. According to this law, access to online games from 00:00 to 06:00 is restricted for children under the age of 16. To comply with this law, developers and owners of online platforms also needed to include verification tools in their applications.
States often tighten control over the children’s games market, so it’s worth following the news of legislation and not missing the rule change. For example, the Ministry of Health of Russia has recently developed amendments to the federal law “On Basic guarantees of children’s rights in the Russian Federation“, which, if adopted, will allow for the examination of children’s games and prohibit their distribution if, according to experts, they can damage the psyche of children.