Just don’t ask Russell-Pinson which parts of his games his customers — who are four years old and up — like best. The Charlotte, N.C. entrepreneur doesn’t know.
Russell-Pinson has chosen not to collect the analytics — data about how his users interact with the app — because he does not want to accidentally violate the Children’s Online Privacy Protection Act.
COPPA limits what information an online operator may collect from children without parental consent. The law also restricts marketing to children under 13.
As analytics become more important for improving and refining games, the COPPA rules have left open a question about what anonymous user data a developer can collect from children playing the games.
“I’m a little hesitant to innovate because of COPPA,” Russell-Pinson said. “At this point I don’t know what I can and cannot do, and if in doubt you do less.”
For example, at one point Russell-Pinson had considered expanding his apps and allowing kids to play with each other over the Internet. To facilitate the technical requirements of social gaming, “there would have to be some type of sharing — like a screen name or location in order to match up two players,” Russell-Pinson said. “But I’m afraid to do that because I’m uncertain [of potential COPPA violations].”
Russell-Pinson’s hesitancy is not uncommon. Many small business owners lack the resources to hire legal talent that could guide them through the intricacies of COPPA, which could become more complex in the months to come.
COPPA regulations make clear that certain protected data — “personally identifiable” information, like a child’s full name, social security number, and address—is off-limits to operators without parental consent.
Until recently, developers have assumed they could make more use of “persistent identifiers” — numerical code from the device, for example, had been fair game, as long as they weren’t paired with personally identifiable information. This meant that developers could collect usage data tied to persistent identifiers, even if children happened to use the device.
However, in August of this year, the Federal Trade Commission proposed that even persistent identifiers, irrespective of whether they are tied to personal information, will require parental consent for children under 13. The revision is open for comment until September 24, and the FTC aims for the rule to be enacted by the end of the fall, according to FTC senior staff attorney Phyllis Marcus.
The FTC has made an exception for “internal use”, which would allow an operator to pull data tied to persistent identifiers, only if the data is used to improve the app. Data about a user’s progress in an educational app, for example, could only be used to make the app a more effective teaching tool — but could not specifically be passed on to an advertiser.
This could present a problem to app makers who wish to use the information for advertising and monetization purposes.
Though internal use is allowed, some developers might be reluctant to collect analytics “because analytics companies don’t want to get into the mix here — they’re too worried about knowing what kinds of Web sites or online services [data] is being used on,” Marcus said.
However, she emphasized that the FTC would “love to see people stay in this game.”