COPPA & Legal Compliance
The Children's Online Privacy Protection Act (COPPA) is the foundational federal law governing data collection from children under 13 in the United States. For an F2P VR game explicitly targeting kids 8-13, COPPA compliance is non-negotiable. Violations carry massive fines and can shut down a product entirely. This page covers every requirement, data handling rule, and enforcement precedent you need to know.
COPPA Requirements Checklist
Core Compliance Requirements
- Privacy Policy: Post a clear, comprehensive, and easily accessible privacy policy on your website AND within the app. Must detail what information is collected, how it's used, and disclosure practices. Written in plain language a parent can understand.
- Direct Notice to Parents: Before collecting ANY personal information, provide direct notice to a parent/guardian describing exactly what data you plan to collect and why. This is separate from the general privacy policy.
- Verifiable Parental Consent (VPC): Obtain verifiable consent from a parent BEFORE collecting, using, or disclosing personal information from children. The consent method must be reasonably calculated to ensure the person providing consent is actually the parent.
- Data Minimization: Only collect personal information that is reasonably necessary for the child to participate in the activity. Do not condition participation on disclosing more information than necessary.
- Data Security: Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of children's personal information.
- Data Retention Limits: Retain personal information only as long as reasonably necessary to fulfill the purpose for which it was collected. Delete information once it's no longer needed.
- Parental Access: Give parents the ability to review their child's personal information, request deletion, and refuse further collection.
- Third-Party Restrictions: Do not disclose children's personal information to third parties unless it's integral to the service, and even then, ensure the third party maintains adequate protections.
Data Collection Rules
This table covers common data types in a kids VR game and how COPPA applies to each. When in doubt, don't collect it.
| Data Type | Can Collect? | Consent Required? | How to Handle |
|---|---|---|---|
| Display Name / Username | Yes | No (if not combined with other PII) | Use system-generated or random usernames by default. If allowing custom names, filter for personal information (real names, phone numbers, addresses). A username alone is not PII under COPPA unless it contains identifiable information. |
| Age / Date of Birth | Yes (age only) | No (for age-gating purposes) | Collect age or age range (not exact date of birth) solely for age-gating. Do not store date of birth persistently. Use neutral age gates — don't coach kids to lie by showing the "correct" birthdate threshold. |
| Gameplay / Play Data | Yes | No (if not linkable to identity) | Session duration, levels completed, items earned — these are operational data, not PII, as long as they cannot be linked to an identifiable individual. Use anonymized device-level analytics. Avoid persistent identifiers tied to a child's identity. |
| Chat Logs / Messages | Conditional | Yes (VPC required) | Free-text chat is personal information because children may disclose PII in messages. Options: (1) Use pre-built quick-chat only (no PII risk, no consent needed), (2) Enable filtered text chat with VPC. Retain chat logs only for moderation purposes and delete within 90 days. |
| Friends List | Conditional | Yes (VPC required for social features) | A friends list constitutes personal information as it reveals social connections. Require VPC before enabling social features. Meta's supervised accounts may satisfy this requirement — verify with legal counsel. |
| Purchase History | Yes | No (operational necessity) | Purchase records are necessary to deliver purchased items and process refunds. Minimize data — store transaction IDs and items, not payment details (those are handled by Meta's payment system). Parental access to purchase history is required. |
| Device Identifiers | Conditional | Yes (if used for tracking/profiling) | Persistent device identifiers (IDFA, Android ID, Quest device ID) are considered personal information under COPPA when used to track activity across apps/services. Use them only for internal operations (fraud prevention, frequency capping). Never share with ad networks for targeting. |
| Location Data | Avoid | Yes (VPC required) | Do not collect precise location data. If needed for regional content (language, event timing), use IP-based country/region lookup only and do not store the IP address persistently. Never collect GPS coordinates from children. |
Verifiable Parental Consent (VPC) Methods
The FTC requires that consent mechanisms be "reasonably calculated" to ensure the consenting person is actually a parent. Here are the FTC-approved methods, ranked by practicality for a VR game.
Recommended Methods for Eggscape
- Credit/Debit Card Charge (Best option): Charge a small amount ($0.50-$1.00) to the parent's card, which is refunded or credited to in-game currency. This is the most widely used and accepted method. Meta's payment system can facilitate this. Conversion rate: ~60% of parents complete the flow.
- Government ID Verification: Parent uploads a photo of their driver's license or passport. AI verification confirms it matches. More secure but lower conversion rate (~35%) due to friction and privacy concerns. Best as a secondary option.
- Signed Consent Form: Parent prints, signs, and uploads/mails a consent form. Extremely low conversion (~10%). Not recommended as primary method but must be offered as a fallback for parents without credit cards.
- Knowledge-Based Authentication: Parent answers questions pulled from public records databases (e.g., "Which of these addresses have you lived at?"). Moderate conversion (~45%). Less common but increasingly accepted.
- Video/Face Verification: Parent records a short video or takes a selfie matched against government ID. Emerging method with high security but significant friction. Consider for premium/high-risk scenarios only.
- Email Plus (limited use): Send email to parent, parent confirms by clicking link and providing additional identifying information. Only acceptable for "internal operations" exceptions, not for full data collection consent.
Implementation recommendation: Offer credit card verification as default (highest conversion), with government ID as alternative. Meta's Family Center already handles some VPC flows for supervised accounts — leverage their infrastructure where possible to reduce development burden and improve conversion.
Privacy Policy Requirements
What Must Be Included
- Name, address, phone number, and email of all operators collecting data (your company + any third parties like analytics providers)
- Description of what information is collected from children and whether it's collected actively (forms) or passively (cookies, device IDs)
- How the information will be used
- Whether information is disclosed to third parties, and if so, the types of businesses and the purpose
- That a parent can review their child's information, request deletion, and refuse further collection
- That you do not condition a child's participation on disclosing more information than is reasonably necessary
Where It Must Be Displayed
- Prominent link on the game's website homepage
- Visible link in the Quest Store listing
- Accessible from within the game's settings menu
- Linked directly in the parental consent notice before any data collection
- Must be accessible without requiring an account or login
Readability Requirements
- Written in clear, understandable language — avoid legal jargon
- No longer than necessary; organize with headers and bullet points
- Specific to children's data practices — don't bury kids' privacy in a general privacy policy
- FTC guidance recommends a separate, dedicated children's privacy policy rather than a section within a general policy
FTC Enforcement: Real Examples, Real Consequences
- Epic Games / Fortnite ($520M, 2022): The largest COPPA-related settlement in history. $275M for COPPA violations (collecting personal information from children without parental consent, enabling harmful voice/text chat by default) plus $245M for dark-pattern billing practices. Key lesson: default settings matter — if chat is on by default for kids, that's a violation. If purchasing is too easy for kids, that's a violation.
- Google / YouTube ($170M, 2019): YouTube knowingly collected data from children watching kids' content without parental consent. YouTube was forced to create the separate YouTube Kids experience and stop targeted advertising on kids' content. Key lesson: "we're not a kids' service" is not a defense if kids actually use your service.
- Musical.ly / TikTok ($5.7M, 2019): Collected names, email addresses, and other personal information from children under 13 without parental consent. Required to delete all videos made by children under 13. Key lesson: if you KNOW kids are on your platform and you didn't age-gate, you're liable.
- Microsoft / Xbox ($20M, 2023): Illegally collected personal information from children who signed up for Xbox Live without notifying parents or obtaining consent, and retained the data beyond what was necessary. Key lesson: even major platform holders aren't immune.
Bottom line for Eggscape: You are building a product explicitly for children. There is zero ambiguity about COPPA applicability. Budget for legal review, build compliance into the architecture from day one, and default every setting to the most protective option. The cost of compliance is a fraction of the cost of enforcement.
COPPA-Compliant Analytics
You CAN still build a data-informed product under COPPA. The key is understanding what qualifies as an "internal operations" exception — data collection that supports the operation of the service without requiring separate parental consent.
What You CAN Track Without Consent
- Aggregate analytics: Total sessions, total DAU, total revenue, crash rates — as long as data is aggregated and not tied to an identifiable child.
- Contextual data: What room is most played, what item is most purchased, average session length by age group (not individual).
- Device-level persistent identifiers for internal operations: Frequency capping (don't show the same tutorial twice), maintaining user preferences (volume settings), ensuring security (fraud detection). Must NOT be used for behavioral advertising.
- First-party analytics: Build your own analytics pipeline rather than relying on third-party SDKs that may collect additional data. If using third-party analytics (e.g., Unity Analytics, GameAnalytics), ensure they are operating under a COPPA-compliant configuration and under a written agreement that limits their use of data.
Privacy-Preserving Approaches
- Differential privacy: Add statistical noise to individual data points before aggregation. You get accurate population-level insights without being able to identify any individual child's behavior.
- On-device analytics: Process behavioral data on the Quest headset and only send aggregated summaries to your servers. Individual play patterns never leave the device.
- Cohort-based analysis: Group users into behavioral cohorts (e.g., "casual players," "competitive players") on-device. Analyze cohort behavior server-side without individual tracking.
- Session-scoped identifiers: Use temporary IDs that reset each session for real-time analytics (matchmaking quality, server performance). No cross-session tracking without consent.
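The differential privacy and session-scoped identifier approaches above can be combined in a single on-device report, sketched here as an added example that is not code from this page or from any Eggscape build. The epsilon value, the 60-minute clip bound, the function names and the report fields are all assumptions chosen for illustration.

```python
import random
import secrets

EPSILON = 1.0        # assumed per-report privacy budget (smaller = more noise)
MAX_MINUTES = 60.0   # assumed clip bound; caps one report's influence

def new_session_id() -> str:
    """Random ID minted per session; not derived from device or account."""
    return secrets.token_hex(16)

def clip(minutes: float) -> float:
    """Bound a value so the noise scale below covers every possible report."""
    return min(max(minutes, 0.0), MAX_MINUTES)

def laplace_noise(scale: float, rng: random.Random) -> float:
    """Laplace(0, scale) as the difference of two exponential samples."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def device_report(minutes: float, rng: random.Random) -> dict:
    """On the headset: clip, add noise, send only the noisy value."""
    noisy = clip(minutes) + laplace_noise(MAX_MINUTES / EPSILON, rng)
    return {"sid": new_session_id(), "minutes": noisy}

def server_mean(reports: list) -> float:
    """On the server: single values are unreliable, the population mean is not."""
    return sum(r["minutes"] for r in reports) / len(reports)

def simulate(n: int, seed: int) -> tuple:
    """Constructed data: n sessions of 10, 20 or 30 minutes (true mean 20)."""
    rng = random.Random(seed)   # seeded so the demo is repeatable
    truth = [(10.0, 20.0, 30.0)[i % 3] for i in range(n)]
    reports = [device_report(m, rng) for m in truth]
    return sum(truth) / n, server_mean(reports), reports

if __name__ == "__main__":
    true_mean, estimate, reports = simulate(30000, seed=7)
    print(f"true mean {true_mean:.1f} min, estimate {estimate:.1f} min")
    print("one raw report:", reports[0])
```

Each report spends its own budget, so a child who plays many sessions accumulates privacy loss across them; production code should also draw its noise from a vetted differential-privacy library rather than Python's `random` module.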