Unity Technologies is excited to announce another important milestone - developers of apps directed to children under 13 can now use Unity Analytics.

Developers building apps directed to children under 13 in the United States are required to comply with the Children’s Online Privacy and Protection Act (COPPA) (https://www.ftc.gov/enforcement/rul...ings/childrens-online-privacy-protection-rule), a federal law that is designed to protect the online privacy of children in the United States.

Unity Analytics supports internal operations of gaming services, websites, apps, and games. The Unity Analytics Service can help game developers:
- Provide game usage and performance analytics
- Understand game performance and monitor game health and areas of crashing
- Improve game design and green lighting
- Deploy future game development resources based on game performance
- Maintain or analyze the functioning of games, including through maintenance, analysis and analytics
- Protect the security and integrity of game players
- Serve contextual advertising and cap the frequency of advertising
- Ensure legal or regulatory compliance

This document is provided for information purposes only and should not be considered legal advice or a substitute for obtaining your own legal advice. Developers must independently ensure their compliance with COPPA of a child directed app.

Frequently Asked Questions

1. What information does Unity Analytics collect?
In order to provide analytics for your games, Unity Analytics collects and uses in each game built with Unity Editor an anonymized user ID. Each ID is unique to users on each developer’s apps. These IDs cannot be used to track users across apps built by other developers and cannot be mapped between different services, devices, or even different browsers on the same computer. For further information, please review the Unity Privacy Policy: https://unity3d.com/legal/privacy-policy.

2. What is the anonymized user ID used for?
The anonymized user ID is used to track the activities of game players in order to help developers: (i) provide game usage and performance analytics; (ii) understand game performance and monitor game health and areas of crashing; (iii) improve game design and green lighting; (iv) deploy future game development resources based on game performance; (v) maintain or analyze the functioning of games, including through maintenance, analysis and analytics; (vi) protect the security and integrity of game players; (vii) serve contextual advertising and cap the frequency of advertising; and (viii) ensure legal or regulatory compliance.

3. How will Unity know if my application is directed to children under 13?
When developers download the Unity editor and integrate Unity Analytics into their project, they will be required to indicate whether the application they are building is directed to children under 13 as addressed in the Children’s Online Privacy Protection Rule. Developers are solely responsible for making this determination. Developers may seek COPPA guidance from the Federal Trade Commission, who provides a wealth of COPPA resources at: https://www.ftc.gov/tips-advice/business-center/privacy-and-security/children's-privacy

4. If my game is developed outside the United States and not directed to any children located in the United States, what designation should I make?
You can select the option “This game is not directed to children under the age of 13 in the United States”.

5. What about my existing apps using Unity Analytics?
All existing apps using Unity Analytics will be designated as not directed to children under 13 unless you affirmatively change the designation.

6. Does the Unity Analytics Service ensure that my Unity app/game is COPPA-compliant?
Unity Technologies does not make any express or implied warranties or representations that the Unity Analytics Service is COPPA compliant, and you should not rely on the Unity Analytics Service to satisfy your COPPA obligations. It is your responsibility to ensure your Unity app/game is COPPA compliant.
I'd like some clarifications about "directed to children under 13". My game is for all players, whatever age they have, so I guess my game is (also) "directed to children under 13", right?
Hi @manutoo, You are correct, if your game is directed at an audience of all ages then you must also make the necessary steps to be compliant with COPPA. Here is a link to their FAQ if you would like to read more, https://www.ftc.gov/tips-advice/bus...ying-coppa-frequently-asked-questions#General Questions. Your question was relevant to section 2, Who is covered by COPPA?
@mpinol, thanks for your answer. I did a bit of reading and I found this: http://www.coppalawattorney.com/the-directed-at-children-standard-of-coppa/ . My understanding from it is that actually my game is not directed to children, as its main target is more mature (i.e., some mild violence and somewhat mature language), even if it's not impossible for kids to play it. Moreover, Unity Analytics doesn't seem to collect any personal information (not even the IP if I read the FAQ above correctly), so there's no need to comply with the COPPA if I don't personally add collection of personal data.
Both GooglePlay and ESRB.org allow you to self-rate, and to have your game as described be rated Everybody wouldn't be allowed according to their descriptions.
Thanks for the great post! But I couldn't find anywhere what the restrictions are when I choose to target children under the age of 13. Less data? And is it needed to make a build for US where the checkbox is selected and another build for all other countries or does UnityADs take care of that? Thanks in advance!
Hi @ayellowpaper https://www.ftc.gov/tips-advice/bus...ying-coppa-frequently-asked-questions#General Questions COPPA deals with the collection of personal information for children under the age of 13. Section A should give you all of the information on what defines 'personal information' and how to be compliant. I can only speak for Unity Analytics so any questions about Unity Ads should be posted on their forums, http://forum.unity3d.com/forums/unity-ads.67/ Hope this helps and let us know if you have any more questions.
This thread didn't help me at all. First off, English is not my native language and also I am not very good at law stuff. So here's my question: My game is going to be a simple non-violent casual game which can be played by anyone and it will also have AdMob, UnityAds and Unity Analytics integrated (no additional data is being collected by "me"). I guess I should pick the option that my game is indeed directed to children under the age of 13, right? But do I need to do something if I tick this box or do I have to state that data is being collected in this game? I just don't get the idea behind COPPA and how to be "compliant" ... it's confusing the sh*t out of me. Also what changes if I tick the box that my game is directed to children? Do I get less data or what? Any help is appreciated, thanks.
@Fissll Yes, if your game's audience includes children under 13, you should indicate that it is directed at kids under 13. This is required under US law. Ticking the box doesn't change anything for Analytics. You won't get less data. It's simply your agreement with us that you promise to keep your use of data consistent with applicable law. Ads handles COPPA-compliance by not collecting certain types of personally identifying information, and this can diminish ad effectiveness (and therefore potentially impact your income). I recommend you ask on the Ads forum, where someone more knowledgeable than myself can be more precise. Now, the particulars of law are highly dependent on your use (what are you showing? which countries are you releasing in? etc) and we're not allowed to give you legal advice, such as "do I have to state that data is being collected?" For that you probably need to ask a lawyer. Hope that helps!
Thank you for your answer @marc_tanenbaum, So basically for the Analytics part I just have to tick the box and I'm good? Because like I said, I will just use the basics of Analytics ... I won't try to get the player's name or his address or something like that. Also I think it is kinda odd that you can't change if your game is directed to children or not after you set it once :-/
Hi, I am on the verge of releasing my first game and I just came across the problem of COPPA. I have some open questions regarding COPPA compliance and Unity Analytics which reading through the docs could not answer. Please bear with me, my post is long but I tried to summarize my understanding which may help other developers as well. As far as I see if a developer does not actively implement some data collection (birthdate, userid, gender -> considered optional user attributes in Analytics) the question regarding COPPA compliance in connection with Unity Analytics breaks down to the following:
- Is the "anonymized user ID" in #1 of the FAQ above (in itself or together with gameplay event data) sufficient to identify the user or his device? Reading through (not always clear) Unity announcements and Privacy Policy I would assume that this ID is hashed therefore not backtrackable to the originating device. Where is this hashing done? Because if on the server side then basically that means UA _is_ collecting PII but not storing it! Is the ID different for different apps of the _same_ developer too?
- From my understanding collecting IP address can also be seen as PII. So far I could not find any reassuring information otherwise. Does UA collect _and_ store IP addresses or is storage on a regional, city, or otherwise aggregated level?
- I am not really sure if COPPA includes the right for the parent to ask for deletion of _any_ collected or just PII data. And my concern is what the deletion process would look like in case of UA? I suppose the developer needs to ask, but with what ID can the developer refer to the data items in question? Of course based on my first and second point the deletion could be totally unnecessary (since there is no PII stored).
- Is there any way a developer could see samples of the raw data sent to Unity Analytics to get reassurance that the packages do not contain any COPPA non-compliant information?
- Is (or will be) un-aggregated data available on Unity Analytics? So far I could not see such, but as soon as it is available, even more concerns may arise.
Thank you in advance for answering my concerns!
Hi @b3ka, Alright, here we go! The anonymized user ID is generated on the device itself and is different across all apps regardless of developer. An example of this is that if a player uninstalls and then reinstalls a particular app, they will receive a newly generated user ID as soon as the app is launched. Yes we collect IP addresses for use in geographic segments, by country, on the Dashboard. Since there is no PII collected there should be no need to delete a particular user's data but if deletion was required, and unless the user ID was known, the entire project would need to be deleted as the only known ID would be the project ID. As of right now I do not believe that there is any way to see the raw data sent to Analytics without using 3rd party software. We are testing a raw data export feature that would give developers access to their raw un-aggregated data but I cannot give you any real time frame of when it will become available to everyone and it also will not contain any personally identifiable information. Let me know if you have any more questions!
Hi, I have selected the children under the age of 13 but now I want to change it and I can't find how. Can you help me with this?
Hi @pouya90, There are some circumstances where we 'lock' a project to a certain COPPA setting. Would you mind PM'ing me your project ID or opening a support ticket, https://analytics.cloud.unity3d.com/support , so that I can take a look?
Just read this on the COPPA FAQs: https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions Along with the IPs, your privacy policy states that analytics are also collecting device identifiers. This is also part of the COPPA FAQs. As far as I understand, a parent COULD ask the developer to delete the PIIs and with the current state of Unity Analytics, request of data deletion isn't really supported. Basically, at the moment, it's impossible to use analytics/IAPs and have users of our playerbase be less than 13 without being at risk of legal issues, does that make any sense? Unless I missed/misunderstood something?
Hi @Fujik, Unity Analytics supports internal operations of gaming services, websites, apps, and games. Further along in the FTC FAQ, the FAQ does seem to provide additional information related to how COPPA may apply to using a service like Unity Analytics and collecting "personal information" like IP address and device identifier. In particular, I would check out sections C.6 and I.5-8 that provide more information around what "support for the internal operations of the Web site or online services" means and the resulting implications for your app. Hope that helps! As a reminder, we encourage all our developers to procure their own qualified legal help to understand the various rules and regulations, to ensure compliance with COPPA of a child-directed app. Anything we provide here is for informational purposes only and should not be considered legal advice or a substitute for obtaining your own legal advice.
Dear Unity Support, hopefully you can get some clarification here, I think the very simple question everyone is trying to get an answer for is this: Is Unity Analytics COPPA compliant? Let us assume I create a blank new project in Unity and add Analytics with the setting "This game is directed to children under the age of 13 in the United States." and publish it. I have not added any code whatsoever. Is my application in compliance with COPPA? Are you able to answer this question with a clear yes? Because if you are not able to, as Fujik stated before, no one can use Analytics without being at risk of legal issues... Thanks!
@Marc81 Unity Analytics provides a COPPA-compliant solution for games designated as directed to children under the age of 13. If you flag your game as such when creating a project, Unity Analytics then collects data and operates consistent with COPPA limitations. Determining whether a game is “directed to children under the age of 13” under COPPA has to be made by each developer based on characteristics of the game and its audience. Unity unfortunately cannot make this determination.
Hi @Brutusomega, At the moment COPPA compliance cannot be changed on a project once it's been set. Currently the best workaround available would be to create a new project on the Analytics Dashboard and then re-link your Unity project to the newly created Analytics Dashboard project from the Services window.
So, OK, I am clear now - game rated Everyone+ must choose to follow the COPPA requirements for targeting children under 13 even if the game isn't marketed to any particular demographic. The wording makes it sound as if you are even if you aren't. At any rate, they would do well to consider raising that age to 18 years old if one is to believe how the rest of the USA laws on age of consent work.
A question that is still not sufficiently answered here is about the use of IP addresses. @mpinol states that IP addresses are collected but that there is no PII collected. Which is contradicting, since an IP is regarded as personal information according to COPPA. How can the Analytics be compliant with COPPA when IPs are collected and cannot be deleted if a user wants it to?!
@CHG_Eve Unity Analytics provides "support for the internal operations" of your game or app, which is a case the FTC FAQ takes into account. If you have any specific questions about your game and COPPA, we advise you to contact your personal legal counsel.
Hi! How does Unity collect demographics info (gender and age)? I saw these in the Segment Builder section in the Analytics page. Or better, what do I have to implement in order to collect this information?
@roberto_sc, Unity does not automatically collect demographic data. We do have an API that will allow you to link the gender and age demographic data you collect with your Analytics data. https://docs.unity3d.com/Manual/UnityAnalyticsUserAttributes.html
For a troubling analysis of the current state of COPPA compliance and enforcement in the Android marketplace, see the commentary: http://bgr.com/2018/04/16/android-apps-track-children-privacy-violation-study/ and particularly the underlying in-depth app-survey report, done with an instrumented op sys and network traffic analyzer: Irwin Reyes et al., “‘Won’t Somebody Think of the Children?’ Examining COPPA Compliance at Scale”, Proc. on Privacy Enhancing Techn., De Gruyter Open, 2018 (3):63-83. https://petsymposium.org/2018/files/papers/issue3/popets-2018-0021.pdf
The latter sheds further light (in 4.3.3) with respect to the Unity Analytics COPPA checkbox. More broadly, the report extensively discusses the transmission of PII including device IDs. As noted above in this thread poster, developers using Unity Personal Edition cannot disable sending of "hardware" device IDs to Unity's server. Sending device IDs is also a prerequisite for using Unity Analytic Services (with both paid and free Unity). Whether the "support for internal operations" loophole makes you feel better or worse is up to you. Probably the Europeans will come up with a system with more teeth. As a hobbyist developer using the Personal Edition and trying to build an unmonetized (no ads or analytics either) game, I'd really like to turn off device ID sending. But not enough to get the paid version of Unity.