Compliance Glossary
Essential terms for game studio compliance and privacy
Age Gate
Category: Age Verification
A mechanism that verifies a user's age before allowing access to content or features. Required by COPPA for services directed at children and by app stores (Apple DSA, Google Play) for age-restricted content. Must appear before any data collection occurs.
Analytics SDK
Category: Technical
Third-party tools for tracking user behavior and game metrics (Firebase, Amplitude, Unity Analytics). They automatically collect personal data including device IDs, IP addresses, and behavioral patterns. Must be initialized after age verification and require proper consent mechanisms.
Behavioral Tracking
Category: Privacy
Monitoring user actions and patterns over time. Includes gameplay behavior, purchase patterns, and time spent in-game. Under GDPR, requires explicit consent if not essential to the service. Under COPPA, restricted for users under 13. A common issue with analytics SDKs.
COPPA
Category: Regulation
Children's Online Privacy Protection Act. A US federal law that requires parental consent before collecting personal information from children under 13. Applies to websites and apps directed at children or those that knowingly collect data from children.
Cross-Border Data Transfer
Category: GDPR
Transfer of personal data from one country to another. GDPR restricts transfers of EU data to countries without adequate data protection. Requires safeguards like Standard Contractual Clauses (SCCs) or adequacy decisions. A compliance challenge for games with global infrastructure.
Dark Pattern
Category: Compliance
User interface design that tricks or manipulates users into making unintended decisions. In gaming, this includes confusing purchase buttons, hidden subscription terms, or misleading privacy settings. Illegal in many jurisdictions and specifically cited in Epic Games' $520M settlement.
Data Breach
Category: Security
Unauthorized access, disclosure, or loss of personal data. Under GDPR, you must notify the supervisory authority within 72 hours if there is a risk to user rights, and must also notify affected users if the risk is high. Requires documentation of the breach, its impact, and the response measures taken.
Data Controller
Category: GDPR
Under GDPR, the entity that determines the purposes and means of processing personal data. Game studios are typically the data controller for player data in their games, which makes them responsible for compliance.
Data Minimization
Category: GDPR
GDPR principle requiring you to collect only personal data that is necessary and relevant for your specified purposes. For games, this means avoiding excessive data collection and regularly reviewing what data you actually need. Over-collection increases compliance risk.
Data Portability
Category: Privacy Rights
GDPR right allowing users to receive their personal data in a structured, commonly used, machine-readable format (such as JSON or CSV). Users can request this data in order to transfer it to another service. Must be provided within 30 days of the DSAR.
Data Processing Agreement (DPA)
Category: GDPR
A legally binding contract between a data controller and a data processor that defines data processing terms, security measures, and compliance responsibilities. Required by GDPR for any third-party service that processes personal data.
Data Processor
Category: GDPR
Under GDPR, an entity that processes personal data on behalf of a data controller. Third-party services like analytics providers, ad networks, and cloud hosting are typically data processors. You need Data Processing Agreements (DPAs) with all processors.
Data Retention
Category: GDPR
How long you keep personal data. GDPR requires you to keep data only as long as necessary for its purpose. You must define and document retention periods for each data type. Retaining data longer than needed increases compliance risk and storage costs.
DSA
Category: Regulation
Digital Services Act. EU regulation requiring digital platforms to implement age verification for minors. Apple enforces DSA-compliant age gates for apps rated 12+ in the EU. Requires neutral, clear age verification before content access.
DSAR
Category: Privacy Rights
Data Subject Access Request. A formal request from a user to access, modify, or delete their personal data. Under GDPR, you must respond within 30 days; under CCPA, within 45 days. Common requests include data export, deletion, and correction.
FTC
Category: Regulatory Body
Federal Trade Commission. US government agency that enforces consumer protection laws, including COPPA. The FTC issues penalties for privacy violations (e.g., Epic Games' $520M settlement) and publishes compliance guidance for online services.
GDPR
Category: Regulation
General Data Protection Regulation. EU privacy law that applies to any company processing EU residents' data, regardless of the company's location. Requires a lawful basis for data processing, user consent, data security, and honoring user rights. Maximum penalties: €20M or 4% of global revenue.
GDPR-K
Category: Regulation
Common term for the GDPR provisions specifically protecting children (the 'K' stands for 'kids'). Requires parental consent for processing the personal data of children under 16 (the age varies by EU member state and can be as low as 13). Stricter than standard GDPR requirements.
Legitimate Interest
Category: GDPR
One of six lawful bases for processing data under GDPR. Allows data processing necessary for legitimate business purposes, provided those purposes do not override users' privacy rights. Common for game analytics and fraud prevention. Requires a documented Legitimate Interest Assessment (LIA).
Parental Consent
Category: Age Verification
Verifiable permission from a parent or guardian before collecting personal data from children. Required by COPPA (under 13) and GDPR-K (under 16). Must use verifiable methods like credit card verification, signed forms, or video calls; simple checkboxes are insufficient.
Personal Data
Category: Privacy
Under GDPR, any information relating to an identified or identifiable person. In games, this includes usernames, email addresses, IP addresses, device IDs, gameplay data, purchase history, and more. A broader definition than the US term 'PII'.
PII
Category: Privacy
Personally Identifiable Information. US term for data that can identify a specific individual. Includes names, email addresses, and Social Security numbers; narrower than GDPR's 'personal data', although many device identifiers and gameplay patterns still qualify as PII.
Privacy by Design
Category: Best Practice
Approach that incorporates privacy and data protection from the earliest stages of system design. Required by GDPR. For games, this means considering privacy implications before implementing features, SDKs, or data collection mechanisms.
Privacy Policy
Category: Legal Requirement
Legal document explaining what personal data you collect, why, how it is used, who it is shared with, and what rights users have. Must be clear, accessible, and specific to your practices. Generic templates are insufficient and may lead to violations.
Right to Erasure
Category: Privacy Rights
Also called the 'Right to be Forgotten'. GDPR right allowing users to request deletion of their personal data. Must be honored within 30 days unless you have legitimate grounds to retain the data (e.g., legal obligations, fraud prevention). Includes data held by processors.
SDK
Category: Technical
Software Development Kit. Pre-built code libraries for common game functionality (analytics, ads, social features). Each SDK may collect personal data independently. You are responsible for all data collection by SDKs in your game, even if you do not directly control them.
Standard Contractual Clauses (SCCs)
Category: GDPR
EU-approved contract templates for international data transfers. Required when transferring EU personal data to countries without adequate data protection laws (including the US after the Privacy Shield invalidation). Must be included in agreements with non-EU processors.
Third-Party SDK
Category: Technical
External software libraries integrated into your game (Unity Analytics, Firebase, AdMob, etc.). Each SDK is a data processor that may collect personal data. A common compliance issue is SDKs collecting data before age verification or without proper consent.
User Consent
Category: Privacy Rights
Explicit permission from users to process their personal data. Under GDPR, consent must be freely given, specific, informed, and unambiguous; pre-checked boxes do not count. Consent must be as easy to withdraw as to give. Required for non-essential data processing such as marketing.
Verifiable Parental Consent
Category: Age Verification
COPPA requirement that parental consent be obtained through a method that reasonably ensures the person providing consent is the child's parent. Methods include credit card verification, government ID check, video conference, or signed form. Simple email confirmation is insufficient.