
drawkbox t1_j0wntzy wrote

COPPA rules are very clear, no one else is sweating.

> Rule Summary

> COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

These rules have been in place since the year 2000.

> In December 2012, the Federal Trade Commission issued revisions effective July 1, 2013, which created additional parental notice and consent requirements, amended definitions, and added other obligations for organizations that (1) operate a website or online service that is "directed to children" under 13 and that collects "personal information" from users or (2) knowingly collects personal information from people under 13 through a website or online service. After July 1, 2013, operators must:

> - Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from persons under age 13;

> - Make reasonable efforts (taking into account available technology) to provide direct notice to parents of the operator's practices with regard to the collection, use, or disclosure of personal information from persons under 13, including notice of any material change to such practices to which the parents have previously consented;

> - Obtain verifiable parental consent, with limited exceptions, prior to any collection, use, and/or disclosure of personal information from persons under age 13;

> - Provide a reasonable means for a parent to review the personal information collected from their child and to refuse to permit its further use or maintenance;

> - Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected from children under age 13, including by taking reasonable steps to disclose/release such personal information only to parties capable of maintaining its confidentiality and security; and

> - Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.

> - Operators are prohibited from conditioning a child's participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity.

Epic just was cheating trying to get more info on kids like TikTok for tracking/fingerprinting.

The COPPA rules are basically this: over 13, OK; under 13, you can collect no data on these users other than anon + ephemeral data. Should they want to buy anything or have anything beyond that, you have to have their parents approve via email and the child's account is essentially their parent.

If you use systems like Apple GameCenter, Google Play Game Services, Steam or other, all of this is already built in.

Epic Games clearly was cheating or didn't have their flows tight on this.

−1