Age Ratings and COPPA: What Indie Studios Need to Know

If your game is aimed at kids or teens — or even if you didn't intend it that way but kids play it anyway — age ratings and COPPA compliance are not optional. Here's what applies to indie studios and what compliance requires.

If your game can be downloaded by a child — which is most games on most platforms — two regulatory frameworks are already watching it. The first is the age rating system: ESRB, PEGI, IARC, and platform-specific equivalents that classify your content and control where it appears in storefronts. The second is COPPA, the federal children's privacy law that governs what data you can collect and from whom. These frameworks interact in ways that catch studios off guard, because a game's rating profile feeds directly into the FTC's analysis of whether it is "directed to children" — and that determination controls whether you need verifiable parental consent before your analytics SDK does anything at all.

This article maps both frameworks for indie studios: what ratings cost and which platforms require them, when COPPA applies and what it actually demands, how enforcement has played out against studios of every size, and what a compliance checklist looks like before and after launch.

How Age Rating Systems Work — ESRB, PEGI, and IARC

Three rating systems govern most of the markets your game will reach: ESRB covers North America, PEGI covers the European Union and UK, and IARC is the global digital-storefront framework that sits underneath both of them. Understanding which system applies to your distribution channel — and what it costs — is the first decision in any rating strategy.

For most indie studios shipping digital-only, IARC (International Age Rating Coalition) is the default starting point. IARC operates a single questionnaire that simultaneously generates ratings across all participating rating authorities. Complete it once and you have ratings for Google Play, Nintendo eShop, the Microsoft Store (Windows and Xbox), PlayStation Store, Epic Games Store, Meta Quest Store, and Amazon Luna — at no cost. Over 119 million games and applications have been rated through the system, making it the largest age-rating infrastructure in the digital games market.

📌
Quick path to IARC rating: Go to globalratings.com, complete the developer questionnaire, and receive ESRB, PEGI, USK, ClassInd, and other regional ratings instantly — free of charge. Google Play requires this questionnaire for every new submission and every update; skip it and your app gets pulled from distribution.

Two major storefronts sit outside IARC entirely. Steam does not participate in IARC and handles ratings separately. Starting November 15, 2024, Steam began hiding unrated games from German customers, and the direction of travel is clear: platform-level rating mandates are expanding, not contracting. The Apple App Store also operates outside IARC, applying its own four-tier system (4+, 9+, 12+, 17+) independently. If Steam or the App Store are part of your launch plan, budget for separate submissions.

For physical retail — still relevant if you are targeting Limited Run Games, retailers, or console manufacturer programs — the cost calculus shifts significantly. ESRB's traditional Long Form review requires submission of video footage covering all pertinent content. For studios with a development budget under $1 million, ESRB offers a value tier at $3,000 for studios that have already received a digital rating through IARC. PEGI physical certification uses a tiered fee structure: €260 for smaller downloadable titles, scaling to €1,155 for mid-budget titles, and €2,100 or more for productions above a €200,000 development budget — with additional per-platform fees on top of the base certification rate.

Rating systems do not just assign an age bracket. They also generate content descriptors — labels like "Cartoon Violence," "Mild Language," or "Animated Blood" that itemize the specific types of content present in the game. These descriptors appear alongside the age category on storefronts and packaging and are inputs into the rating process itself. That distinction matters for more than shelf placement: the FTC's analysis of whether a game is legally "directed to children" under COPPA considers visual content, animated characters, and the nature of in-game activities — the same attributes that produce content descriptors in the first place. A game's rating profile is, in effect, a ready-made exhibit for that analysis.

When COPPA Applies to Your Game

COPPA reaches your game through one of two paths: your game is directed to children under 13, or you have actual knowledge that a child under 13 is using it. These are independent triggers — satisfying either one is sufficient to impose full compliance obligations. The "general audience" label studios often apply to their games addresses neither trigger automatically; it is a starting position in the analysis, not a conclusion.

For general-audience services, the actual-knowledge standard means COPPA obligations attach the moment you learn a specific user is under 13 — through an age gate response, a support ticket from a parent, or age data passed by a platform partner. You do not need to go looking for child users; knowledge, however it arrives, is enough. The harder question for most indie studios is whether their game is directed to children in the first place, because that determination triggers COPPA across all users, not just identified minors.

⚠️
The 8-factor "directed to children" test (16 C.F.R. § 312.2):
1. Subject matter of the website or online service
2. Visual content (imagery, art style, design)
3. Use of animated characters or child-oriented activities and incentives
4. Music or other audio content
5. Age of models featured
6. Presence of child celebrities or celebrities who appeal to children
7. Language or other characteristics of the service
8. Whether advertising on the service is itself directed to children

The FTC also weighs competent empirical evidence of actual audience composition, your marketing materials and representations to third parties, user reviews, and the age of users on comparable services.

No single factor is dispositive — the FTC applies all of them together. A game does not need cartoon characters and a young female influencer and child-targeted ads to be "directed to children." The FTC's COPPA FAQ uses dress-up games with young-looking animated characters as a specific example of a game type that can satisfy the test even without explicit age targeting in the marketing. Genre and visual style are sufficient entry points for the analysis.

The January 2025 enforcement action against Genshin Impact developer HoYoverse makes this concrete. The FTC's complaint alleged that HoYoverse actively marketed the game to children and collected personal information from users under 13 without parental consent — this despite Genshin Impact carrying no explicit "kids" branding. The case demonstrates that an anime art style, gacha/loot box mechanics, and marketing that reaches minors can collectively satisfy multiple factors in the 8-factor test at once.

An ESRB "Everyone" rating does not insulate a game from COPPA. It is one data point the FTC may consider under the subject matter and visual content factors, but it is not a safe harbor. The rating system and the privacy law operate on separate tracks: ESRB rates content maturity; COPPA governs data collection from children. A game rated E can still be found directed to children under 13 if the remaining factors point that way.

Age gates deserve the same skepticism. A simple checkbox — "I confirm I am 13 or older" — does not qualify as a neutral age-screening mechanism under FTC guidance. An acceptable gate allows users to freely enter a birth month and year, without a default value that nudges toward an older age. Critically, the FTC recommends using a persistent cookie after a child-identified session to prevent back-button circumvention — because a gate that can be re-entered immediately after a "child" response is effectively no gate at all.

Studios that find their game falls between these poles are likely operating what the law calls a mixed-audience service — the category that captures most games targeting teens or broad demographics. Mixed-audience classification carries its own specific obligation set, covered in Section 4.

What COPPA Compliance Requires

The core obligation under COPPA is straightforward to state and difficult to implement: before collecting any personal information from a child under 13, you must obtain verifiable parental consent (VPC). No opt-out mechanism, no retroactive notice, no implied consent from clicking through an account creation screen. The consent must be affirmative, verifiable, and obtained before collection begins. Under 16 C.F.R. § 312.5, that requirement covers the full scope of how children interact with online services.

"Personal information" under COPPA is broader than most studios expect. The statute covers names, home addresses, email addresses, and phone numbers — but also persistent identifiers such as cookies, device IDs, and IP addresses; precise geolocation data; photos; audio recordings; and chat logs. If your game collects any of these from a player under 13, including passively through a third-party SDK, VPC is required. That last category is where most enforcement actions originate — not from obvious data fields like names, but from device identifiers being harvested silently by an advertising or analytics SDK the developer never fully audited.

The nine FTC-approved VPC mechanisms under 16 C.F.R. § 312.5 give operators flexibility, though none of them are frictionless. The most defensible options include a signed consent form returned by mail, fax, or electronic scan; payment verification using a credit or debit card transaction with a notification to the cardholder; a toll-free staffed telephone call; a live video conference with trained personnel; and government-issued ID verified against a facial recognition image (with immediate deletion of the ID after verification). Knowledge-based authentication — dynamic multiple-choice questions that a child aged 12 or under could not reasonably answer — is also permitted. Each mechanism involves real verification; none permit a checkbox.

The email-plus method — send the parent a notice, then send a confirmation within two weeks — is the simplest on paper, but it carries a significant restriction: operators may use it only if they do not disclose children's personal information to third parties. The moment your game integrates an advertising SDK that passes user data to an external network, email-plus is unavailable. You need a more robust VPC mechanism from the list above.

The 2025 COPPA Rule amendments (see our privacy compliance overview), published April 22, 2025, add two obligations that most studios currently ignore. First, obtaining general account consent does not cover data sharing for targeted advertising — that requires a separate VPC specifically for third-party disclosure, and operators cannot condition service access on obtaining it. Second, data retention is now formally constrained: studios must delete children's personal information when it is no longer necessary for the specific purpose it was collected, and must maintain a written retention policy documenting collection purposes, business justification, and deletion timeframes. Indefinite storage of player data is no longer permissible. Full compliance with these amendments is required by April 22, 2026.

COPPA compliance checklist (April 22, 2026 deadline):
1. Obtain verifiable parental consent before collecting any personal information from under-13 users — no collection before consent.
2. Audit every SDK integrated into your game and confirm whether it collects persistent identifiers, geolocation, or audio from child users.
3. If you share any children's data with third parties, obtain a separate VPC specifically for that disclosure — bundled account consent does not cover it.
4. Select a VPC mechanism from the nine options codified at 16 C.F.R. § 312.5 that is compatible with your data-sharing practices (email-plus is restricted to non-disclosing operators).
5. Draft and publish a COPPA-compliant privacy policy disclosing the categories of personal information collected, the third parties who receive it, and your retention periods.
6. Establish a written data retention policy specifying why each data category is collected, how long it is kept, and when it is deleted.
7. Implement all required changes by April 22, 2026 — the full compliance deadline for the 2025 COPPA Rule amendments published April 22, 2025.

The Mixed-Audience Problem — When Kids Play Your Non-Kids Game

The most dangerous classification for an indie studio is not "directed to children" — it's the gray zone between that and "general audience." A game that pulls in a substantial child userbase can qualify as a mixed-audience service even if you never intended it for kids. Under COPPA's framework, that classification triggers the same core obligations as a fully child-directed game, unless you implement an age gate to screen children out before collecting any data. And "general audience" only stays a safe harbor if the evidence actually supports it.

Three categories of evidence can flip your classification. First, empirical user data: if your analytics show a disproportionate share of users in the under-13 cohort, that data is admissible against you. Second, marketing representations: child-appealing imagery in your app store screenshots, a game mechanic the FTC's test would call "child-oriented," or placement in a family-friendly category are all inputs to the directed-to-children analysis. Third, support channel signals: if parents are consistently opening tickets on their child's behalf, the FTC treats that as evidence you knew who was playing. The FTC's COPPA FAQ is explicit that studios should examine whether their game involves child-oriented activities and whether empirical evidence about actual users brings them within the mixed-audience definition.

If you operate a mixed-audience game, the amended COPPA Rule requires that you not collect personal information from any visitor before determining that visitor's age — using a neutral mechanism that does not default to a set age or encourage falsification. Users who clear the gate are then treated as general-audience. Users who identify as under 13 trigger full COPPA compliance for that session and account. This is not optional architecture; it is the legal condition on which "not directed to children" status depends for mixed-audience operators.
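
The neutral age gate with a persistent child-outcome cookie, combined with the rule that nothing is collected before a visitor's age is determined, as an added JavaScript example (not code from the article). The cookie name, its one-year lifetime, the conservative month/year age calculation, and the SDK inventory with its flags are assumptions for illustration.

```javascript
// Added example, not code from the article. Cookie name, lifetime and the
// SDK inventory are assumptions; adapt them to your own audit results.
const CHILD_AGE_LIMIT = 13;                    // COPPA covers users under 13
const GATE_COOKIE = "age_gate";                // hypothetical cookie name
const COOKIE_MAX_AGE_S = 365 * 24 * 60 * 60;   // assumed lifetime: one year

// Constructed inventory: each flag is what an SDK audit would record.
const SDKS = [
  { name: "crash-reporter", collectsPersonalInfo: true, adDisclosure: false },
  { name: "analytics",      collectsPersonalInfo: true, adDisclosure: false },
  { name: "ad-network",     collectsPersonalInfo: true, adDisclosure: true  },
];

// Read one cookie value from a raw Cookie request header.
function readCookie(header, name) {
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0 && part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return null;
}

// Age from month and year only. Without the day we cannot tell whether the
// birthday has passed in the birth month, so we assume it has not (errs young).
function ageFrom(birthMonth, birthYear, now) {
  const month = now.getUTCMonth() + 1;
  return now.getUTCFullYear() - birthYear - (month <= birthMonth ? 1 : 0);
}

// Evaluate the gate. birthMonth/birthYear must be typed by the user; there is
// no default, so missing or implausible input yields "unknown", never an age.
function evaluateGate({ cookieHeader, birthMonth, birthYear, now }) {
  // A prior child answer is sticky: going back and re-entering cannot change it.
  if (readCookie(cookieHeader, GATE_COOKIE) === "child") {
    return { outcome: "child", setCookie: null };
  }
  const valid = Number.isInteger(birthMonth) && birthMonth >= 1 && birthMonth <= 12 &&
    Number.isInteger(birthYear) && birthYear >= now.getUTCFullYear() - 120;
  if (!valid) return { outcome: "unknown", setCookie: null };
  const age = ageFrom(birthMonth, birthYear, now);
  if (age < 0) return { outcome: "unknown", setCookie: null };  // date in the future
  if (age < CHILD_AGE_LIMIT) {
    // Persist only the outcome, not the birth date that was entered.
    const setCookie = `${GATE_COOKIE}=child; Max-Age=${COOKIE_MAX_AGE_S}; ` +
      "Path=/; HttpOnly; Secure; SameSite=Lax";
    return { outcome: "child", setCookie };
  }
  return { outcome: "not_child", setCookie: null };
}

// Decide which SDKs may initialise. consent = { vpc, adDisclosureVpc }, where
// adDisclosureVpc is the separate consent for third-party ad disclosure.
function allowedSdks(outcome, consent = {}) {
  if (outcome === "not_child") return SDKS.map((s) => s.name);
  return SDKS.filter((s) => {
    if (!s.collectsPersonalInfo) return true;               // nothing to gate
    if (outcome !== "child" || !consent.vpc) return false;  // age unknown, or no VPC
    return !s.adDisclosure || consent.adDisclosureVpc === true;
  }).map((s) => s.name);
}
```

Call `evaluateGate` before any SDK is initialised and pass its outcome to `allowedSdks`; an `unknown` outcome means re-prompting with nothing started in the meantime.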

The actual knowledge trigger operates on a separate track. A studio can market a game as general audience and still acquire actual knowledge through indirect channels. The FTC's Microsoft Xbox action establishes the clearest example: when Microsoft notified developers that specific accounts belonged to users under 13, that notification itself constituted actual knowledge — regardless of how the game was marketed. If a platform sends you age data about a user, COPPA compliance obligations for that user attach immediately.

⚠️
SDK liability cannot be contracted away: Under COPPA, the developer — not the SDK vendor — is strictly liable for data collected by third-party SDKs embedded in a child-directed app. A clause in your SDK agreement purporting to make the vendor responsible for COPPA compliance does not protect you. The FTC charged HyperBeard for allowing ad network SDKs to collect persistent identifiers from child-directed game users without parental consent, resulting in an assessed $4 million penalty. The company's inability to pay reduced the paid amount to $150,000 — but the full penalty remained on the record.

Google Play adds a platform layer on top of federal law. Apps in any category targeting children or a family audience must use only Families Self-Certified Ads SDKs — Google maintains a published list. Using any ad or analytics SDK not on that list is simultaneously a COPPA risk and a Play Store policy violation that can pull your app from distribution. The practical implication applies to every SDK category: advertising, analytics, crash reporting, and attribution SDKs all collect persistent identifiers by default. Before integrating any SDK into a child-directed or potentially mixed-audience game, verify it against a compliance framework that accounts for both federal COPPA requirements and platform-specific certification requirements. That audit is not a one-time event — SDK vendors update their data collection behavior between versions, so the review has to track SDK version changes.

FTC Enforcement — What Actually Gets Studios Fined

The FTC rarely issues advance notice before filing a COPPA action. Studios typically learn they are under investigation when the agency's letter arrives — and by then, the penalty calculation has already started. Courts can hold operators liable for up to $53,088 per violation, and the FTC calculates violations per child affected, per day of non-compliance. That arithmetic compounds fast across even a modest user base.

⚠️
Penalty exposure compounds: At $53,088 per violation per day, a studio with tens of thousands of daily child users could theoretically face liability in the hundreds of millions before a settlement is ever negotiated. The three cases below show that this is not hypothetical math.

HyperBeard (June 2020) — The SDK You Didn't Configure

HyperBeard made casual mobile games — KleptoCats, Clawbert, and similar titles clearly directed at children. The company had embedded standard advertising SDKs, including AdColony, to monetize its apps. The problem: those SDKs collected persistent identifiers from child users and used them to serve targeted ads, all without parental notice or verifiable consent. The FTC did not need to show that HyperBeard actively directed the SDK to collect children's data. The collection happened; HyperBeard owned the app; that was enough. The agency assessed a $4 million civil penalty, ultimately reduced to $150,000 because HyperBeard demonstrated inability to pay. The full $4 million remains on the enforcement record.

Epic Games / Fortnite (December 2022) — Scale, Defaults, and Deletion Failures

Epic agreed to pay $275 million — the largest COPPA penalty in FTC history — after a complaint that covered three distinct violation categories. First, Epic collected personal data from players it knew were under 13 without verifiable parental consent. Second, Fortnite enabled live voice and text chat by default, matching minor players with strangers and adults. Third, when parents tried to delete their children's accounts or stop purchases, the flow was designed to make it unreasonably difficult. The settlement required Epic to flip default privacy settings for children and teens: voice and text communications off by default, not on. For indie studios, the deletion-flow finding matters as much as the data-collection finding — the FTC treats dark patterns that obstruct parental rights as independently actionable.

HoYoverse / Genshin Impact (January 2025) — Anime Art and Gacha as Evidence

The most recent major enforcement action targeted Cognosphere (HoYoverse), the developer of Genshin Impact. The FTC's complaint and $20 million settlement carried a specific charge that matters for any studio making games with anime-inspired art or gacha/lootbox mechanics: the FTC cited those design elements as evidence that the game was directed to children, even though it was not marketed exclusively to minors. HoYoverse knew children under 13 were playing and kept collecting their personal information anyway. The settlement went further than data collection — HoYoverse is now prohibited from selling loot boxes to users under 16 without verifiable parental consent, the first time the FTC has imposed an age-gated lootbox restriction in a COPPA settlement.

The Pattern Across All Three Cases

Reading these cases together, the FTC's enforcement targets three recurring patterns. First, collecting data from users the operator knew or should have recognized as children based on the game's own characteristics — under the directed-to-children test, game theme, art style, and marketing materials are the evidence the FTC examines, not just user-entered birthdates. Second, unconfigured or passively embedded advertising SDKs in child-accessible apps — HyperBeard proves that failing to configure a third-party SDK is not a defense. Third, blocking or making it unreasonably difficult for parents to exercise deletion and consent-withdrawal rights — Epic proves this is independently sanctionable, separate from the data collection violation. Studios working through their own privacy compliance obligations should audit against all three vectors before the April 22, 2026 COPPA Rule compliance deadline.

Compliance Checklist for Indie Studios

Whether you are pre-launch or already shipping, this six-step sequence applies — and works best in order, because each step informs the next.

  1. Classify your audience. Run the FTC's eight-factor directed-to-children test before you go live. The factors — subject matter, visual content, animated characters, music, age of models, child celebrity appearances, advertising tone, and empirical audience data — do not require all eight to be present. If any meaningful combination applies to your game, treat it as directed to children and proceed accordingly. Marketers who target parents of young children through their game's social media or app store metadata can also trigger the test through the marketing-materials prong, even when the game content itself is ambiguous.
  2. Get rated. Submit to IARC first — it is free, and a single questionnaire generates ratings for Google Play, Nintendo eShop, Microsoft Store, Xbox, PlayStation Store, Epic Games Store, Meta Quest, and Amazon Luna simultaneously. Steam and the Apple App Store do not participate in IARC, so those platforms require separate submissions. Steam has its own developer questionnaire; Apple applies a four-tier system (4+, 9+, 12+, 17+) through App Store Connect. If you plan a physical release in North America, budget at least $3,000 for ESRB's Long Form value tier; for European physical distribution, PEGI certification runs from €260 for small downloadable titles up to €2,100 or more depending on budget.
  3. Audit your SDKs. Before integrating any advertising, analytics, crash reporting, or attribution SDK into a game that may reach children, verify that each SDK is listed on Google Play's Families Self-Certified Ads SDK list or equivalent. The HyperBeard enforcement action — where the FTC assessed a $4 million penalty against a small studio for passively allowing third-party ad networks to collect persistent identifiers from child-directed game users — is the clearest evidence that SDK liability is not a large-company problem. A terms-of-service clause that purports to shift COPPA responsibility to the SDK vendor will not protect you from FTC enforcement. Audit every third-party dependency, document which children's data each one touches, and disable tracking for child users where parental consent has not been obtained.
  4. Implement verifiable parental consent. If children will use your service, a VPC flow must be in place before launch — not patched in after the first complaint. Under 16 C.F.R. § 312.5, there are nine FTC-approved mechanisms: signed consent forms returned by mail, fax, or electronic scan; payment card verification; toll-free telephone with trained staff; video conference with trained staff; government ID verification against a database; knowledge-based authentication; facial recognition against a government ID; email-plus-confirmation; and text-plus-confirmation. The final two — the email and text methods — are only available if your studio does not share the child's personal information with third parties. If your game integrates any advertising or analytics SDK that receives children's data, those low-friction options are off the table, and you need one of the stronger verification mechanisms.
  5. Create a data retention policy. The 2025 COPPA Rule amendments prohibit indefinite retention of children's personal information. You must document, in writing, what data you collect, the specific purpose for collecting it, your business justification for the retention period, and the timeline and method for deletion. Automatic deletion procedures — not manual ones that depend on someone remembering to run a query — are the standard the rule is designed to require. Operationally, this means setting deletion triggers in your data pipeline before launch rather than retrofitting them after a regulator asks.
  6. Update before April 22, 2026. If your studio is already operating a game that reaches children, audit your existing practices against the 2025 COPPA Rule amendments. The new requirements include separate verifiable parental consent for any third-party data disclosure tied to targeted advertising, expanded privacy notice disclosures (third-party identities, persistent identifier use, audio collection practices, retention timelines), and the data minimization obligation that prohibits conditioning game access on collecting more information than necessary for the feature being used. Building this into your broader privacy compliance program now is significantly less expensive than a retroactive redesign under FTC scrutiny.
⚠️
Two Dates, One Rule: The 2025 COPPA Rule amendments were published April 22, 2025. Some provisions took effect June 23, 2025 (60 days after publication). Full compliance with all amended requirements — including the new retention policies, separate advertising consent, and expanded disclosures — is required by April 22, 2026. If you are already live and collecting data from children, the June 23 date matters for certain obligations that are already in force.

Studios that build child-directed games as their core product should also evaluate enrollment in one of the seven FTC-approved COPPA safe harbor programs — CARU, kidSAFE, ESRB Privacy Certified, PRIVO, TRUSTe, iKeepSafe, and Aristotle International. Enrollment means your practices are governed by the program's oversight requirements rather than direct FTC enforcement; if your program is approved and you follow its guidelines, the FTC deems you compliant. That is the strongest liability shield available, and for studios planning long-term in the children's market it is worth pricing out.

Not sure if your game is COPPA-compliant?
Promise Legal works with indie studios on privacy compliance and pre-launch legal audits. Get answers before you ship.