Age Ratings and COPPA: What Studios Building Kids' Games Actually Need to Know
An ESRB E rating doesn't create a COPPA safe harbor — and Epic Games' $275 million penalty proved it. Here's how the FTC actually determines whether your game is 'directed to children,' what the 2025 COPPA amendments changed, and what minimum viable compliance looks like for indie studios.
The COPPA Trigger: When Is Your Game “Directed to Children”?
Before you can build a COPPA-compliant game, you need to understand what triggers COPPA in the first place. Under 16 CFR § 312.2, a game is “directed to children” based on a totality-of-circumstances test — not any single feature. The FTC considers subject matter, visual content, animated characters, child-oriented activities, music, age of models, child celebrity partnerships, language, and advertising appearing in or around the game. Critically, the FTC also weighs “competent and reliable empirical evidence regarding audience composition” — meaning your own analytics can be used against you.
That last factor is what makes this test genuinely dangerous for studios. Epic Games believed Fortnite wasn’t a children’s game. The FTC disagreed. It found COPPA coverage based on cartoony graphics, celebrity partnerships, licensed toy merchandise, and internal evidence that 53% of children ages 10–12 played Fortnite weekly. The result: a $275 million penalty — the largest ever for violating an FTC rule. Epic’s marketing choices, character designs, and audience data collectively triggered COPPA regardless of what the studio intended.
Here’s the myth that trips up most founders: an ESRB E or E10+ rating does not create a COPPA safe harbor. As ESRB’s own guidance states, its rating categories evaluate content appropriateness — violence levels, language, suggestive themes — criteria “entirely separate from whether marketing or design deliberately targets children.” Content suitability and audience targeting are two entirely different legal questions, and the FTC is only asking the second one.
The practical implication: if your game features bright colors, licensed characters, in-app merchandise, or celebrity tie-ins — and your analytics show a meaningful under-13 user base — the FTC may find COPPA coverage even if you never aimed at children. The test is what the totality of evidence shows, not what you intended.
ESRB Ratings: What They Mean Legally (and What They Don’t)
ESRB ratings are a contractual mechanism, not a regulatory one. The system is voluntary under federal law — no statute requires you to get an ESRB rating. But in practice, it’s effectively mandatory: all major console manufacturers (PlayStation, Xbox, Nintendo) and most digital storefronts require ESRB ratings as a condition of listing. Fail to comply and ESRB can impose sanctions up to $1 million. That’s enforcement through contract, not statute — but the outcome is the same.
The five content categories you need to know:
E (Everyone): minimal cartoon or fantasy violence, mild language.
E10+: suitable for ages 10 and up, may include mild cartoon violence, minimal suggestive themes.
T (Teen): suitable for 13+, may include violence, suggestive themes, crude humor.
M (Mature 17+): intense violence, blood, sexual content, strong language.
AO (Adults Only 18+): prolonged intense violence, graphic sexual content, or real-currency gambling.
Note that AO games are effectively distribution-blocked: most retailers and all major consoles refuse to carry them.
Beyond content ratings, ESRB assigns Interactive Elements labels that studios frequently overlook. “In-Game Purchases (Includes Random Items)” — required if your game has loot boxes or mystery-drop mechanics — is a mandatory disclosure on storefronts and packaging. “Users Interact,” “Shares Location,” and “Unrestricted Internet” carry similar requirements. Missing a required label is both an ESRB compliance violation and a signal that can draw FTC scrutiny.
The most important distinction: the ESRB Privacy Certified Kids’ Seal is an entirely separate program from the content rating system. It’s an FTC-approved COPPA safe harbor requiring per-product certification review, verifiable parental consent mechanisms, and an annual membership fee. Studios that conflate the content rating with the privacy seal are operating without COPPA protection they think they have.
PEGI, CERO, and International Age Rating Systems
If you’re launching internationally, age rating compliance gets significantly more complex — and in some jurisdictions, legally binding in ways that carry criminal penalties.
PEGI (Europe): In the UK and several EU member states, PEGI 12, 16, and 18 ratings carry legally binding force. Selling a game to someone below the minimum age is a criminal offense. PEGI 3 and 7 remain advisory in most jurisdictions. The good news for indie studios: most major digital storefronts (PlayStation Store, Nintendo eShop, Microsoft Store, Google Play) use the IARC system, which lets you obtain PEGI and most other international ratings simultaneously through a single questionnaire — at no cost. Physical releases and some platforms still require a separate paid PEGI submission, which runs $300–$400 per platform for games under 450MB, and approximately $1,000 per platform for larger titles. PEGI charges separately per console platform even when content is identical.
Australia: Australia’s Classification Act requires mandatory government classification before sale — there’s no voluntary opt-out. Since September 2024, games containing loot boxes (in-game purchases linked to chance) automatically require a minimum M classification; simulated gambling requires R18+. The maximum corporate penalty for selling restricted content to minors is 250 penalty units. Budget for mandatory classification as a line item before any Australian launch.
Japan (CERO): CERO’s A/B/C/D categories are industry self-regulation. But the Z (18+) rating has statutory backing under prefectural youth development ordinances — retailers are legally prohibited from supplying Z-rated games to anyone under 18. For foreign studios submitting to CERO, the process generally requires a Japanese publisher to sponsor the submission.
The IARC shortcut handles most digital storefronts efficiently. Physical releases, Australia, and Japan require separate planning and budget.
What COPPA Requires from Game Studios
If your game is “directed to children” under the FTC’s test, COPPA imposes a specific set of obligations before you collect a single piece of personal data. Under 16 CFR § 312.5, you must obtain verifiable parental consent before any collection, use, or disclosure of children’s personal information. Approved consent methods include signed consent forms, credit/debit card verification, toll-free phone confirmation, video conference with trained personnel, government ID verification, and knowledge-based authentication using questions children under 12 typically cannot answer.
You must also post a clear, comprehensive privacy policy describing what data you collect, how you use it, and what parents’ rights are. Parents must have the option to consent to data collection without consenting to third-party disclosure — unless that disclosure is integral to the service. The Epic Games enforcement action demonstrated the cost of getting this wrong: the $275 million penalty was grounded in Epic’s “actual knowledge” that children were playing Fortnite combined with years of resisting, deprioritizing, and delaying parental controls and consent mechanisms.
The 2025 COPPA Rule amendments (effective June 23, 2025; compliance deadline April 22, 2026) expand these requirements significantly. Personal information now includes biometric identifiers — voiceprints, facial templates, fingerprints — and government-issued identifiers. Studios must appoint personnel to manage information security programs, conduct annual risk assessments, and publicly disclose written data retention policies.
The amendment most relevant to modern game studios: sharing children’s data with AI vendors or analytics SDKs for model training requires separate, explicit parental consent. The FTC’s commentary is unambiguous — AI training data disclosure is not “integral” to a game service. If your matchmaking, behavior modeling, or personalization runs on third-party ML infrastructure, you need separate consent before any child’s data flows to that vendor.
Platform Age-Gate Policies: Apple, Google, Nintendo, Microsoft, Sony
Each platform has its own children’s data framework layered on top of COPPA. Understanding which rules apply to your distribution channels is as important as understanding the federal baseline.
Apple App Store (Kids Category): Apple’s App Store Review Guidelines § 1.3 prohibit Kids Category apps from sending personally identifiable information or device information to third parties. Behavioral advertising is banned entirely. Third-party analytics may only be used in limited cases where the SDK does not collect the IDFA, date of birth, email address, precise location, or any other identifiable child data. External links and purchasing opportunities must be placed behind a parental gate. Critically: once you place an app in the Kids Category, those requirements persist in all future updates — even if you later deselect the category. You cannot exit compliance by recategorizing.
Google Play (Families Policy): Child-directed apps on Android must use only Google Play Families self-certified ads SDKs. Interest-based advertising and remarketing are prohibited. Apps targeting only children cannot transmit the AAID, SIM Serial, IMEI, MAC address, or any persistent device identifier. Precise location collection is banned for child-only apps. The SDK certification list is maintained in Play Console and changes regularly — studios must reverify at each major release cycle.
Nintendo eShop, PlayStation Store, Microsoft Store, and Epic Games Store: These platforms enforce children’s compliance primarily through ESRB ratings via the IARC system. They do not publish children-specific data policies comparable to Apple and Google, and developer agreements are largely non-public.
Steam: Steam does not participate in IARC and does not require ESRB ratings. There is no platform-level children’s data framework. On Steam, COPPA compliance sits entirely with the studio — no platform infrastructure backstops your obligations.
The Mixed-Audience Problem: Games That Appeal to Kids and Adults
The hardest COPPA scenario isn’t a game clearly built for toddlers — it’s the game that teenagers and adults love but that children play anyway. The FTC’s “mixed-audience” framework offers a path through this, but studios routinely implement it wrong.
FTC guidance permits mixed-audience operators to use a neutral age screen to differentiate under-13 users and apply COPPA only to that identified group. A neutral age screen allows users to freely enter their month and year of birth — no pre-filled dates, no math questions, no hints that encourage falsification, and no re-prompting after a child-indicating entry. If your age gate has any of these features, it doesn’t comply. If a child enters an age under 13, you must then apply full COPPA consent mechanics before collecting any data from that user.
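The neutral age screen described above, as an added example (not taken from FTC guidance or any studio's code). The `AgeGate` class, its method names, the first-answer-is-final lock and the conservative handling of the birth month are assumptions of this example; persisting the outcome across app restarts is left to the caller.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional

COPPA_AGE = 13  # COPPA applies to users under 13


class Route(Enum):
    GENERAL = "general"              # 13 or older: normal experience
    CHILD_PENDING_CONSENT = "child"  # under 13: consent flow comes first


@dataclass
class AgeGate:
    """Gate state for one user. Keeps only the routing outcome, not the birth date."""
    route: Optional[Route] = None    # None means the screen has not been answered

    def submit(self, birth_year: int, birth_month: int, today: date) -> Route:
        # No re-prompting: the first answer is final, so a child-indicating
        # entry cannot be replaced by backing out and typing an older date.
        if self.route is not None:
            return self.route
        # Free entry with no defaults: the caller passes exactly what was typed.
        # Malformed input is rejected without recording an answer.
        if not 1 <= birth_month <= 12 or not 1900 <= birth_year <= today.year:
            raise ValueError("invalid month/year")
        # Only month and year are known. If the birth month is the current
        # month, the birthday may not have passed yet, so this example
        # assumes the younger age (design assumption, not an FTC rule).
        not_yet_birthday = today.month <= birth_month
        age = today.year - birth_year - (1 if not_yet_birthday else 0)
        self.route = (Route.GENERAL if age >= COPPA_AGE
                      else Route.CHILD_PENDING_CONSENT)
        return self.route

    def may_collect_personal_data(self, parental_consent_verified: bool = False) -> bool:
        # Nothing is collected before the gate is answered, and nothing from
        # an under-13 user until verifiable parental consent is on file.
        if self.route is None:
            return False
        if self.route is Route.GENERAL:
            return True
        return parental_consent_verified
```

Every analytics, account or SDK initialization call would check `may_collect_personal_data()` first, so an unanswered or child-routed session sends nothing.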
But here’s what studios miss: an age gate defeats COPPA exposure only until you acquire “actual knowledge” that children are using the service anyway. HoYoverse learned this in January 2025. Genshin Impact’s HoYoLAB community forum contained posts from users self-identifying as under 13. HoYoverse removed the posts and muted those players — but it didn’t seek parental consent for the personal information it had already collected from those users, and it didn’t delete the data. The FTC imposed a $20 million penalty.
Fortnite showed the same pattern through internal documents: customer support tickets, developer Slack messages, and marketing analytics collectively established that Epic knew children were playing. Internal communications documenting child user knowledge are litigation-critical evidence, and the FTC will find them in discovery.
The operational requirement: build a documented response protocol for when “actual knowledge” arrives post-gate. When your community manager, support team, or analytics flag an under-13 user, you need a playbook — obtain consent or delete the data immediately. The failure mode isn’t the gate itself; it’s having no procedure for what happens after the gate fails.
Building a COPPA-Compliant Game: Minimum Viable Compliance Checklist
Start with a decision tree. Your compliance path depends on which category you’re in.
Branch 1 — Fully child-directed game: Apply COPPA from day one. No personal data collection before verifiable parental consent. Post a COPPA-compliant privacy policy with a short-form notice at every data collection point. Implement one of the FTC’s approved consent methods (credit card verification, signed form, video confirmation). Consider the ESRB Privacy Certified Kids’ Seal — it’s an FTC-approved COPPA safe harbor that requires per-product certification and annual membership, but it provides the lowest-friction compliance path and audit protection if the FTC comes knocking.
Branch 2 — Mixed-audience game: Implement a neutral age gate (free date-of-birth entry, no pre-fills, no re-prompts). Maintain separate data infrastructure for your identified under-13 user pool — don’t let child data commingle with general user data. Build and document an “actual knowledge” response protocol: when your team receives evidence that an under-13 user bypassed the gate, the response must be immediate — obtain consent or delete the data, not “remove the post and move on.”
Branch 3 — Not child-directed: Document your factual basis now, before the FTC asks. Preserve evidence of your design decisions, marketing materials, audience data, and the absence of child-targeting factors. Your documentation is your defense.
SDK audit — all branches: The FTC’s position is unambiguous: outsourcing functionality does not outsource liability. Inventory every SDK in your game. Confirm each vendor’s COPPA compliance posture in writing. Disable AAIDs, IDFAs, and persistent device identifiers for under-13 users. Require contractual COPPA flow-down obligations from every vendor. Reverify at each release cycle.
Under the 2025 amendments, compliance with these requirements is mandatory by April 22, 2026. If you’re building a game with any children’s audience risk, that deadline is already approaching.