From Arcade-Style Games to AI-Powered Play: Celebrating 25 Years of ESRB Privacy Certified

Written by Stacy Feuer, Sr. Vice President, Privacy Certified
April 20, 2026

Every successful video game franchise or toy brand faces the same challenge: how to keep players and fans engaged as entertainment trends evolve, technology disrupts the status quo, and regulatory pressures and monetization shifts reshape the landscape. The answer is to keep leveling up. Here at ESRB Privacy Certified (EPC), we’ve been advancing our privacy compliance and certification program for a quarter century, powering up our game to meet today’s demands.

Technically, EPC (originally known as Privacy Online) dates back to 1999, not 2001. The program’s real breakout moment, though, came on April 19, 2001, when the Federal Trade Commission (FTC) awarded EPC “Safe Harbor” status under the Children’s Online Privacy Protection Act (COPPA). Following that key moment, EPC shifted into high gear.

We’re marking that milestone later this week with an ESRB-wide party. (Even cake and champagne weren’t enough to bring us into the office on the actual anniversary, which fell on Sunday.) As part of the celebration, we’re unveiling a new 25th anniversary logo (see above), publishing a consumer-facing blog on the main ESRB website, and taking stock of our privacy compliance quest so far. We’ll start with a nostalgic look back to Level 1 (aka 2001) and then advance onwards, highlighting the challenges, changes, and upgrades that have shaped EPC into the program it is today.

Pressing Start on EPC’s Privacy Compliance Program

When the FTC announced ESRB’s Safe Harbor approval on April 19, 2001, the video game industry was almost unrecognizable from today’s perspective. In 2001, a video game was usually something you bought in a box. The dominant platforms were cartridge and disc-based consoles and Microsoft had just entered the console market with the Xbox. (Check out the Entertainment Software Association’s video game history timeline. It starts in 1889!) Online console connectivity was a novelty and mobile gaming barely existed. Today’s continuous online live service models, free-to-play games with microtransactions, and other data-dependent innovations were only beginning to emerge.

COPPA itself was also still new. Enacted by Congress in 1998 and implemented through an FTC Rule that wasn’t issued until April 2000, COPPA was designed to protect the privacy of children under the age of 13 by restricting companies from collecting, using, or disclosing children’s personal information without parental consent. It wasn’t until the first anniversary of the COPPA Rule, in April 2001, that the FTC released its first COPPA enforcement actions.

ESRB’s COPPA Safe Harbor designation was also a first of its kind. While one other organization had obtained FTC approval just months earlier, ESRB was the first industry-specific self-regulatory organization to receive authorization under COPPA’s Safe Harbor provision. That provision automatically deems companies compliant with COPPA if they adhere to an approved program’s guidelines, which must provide protections for children’s personal data equal to or greater than COPPA requires. For companies willing to undergo rigorous, independent third-party oversight, it’s a significant benefit.

The program ESRB launched was ambitious. Although COPPA compliance formed its core, its scope was never limited to it. From the outset, EPC was committed to helping its members navigate a broad range of privacy laws and expectations, providing an industry-tailored framework for strong, responsible, and transparent privacy practices that incorporated “privacy by design” solutions tailored to each member company’s online products and services. To do so, EPC built a compliance program that combined technical product testing, privacy disclosure review, ongoing monitoring, and adjacent services to support compliance.

EPC also structured certification around individual products and services, not entire companies. This choice has proven especially sound now, when a single video game publisher may offer dozens of titles with different data collection practices across a wide range of platforms that now includes consoles, PCs, mobile devices, virtual reality (VR) systems, cloud-based gaming services, and connected devices such as smart TVs and toys.

Expanding EPC’s Scope from Websites to Mobile and More

When the FTC granted EPC Safe Harbor status in 2001, the program focused primarily on reviewing its members’ websites. In the years that followed, increasing broadband penetration, the rise of massive multiplayer online games, and eventually the smartphone revolution transformed video gaming, creating new uses for players’ personal data. The launch of app stores by Apple and Google in 2008 further changed the ecosystem, affecting relationships between video game publishers and developers, app storefronts, advertising networks, analytics and measurement providers, cloud and infrastructure services, payment processors, and players. As a result, video game companies increasingly collected and used not only players’ standard personal information, such as names and email addresses, but also a broader range of identifiers, including IP addresses, device identifiers, advertising IDs, and location data to deliver gameplay as well as to enable product personalization, improve services, and support revenue generation. EPC responded to these developments by expanding its reviews and extending its certification services to mobile app developers.

EPC also began to assess “Internet of Things” (IoT) products, especially toys. The toy industry’s embrace of internet connectivity through products such as app-connected learning tablets and toy cars and trains brought COPPA directly into the physical product space. A toy that connects to an app is not just a toy; it’s also a data collection device. As a result, EPC’s Kids Seal now explicitly covers internet-connected products and IoT devices, a category that did not exist in the program’s earliest years.

Video game business models also shifted during this period, moving from an industry centered on premium disc sales for gaming consoles to a broader market with free-to-play mobile games with in-app purchases and subscription-based models. These monetization models increasingly depended on the collection and use of personal data. The FTC took notice, bringing a series of enforcement actions between 2014 and 2016 against Apple, Google, and Amazon alleging that they unlawfully permitted children to make purchases in mobile apps without parental consent. Although these actions were not solely focused on video games or COPPA, EPC took note of these developments and the growing intersection between COPPA’s verifiable parental consent requirements and parental consent frameworks for in-app purchases.

Entering a New Era of Privacy Regulation and Enforcement

In 2001, apart from COPPA, the United States had no comprehensive consumer-focused privacy regimes. Indeed, before 2018, EPC’s compliance program was centered on COPPA for its Kids Seal, and a mixture of FTC enforcement actions and policies, limited state and international developments, platform requirements, and self-regulatory standards for its broader, general Privacy Certified seal. The European Union’s 2016 General Data Protection Regulation (GDPR), which became enforceable in May 2018, dramatically changed this landscape, including EPC’s privacy program. The GDPR did not just change European law; it jumpstarted a new era of global privacy regulation, influencing how companies around the world design and implement their data privacy programs.

In the United States, California was the first state to continue this trend, enacting the California Consumer Privacy Act (CCPA) in June 2018, with an effective date of January 1, 2020. (California later amended the CCPA in 2020 through the California Privacy Rights Act (CPRA), which is now integrated into the CCPA framework.) The UK added a child-focused overlay to the GDPR framework through its Children’s Code (also known as the Age Appropriate Design Code (AADC)), which came into force in September 2021. The AADC has traveled beyond the UK, influencing COPPA enforcement and state laws in the U.S.

Although the United States still does not have a comprehensive federal privacy law, more than 20 states have followed California by enacting comprehensive privacy statutes. Many others have passed targeted laws focused on online safety and privacy for children and teens. This patchwork of state-specific requirements governing consent standards and interfaces, sensitive data collection and use, and consumer data rights (including opt-outs from behavioral advertising and profiling), and children’s and teens’ privacy and safety, has made privacy compliance operationally demanding and complex. More legislation is on the way, at both the federal and state levels in the United States, covering privacy-adjacent issues such as age verification and assurance, online safety and duty-of-care standards, platform design and default settings, and AI chatbots and other AI systems.

COPPA has changed, too. Although Congress has yet to update the original statute, the FTC has updated the rule twice since 2000, first in 2013 and again in 2025 to keep pace with technological and marketplace changes. The amended COPPA Rule, which went into effect in June 2025 and will reach its enforcement compliance deadline this Wednesday (April 22), made several significant amendments to the rule. Among other changes, it broadened the definition of “personal information,” introduced a mandatory, separate opt-in consent requirement for targeted advertising, imposed stricter data retention limits, required enhanced transparency from businesses and Safe Harbor programs, and strengthened data security requirements. (See our analysis of the Rule’s most important changes on the IAPP’s website.)

Separate from the laws and regulations themselves, enforcement has intensified – and become more expensive – over the past 25 years. Back in April 2001, the first three companies charged with COPPA violations by the FTC paid a combined total of $100,000 in fines. Since then, the FTC has brought dozens of enforcement actions against major companies – including Amazon, Disney, Epic Games, HoYoverse, TikTok, VTech, Weight Watchers, Xbox, and YouTube, several of them video game and toy companies – charging them with COPPA violations. Beyond multi-million dollar fines, FTC settlements with these companies have included a broad range of conduct remedies requiring them to delete improperly collected data, destroy algorithms, and file compliance reports for periods of up to 20 years. In several COPPA cases, the FTC has also imposed broad “fencing-in” relief designed to prohibit future unlawful conduct beyond the immediate COPPA violations.

Outside of COPPA, the FTC has also brought numerous enforcement actions for alleged privacy and data security violations against companies including Facebook, Google, Twitter, Uber, and Zoom, resulting in settlements reaching into the multi-millions and even billions of dollars. State enforcers have stepped up as well, with California and Texas leading on privacy enforcement, including many actions focused on protecting the personal data and online safety of children and teens.

Modernizing EPC for Today and Beyond

Twenty-five years is a long run, especially in the video game and toy industries, where technology, business models, platforms, and the rules of the game keep changing. In many ways, EPC today would be recognizable to anyone who was there at the start – the same commitment to strong, responsible, and transparent privacy practices, the same industry expertise, the same drive to help member companies get compliance right. Companies in the video game and toy industries still turn to us to help them comply with privacy and data security laws and to go beyond what the law requires to build trust with players, parents, and consumers.

But EPC’s game doesn’t look quite the same as it did at launch. Like many modern games (and some older ones), EPC has seen updates and additions. Over the past few years, we’ve taken on new challenges and unlocked new levels, spurred by emerging technologies and a regulatory landscape that has gone from sparse to sprawling. In the last two years, EPC has modernized its certification requirements for both its ESRB Privacy Certified General Seal and its Kids Seal.

In 2025, ESRB updated the General Seal Requirements to reflect federal and state legislative developments, global best practices, and lessons learned from more than two decades of compliance work in the video game and toy sectors. The modernized General Seal requirements retain ESRB’s focus on core data privacy principles such as transparency, data minimization, and accountability, while adding new provisions on sensitive data handling, consumer data rights, and teen-specific protections.

In 2026, EPC completed a corresponding rewrite of its Kids Seal Requirements. The revised Kids Seal requirements (which are currently pending before the FTC for formal authorization) reflect the new requirements of the amended COPPA Rule, incorporating its strengthened requirements on transparency, consent, data retention, and data security. They also contain new provisions based on state privacy laws and other child-focused standards that go beyond COPPA, providing enhanced protection for children’s personal data.

Alongside these comprehensive program requirement rewrites, EPC has expanded its compliance tools and services. We’re taking advantage of new AI-powered technologies to enhance our audit findings and using modern project management and issue-tracking tools to manage our compliance assessments and provide feedback to members. We’ve brought in experts on AdTech and digital marketing to help unpack complex issues. And we’ve begun to explore the data governance and privacy issues around the use of AI in video games and toys.

These innovations have helped EPC keep pace with the complex privacy challenges facing video game and toy companies today. Technologically sophisticated and fast-moving products, global users that include children and teens, and an ever-increasing web of regulatory obligations and oversight make privacy compliance and certification programs like EPC more critical now than ever. EPC still has a lot of evolving to do – but first, we’re going to dig into that cake and champagne to celebrate our 25 years.

For more information about ESRB Privacy Certified membership, program benefits, and our certification services, visit www.esrb.org/privacy/ or contact us at privacy@esrb.org. We’d love to hear from you.