FTC and DoJ Take Action Against Cognosphere Impact Developer for COPPA Breaches in Data Collection Practices

US Authorities Address Alleged Privacy Failures by Cognosphere Affecting Children’s Online Data

The Federal Trade Commission (FTC) and Department of Justice (DoJ) have issued a proposed consent order targeting Cognosphere, the maker of the popular game Genshin Impact, over allegations of violating the Children’s Online Privacy Protection Act (COPPA).

The proposed settlement, announced on 17 January 2025, includes a $20 million penalty and strict compliance requirements for Cognosphere, pending federal judicial approval.

Genshin Impact Game Developer Will be Banned from Selling Lootboxes to Teens Under 16 without Parental Consent, Pay a $20 Million Fine to Settle FTC Charges

The maker of the video game Genshin Impact has agreed to pay $20 million and to block children under 16 from making in-game purchases without parental consent to settle Federal Trade Commission all

Federal Trade CommissionBrad Albert and Hannah Lamb, Bureau of Competition

Allegations of COPPA Violations

The complaint accuses Cognosphere of knowingly collecting personal data from children under the age of 13 without verifiable parental consent, a direct breach of COPPA regulations.

Personal data, including persistent identifiers used for tracking online behaviour, was allegedly shared with third-party advertisers, further compounding the violations.

COPPA mandates strict guidelines for collecting data from minors, aiming to ensure their online privacy and protect them from exploitative practices. The FTC and DoJ allege that Cognosphere failed to meet these requirements, opting instead for practices that jeopardised children’s privacy.

By sharing children’s data with advertisers, Cognosphere not only breached federal law but also raised ethical concerns about how personal information was being used to target vulnerable users.

Key Requirements of the Proposed Order

Under the proposed consent order, Cognosphere is required to take immediate and far-reaching steps to address its alleged violations. Among the key measures outlined are:

1. Parental Notifications and Consent: Cognosphere must notify parents about its data collection practices, secure verifiable parental consent for any future data collection from minors, and ensure that these practices align with COPPA requirements.
2. Deletion of Unauthorised Data: The company is ordered to delete any personal data previously collected from children without parental consent. This includes data shared with third parties, unless explicit consent is obtained retroactively.
3. Enhanced Privacy Safeguards: Cognosphere must implement robust mechanisms to ensure ongoing compliance with COPPA, including establishing clear privacy policies, conducting regular audits, and appointing a dedicated compliance officer to oversee adherence to the terms of the order.

These measures aim to enforce greater accountability within Cognosphere and protect minors from future data exploitation.

Children’s Online Privacy Protection Rule (“COPPA”)

COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

Federal Trade CommissionBrad Albert and Hannah Lamb, Bureau of Competition

Broader Implications for the Gaming Industry

This case serves as a reminder of the regulatory challenges facing gaming companies operating in a highly competitive market. Genshin Impact, known for its widespread popularity and intricate gameplay, appeals to players across all age groups, including minors.

However, its developer’s alleged failure to comply with privacy regulations underscores the risks that arise when companies prioritise user engagement over legal compliance.

The $20 million penalty reflects the seriousness of these allegations, signalling that federal authorities are stepping up enforcement efforts against companies failing to protect children’s privacy.

Furthermore, the proposed order’s inclusion of detailed compliance requirements demonstrates a commitment to ensuring long-term accountability.