Pokemon Go, the augmented reality game that is the most popular mobile game in US history, initially asked users to sign a Gastly privacy policy. The game requested full access to a user’s Google account, allowing it to read and write emails on behalf of users as well as access Google Drive. By nature of the walking gameplay, the game could and still does collect GPS data on users.
The privacy policy has been updated to reduce the scope of data collection, but a large portion of the game’s user base is still under 18—students. According to education privacy lawyer and Fagen, Friedman and Fulfrost (F3) partner Gretchen Shipley, administrators are worried that students will access the game in a way that will leave them and their schools vulnerable: with their district-issued Gmail addresses.
Administrators, educators and policymakers are concerned that the game is taking more from students than it’s giving. Senator Al Franken, D-Minn, patron saint of data privacy, pressed Pokemon Go developer Niantic on why it needed so much information about its users. Common Sense Media penned a letter indicting the game because “the desire to score a big and lucrative hit outweighed considerations of the privacy, security and physical safety of users, in particular the many users who are children.” Players have incurred serious injuries from playing the game, most notably the two Californians who walked off a cliff and the young players who were shot at.
Shipley said that Pokemon Go has largely alleviated concerns with the updated policy, but cybersecurity experts say that the game is still vulnerable to hacking, and hackers themselves have issued threats against Niantic and users.
Districts are concerned over the safety of their students’ data, especially districts that allow students to bring their own devices to school because privacy protections aren’t uniform across the wide range of available products. Districts that issue their own devices are not completely safe, either. Students who bring their devices home may be playing Pokemon Go on insecure networks.
Schools are liable for protecting students’ data. The Children’s Online Privacy Protection Act (COPPA) prohibits the collection of data on children under 13 and restricts the data collected on minors. Legal challenges to the collection of geolocation data are not common under COPPA, according to Shipley, despite the act’s far-reaching jurisdiction. She’s not sure if Pokemon Go’s collection of GPS data will clash with the prohibition of collecting under-13 data, but she does think schools should understand how to shield themselves by writing more expansive privacy policies. Schools are not in great legal danger, according to her, but a lawsuit, even a flimsy one, isn’t great for public relations.
“Because the law hasn’t caught up with the technology, there isn’t a lot of legal ground for a case against the updated privacy policy,” Shipley said. “Just because someone doesn’t have a strong claim, though, doesn’t mean they’ll be quiet.”
So far, Shipley said, no school has updated its privacy policy with a specific Pokemon Go clause, but her office has fielded hundreds of questions about what the game will mean for the upcoming school year. Most of them concern potential disruptions.
“Is recess going to turn into mobs of kids running around looking for Pokemon?” Shipley asked. “Each school will address the craze differently. Some administrators have mentioned finding Pokemon at their schools, which notified us that they’re playing the game, too.”
Despite the furor, the debate over Pokemon Go’s collection of data isn’t new.
“It’s a push and pull: the more you want to provide individualized learning, the more you have to use individualized data,” Shipley said. “It’s true of so many technologies.”
Correction: An earlier version of this story stated that COPPA did not prohibit the collection of geolocation data.