Even children in restricted Cabined Accounts have their IP address, device IDs, and gaming platform account IDs collected by Epic for operational and analytics purposes, though Epic states these identifiers are technically restricted from being used for other purposes.
This analysis describes what Unreal Engine's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Persistent identifiers collected from children, including IP addresses and device IDs, are sensitive data categories under COPPA and equivalent laws, and the sufficiency of the asserted technical controls determines whether this practice complies with those frameworks.
Interpretive note: Whether the analytics use of children's persistent identifiers qualifies as a permissible internal operations exception under COPPA's 2024 amended rule is a contested legal question that depends on FTC interpretation and enforcement posture.
Parents should be aware that even before granting any consent, their child's IP address, device ID, and gaming platform account ID are collected by Epic when a child creates a Cabined Account, and that these identifiers are used for analytics to improve the Epic Services in addition to strictly operational purposes.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
If you do not have a social security number you may still be eligible to open a limited Revolut personal account. Depending on your immigration status, we may ask you to provide us with a copy of your supported U.S. visa and may limit your access to certain products and features.
Monitoring
Unreal Engine has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"persistent identifiers of the child like IP address, Epic account ID, gaming platform account IDs, device IDs, and similar data collected with website tracking technologies to provide and maintain the Epic Services (including analytics to improve them), authenticate users, protect the security and integrity of users and the Epic Services, comply with legal and regulatory requirements, facilitate personalization, and maintain user driven preferences (e.g., game advancement and avatar choice). We use technical and organizational means designed to ensure that those persistent identifiers of Cabined Accounts are not used for other purposes.— Excerpt from Unreal Engine's Epic Games Privacy Policy
REGULATORY LANDSCAPE: This provision directly implicates COPPA (16 CFR Part 312), including the FTC's 2024 amended rule, which expanded the definition of personal information to include persistent identifiers and tightened restrictions on their use without verifiable parental consent. It also engages GDPR Article 8 and the UK Children's Code (Age Appropriate Design Code) for EEA and UK users. The FTC is the primary federal enforcement authority for COPPA violations. The provision's assertion that analytics use of children's persistent identifiers is permissible under the internal operations exception to COPPA's consent requirement may face scrutiny given the breadth of the stated analytics purpose. GOVERNANCE EXPOSURE: High. The collection and analytics use of children's persistent identifiers prior to parental consent sits in a contested area under COPPA's 2024 amendments. While the internal operations exception may cover some analytics, the policy's language authorizing use for 'analytics to improve' the services is broader than purely operational use, and the FTC has signaled heightened scrutiny of analytics as a basis for pre-consent data collection from children. A gap between the asserted technical ring-fencing and actual data flows would constitute a material violation. JURISDICTION FLAGS: United States (COPPA, FTC enforcement), EU/EEA (GDPR Article 8, national DPA enforcement), United Kingdom (UK Children's Code, ICO enforcement), Brazil (LGPD provisions on children's data), South Korea (PIPA). California's CPRA and the California Age-Appropriate Design Code Act also create heightened obligations for children's data. The UK ICO has historically been active in enforcement actions related to children's data in gaming contexts. CONTRACT AND VENDOR IMPLICATIONS: Epic's disclosure of Cabined Account data to gaming console operators (PlayStation, Xbox, Nintendo) and cloud storage providers requires confirmed COPPA-compliant data processing agreements limiting those parties' use of children's data. Procurement teams should verify that all sub-processors handling children's persistent identifiers are contractually restricted from secondary use and are subject to audit rights. COMPLIANCE CONSIDERATIONS: Compliance teams should (1) verify that the technical controls asserted for Cabined Account identifier isolation are documented, tested, and auditable; (2) confirm that analytics use of children's persistent identifiers falls within COPPA's internal operations exception as interpreted under the 2024 amended rule; (3) review data processing agreements with all third parties receiving Cabined Account data; and (4) assess whether the UK Children's Code's data minimization requirements are satisfied by the current collection scope.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Persistent identifiers collected from children, including IP addresses and device IDs, are sensitive data categories under COPPA and equivalent laws, and the sufficiency of the asserted technical controls determines whether this practice complies with those frameworks.
Parents should be aware that even before granting any consent, their child's IP address, device ID, and gaming platform account ID are collected by Epic when a child creates a Cabined Account, and that these identifiers are used for analytics to improve the Epic Services in addition to strictly operational purposes.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Unreal Engine.