Even children in restricted Cabined Accounts have their IP address, device IDs, and gaming platform account IDs collected by Epic for operational and analytics purposes, though Epic states these identifiers are technically restricted from being used for other purposes.
This analysis describes what Unreal Engine's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Persistent identifiers collected from children, including IP addresses and device IDs, are sensitive data categories under COPPA and equivalent laws, and the sufficiency of the asserted technical controls determines whether this practice complies with those frameworks.
Interpretive note: Whether the analytics use of children's persistent identifiers qualifies as a permissible internal operations exception under COPPA's 2024 amended rule is a contested legal question that depends on FTC interpretation and enforcement posture.
Parents should be aware that even before granting any consent, their child's IP address, device ID, and gaming platform account ID are collected by Epic when a child creates a Cabined Account, and that these identifiers are used for analytics to improve the Epic Services in addition to strictly operational purposes.
How other platforms handle this
Replit does not knowingly collect personal information from children under 13. Users between the ages of 13 and 18 may use the platform with parental or guardian consent. If we learn we have collected personal information from a child under 13 without verification of parental consent, we will delete...
You are responsible for maintaining the confidentiality of your account and password and for restricting access to your computer, and you agree to accept responsibility for all activities that occur under your account or password. Amazon does sell products for children, but it sells them to adults, ...
YOU MUST BE AND HEREBY AFFIRM THAT YOU ARE AN ADULT OF THE LEGAL AGE OF MAJORITY IN YOUR COUNTRY OR STATE OF RESIDENCE. If you are under the legal age of majority, your parent or legal guardian must consent to this agreement.
Monitoring
Unreal Engine has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"persistent identifiers of the child like IP address, Epic account ID, gaming platform account IDs, device IDs, and similar data collected with website tracking technologies to provide and maintain the Epic Services (including analytics to improve them), authenticate users, protect the security and integrity of users and the Epic Services, comply with legal and regulatory requirements, facilitate personalization, and maintain user driven preferences (e.g., game advancement and avatar choice). We use technical and organizational means designed to ensure that those persistent identifiers of Cabined Accounts are not used for other purposes.— Excerpt from Unreal Engine's Epic Games Privacy Policy
REGULATORY LANDSCAPE: This provision directly implicates COPPA (16 CFR Part 312), including the FTC's 2024 amended rule, which expanded the definition of personal information to include persistent identifiers and tightened restrictions on their use without verifiable parental consent. It also engages GDPR Article 8 and the UK Children's Code (Age Appropriate Design Code) for EEA and UK users. The FTC is the primary federal enforcement authority for COPPA violations. The provision's assertion that analytics use of children's persistent identifiers is permissible under the internal operations exception to COPPA's consent requirement may face scrutiny given the breadth of the stated analytics purpose. GOVERNANCE EXPOSURE: High. The collection and analytics use of children's persistent identifiers prior to parental consent sits in a contested area under COPPA's 2024 amendments. While the internal operations exception may cover some analytics, the policy's language authorizing use for 'analytics to improve' the services is broader than purely operational use, and the FTC has signaled heightened scrutiny of analytics as a basis for pre-consent data collection from children. A gap between the asserted technical ring-fencing and actual data flows would constitute a material violation. JURISDICTION FLAGS: United States (COPPA, FTC enforcement), EU/EEA (GDPR Article 8, national DPA enforcement), United Kingdom (UK Children's Code, ICO enforcement), Brazil (LGPD provisions on children's data), South Korea (PIPA). California's CPRA and the California Age-Appropriate Design Code Act also create heightened obligations for children's data. The UK ICO has historically been active in enforcement actions related to children's data in gaming contexts. CONTRACT AND VENDOR IMPLICATIONS: Epic's disclosure of Cabined Account data to gaming console operators (PlayStation, Xbox, Nintendo) and cloud storage providers requires confirmed COPPA-compliant data processing agreements limiting those parties' use of children's data. Procurement teams should verify that all sub-processors handling children's persistent identifiers are contractually restricted from secondary use and are subject to audit rights. COMPLIANCE CONSIDERATIONS: Compliance teams should (1) verify that the technical controls asserted for Cabined Account identifier isolation are documented, tested, and auditable; (2) confirm that analytics use of children's persistent identifiers falls within COPPA's internal operations exception as interpreted under the 2024 amended rule; (3) review data processing agreements with all third parties receiving Cabined Account data; and (4) assess whether the UK Children's Code's data minimization requirements are satisfied by the current collection scope.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Persistent identifiers collected from children, including IP addresses and device IDs, are sensitive data categories under COPPA and equivalent laws, and the sufficiency of the asserted technical controls determines whether this practice complies with those frameworks.
Parents should be aware that even before granting any consent, their child's IP address, device ID, and gaming platform account ID are collected by Epic when a child creates a Cabined Account, and that these identifiers are used for analytics to improve the Epic Services in addition to strictly operational purposes.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Unreal Engine.