In an example of successful industry self-regulation, the website DorkDiaries.com revised its privacy practices for children’s data, following an inquiry from the Children’s Advertising Review Unit (CARU).
CARU, the children’s arm of the advertising industry’s system of self-regulation, monitors advertising to children in all media. As part of that effort, it examines websites and apps for compliance with CARU’s Self-Regulatory Program for Children’s Advertising—which includes guidelines on online privacy protection—and the federal Children’s Online Privacy Protection Act (COPPA).
CARU’s inquiry focused on the DorkDiaries website’s “fan club” section and e-newsletter. Registration for both the fan club and the e-newsletter required that children enter, among other details, their full names and birthday information, which qualify as “personal information” under COPPA. Registration for the fan club, but not the e-newsletter, also required a parent’s email address. Both the fan club and the e-newsletter registration also required that users check two boxes. The first stated “I confirm that I am over 13 years old” and the second stated “I confirm that I have asked my parent/guardian to read this notice. If you are a parent/guardian of the entrant and you consent to the retention and use of the entrant’s personal details for the purposes of these newsletters, please click this box.”
CARU claimed these features fell short of complying with COPPA and CARU’s guidelines in two respects:
- Neutral Age Screening. The Federal Trade Commission, which enforces COPPA, has published FAQs that set forth best practices for COPPA compliance—one of which is that operators take care to design age screening mechanisms in a manner that does not encourage children to falsify their ages to gain access to the site or service. CARU’s guidelines similarly provide that operators should ask screening questions in a neutral manner so as to discourage inaccurate answers from children trying to avoid parental permission requirements. CARU claimed that the first checkbox was not age neutral.
- The Notice Requirement. COPPA requires operators of websites or online services directed to children that collect, use, or disclose personal information online from children to provide notice of their children’s privacy practices and to obtain verifiable parental consent. CARU indicated that it did not consider the message in the second check box as effectively fulfilling the notice requirement in COPPA and CARU’s guidelines. CARU noted that a child visiting the site could easily check the box without actually notifying a parent. (Had appropriate notice been provided offering the child’s parent an opportunity to opt out, COPPA’s multiple-contact exception would have applied and verifiable parental consent would not have been required.)
The operator of DorkDiaries.com has since updated the site’s age-verification system and parental notification practices to bring them in line with COPPA and CARU requirements and also agreed to participate in CARU’s self-regulatory program.