Privacy Initiatives: Blog
Age Ain’t Nothing but a Number, Unless You Are Collecting It for Age-Screening Purposes
The Federal Trade Commission (FTC) is asking the same thing in its recent review of the regulations for the Children’s Online Privacy Protection Act (COPPA). In its last review in 2013, the FTC added a new category to the definition of “an online service directed to children” that allows operators that do not target children as their primary audience to age-screen and only comply with notice and consent requirements for users under 13. COPPA does not tell operators how to age-screen but does provide guidance in its publication, “Complying with COPPA: Frequently Asked Questions.” In the current review, the FTC asks whether the Rule should be more specific about the appropriate methods for determining the age of users.
The BBB National Programs’ Children’s Advertising Review Unit’s (CARU) guidelines on online privacy were designed to go beyond COPPA. They provide details on how to age-screen using a neutral method that does not let kids easily evade the process. Although CARU’s Guidelines have been around for decades, operators continue to have difficulty understanding these seemingly easy requirements, and this issue remains the most prevalent among CARU’s online privacy case decisions.
CARU believes that age-gates are still effective for preventing younger children from getting access to services not meant for them and should remain in the COPPA Rule, but having an age gate should be the lowest bar for compliance with the law.
Companies should incorporate privacy-by-design and systematic procedures of trust and safety from the ground up. In its recent decision on the social media app SnapChat, CARU recognized the value of the company’s detailed and documented program which include effective in-app reporting tools and a robust compliance team to regularly monitor for underage users on the service.
New state and international laws show that the trend in privacy is to collect the least amount of information necessary to carry out the intended purpose. This has led CARU to reconsider its own recommendations which currently advise that age should be determined by collecting a full date of birth. Once the FTC has completed its review of the COPPA Rule, CARU will revise its own online privacy protection guidelines and continue to set high standards in the industry for best practices when collecting data from children online. CARU, in its capacity as an FTC-approved COPPA Safe Harbor, submitted comments to the FTC’s request for comments to the Rule which you can read here.