BBB National Programs Archive

CARU Recommends Roblox Modify Child-Directed Site To Better Protect Children’s Privacy

New York, NY – Feb. 16  2009 – The  Children’s Advertising Review Unit of the  Council of Better Business Bureaus (CARU) has recommended that Roblox modify its Website,, to better protect the privacy of child visitors. The company has done so.

CARU, the children’s advertising industry’s self-regulatory forum, monitors Websites for compliance with CARU’s Self-Regulatory Program for Children’s Advertising, including guidelines on Online Privacy Protection, as well as with the federal Children’s Online Privacy Protection Act (COPPA).

The Website came to the attention of CARU through a consumer complaint.

The Website is an online, virtual world where children can “exercise their creativity in a safe, moderated, online environment.”  Users can create a virtual character, play games and interact with other users through in-game chat, personal messaging, and user forums. Visitors can play some games without registering.

Upon its initial review of the site, CARU determined that ROBLOX did not have a neutral age-screening mechanism in place. Registrants were given the option to identify as “Under 13” or “13 or Older.”

CARU determined that visitors who elected the “13 or Older” option were able to disclose personally identifiable information (PII), including full name, email address, telephone number and street address, to other users of the  site’s chat, personal messaging and forums functions.

CARU found that visitors who clicked on “Under 13,” were asked to create a username and password and were allowed, but not required, to enter a parent’s email address. If a visitor entered a parent’s email address, a notice was sent to the parent.

However, CARU determined that there was no tracking mechanism in place and visitors were able to click the back button and change the age category to “13 or Older” in order to avoid parental notification.

Visitors who identified as “under 13,” but did not enter a parent’s email address at registration were only able to communicate through menu-chat mode (a form of canned chat) in the forums.

However, visitors who attempted to post a comment were provided access to a function that allowed the creation of a “Parent Account,” where privacy settings could be adjusted.  CARU determined that the site had no control in place to stop a visitor under the age of 13 from using his or her own email address to set up the “Parent Account.”

Following its review, CARU was concerned by the absence of neutral age-screening at registration, the absence of a tracking mechanism in conjunction with the neutral age-screening process, adequacy of notice sent to parents regarding disclosure of PII and adequacy of the  method used to ensure that the person providing consent is the parent.

In response to CARU’s inquiry, the site operator removed the leading language and images regarding the age-threshold from the registration process. The operator now asks registrants to submit a date of birth and has put in place a tracking mechanism.

The operator replaced language that may have tempted visitors to adjust the privacy settings. Further, the operator now sends parents who create a Parental Account a notification that explains what information the Website collects, what information their children can disclose and instructions on reviewing or modifying their child’s account. The notification email also contains the operator’s contact information, and a link to the Website’s privacy policy.

The company, in its advertiser’s statement, said that “protecting kids online and providing a COPPA compliant site is a core part of what we do at ROBLOX.  We are pleased to work with CARU and others to achieve these important goals.”