BBB National Programs Archive

CARU Refers Website Operator Club Penguin Planet To FTC For Further Review

New York, NY – May 4, 2011 – The Children’s Advertising Review Unit (CARU) of the Council of Better Business Bureaus, Inc., has referred Website operator Club Penguin Planet to the Federal Trade Commission (FTC), following the operator’s refusal to participate in a CARU review of its privacy practices.

The Website came to CARU’s attention through CARU’s routine monitoring. CARU monitors Websites for compliance with CARU’s Self-Regulatory Program for Children’s Advertising, including guidelines on Online Privacy Protection, as well as with the federal Children’s Online Privacy Protection Act.

The Website features characters from Club Penguin, along with a series of forums with topics ranging from “General Club Penguin Discussion” to “Game Updates.”   Visitors to the Website can discuss the site, find “cheat codes,” and share information about different Club Penguin characters.  The Website also features a profile page, a way to “invite friends,” and messaging functions.

CARU determined, upon its initial review of the site, that visitors were required to register by entering a username, password, and email address. Once registered,  visitors could use chat and messaging features and freely type and disclose personally identifiable information (PII), such as full name, street address, phone number, etc.  In addition, visitors could enter any PII on a profile page and some of that information would be visible alongside a visitor’s forum post.  Many of these posts included age information, with many of the ages being listed as under 13.

The site did not have a posted privacy policy.

Both COPPA and the Online Privacy Protection section of CARU’s guidelines provide that when a Website collects PII from children under 13 or allows its disclosure, the operator must obtain verifiable parental consent prior to the collection or disclosure.  In this case, the operator collected children’s email addresses at registration, without obtaining verifiable parental consent.  In addition, the activities available on the Website included freely sharing and disclosing personally identifiable information on the member’s own profile pages and on the site’s many forums.

Further, both the guidelines and COPPA require that operators post a privacy policy wherever personally identifiable information is requested or can be disclosed.  

Following its review, CARU determined that the Website operator should implement a neutral age screening process, obtain verifiable parental consent before allowing a child under the age of 13 to register for the Website and post a valid privacy policy everywhere that PII is collected or can be disclosed.

The operator did not provide a substantive written response to CARU’s inquiry. Pursuant to CARU’s policies and procedures, the matter has been referred to the FTC for further review.