BBB National Programs Archive

CARU Reviews ‘Pottermore’ Site, Works with Operator to Address Certain Privacy Practices

New York, NY – Sept. 15, 2015  – Pottermore, Ltd., has revised the site’s privacy policy and added a session cookie to its registration process, following an inquiry from the Children’s Advertising Review Unit.

CARU is an investigative unit of the advertising industry’s system of self-regulation. It is administered by the Council of Better Business Bureaus. CARU monitors advertising to children in all media. CARU also examines websites and apps for compliance with CARU’s Self-Regulatory Program for Children’s Advertising – which includes guidelines on online privacy protection – as well as with the federal Children’s Online Privacy Protection Act (COPPA)., a website that features the characters and stories from the Harry Potter books by J.K. Rowling, came to the attention of CARU through CARU’s routine monitoring.

According to the “About Pottermore” page, the website “is a place to explore more of the magical world of Harry Potter. Users can explore the Harry Potter series, follow the story and compete for the Pottermore House Cup.”

At the time of CARU’s initial review, registered site users could create profiles and post comments and status updates. The site had links to the Pottermore Shop, where the Harry Potter digital audio books were for sale, and to a blog, “The Pottermore Insider,” which occasionally featured social media promotions.

Following its initial review, CARU questioned whether the website complied with its guidelines and COPPA.

Specifically, CARU questioned the following:

  • Whether the age-screening mechanism was used in conjunction with technology, e.g., a session cookie, to help prevent underage children from going back and changing their age to circumvent age-screening;
  • Whether the Operator obtained proper verifiable parental consent prior to the collection or disclosure of personally identifiable information;
  • Whether there were persistent identifiers on the website that could be used to recognize a user over time and across different websites; and
  • Whether the website’s Privacy Policy contained all necessary information as required by COPPA.

 Upon receipt of CARU’s inquiry, the operator agreed to improve the site registration process by removing registrant’s ability to change his or her age and by adding a session cookie to restrict the ability of child users to attempt to circumvent the system.

CARU determined that the website’s “collection” of information did not rise to a level that would require verifiable parental consent. However, the operator informed CARU that because there may be users who attempt to circumvent the screening process, it has disabled the functions that allowed users to post comments, status updates or images.

At the time of CARU’s initial review, the site’s Privacy Policy indicated that Pottermore used online behavioral advertising cookies, a practice that requires verifiable parental consent and complete information or links to information about third parties that collect persistent identifiers.

In response to CARU, the operator stated the Privacy Policy did not accurately reflect the site’s actual practices and noted that the site did not use online behavioral advertising cookies. The site operator has updated its Privacy Policy to accurately reflect its actual practices.

Finally, at the time of CARU’s initial review, Pottermore’s general Privacy Policy did not list an email or valid phone number, as required by COPPA, but only listed a physical address. In addition, the Privacy Policy did not prominently display a separate child’s Privacy Policy as required by COPPA; instead the operator set out its practices in relation to child privacy in a document that was entitled “Child Safety Policy.”

In response to CARU’s review, the operator has now clearly and more fully set out the children’s privacy practices in its renamed Child Privacy & Safety Policy, which includes all required information.  The Child Privacy & Safety Policy is accessible both from a link in the general Privacy Policy as well as from a separate link on the homepage in the footer. The operator also noted that it made both the “Contact Us” link and the “Child Privacy & Safety Policy” link larger, bolder, and in a different color from the other links so they are easier to find.

CARU noted in its decision that it appreciated the operator’s efforts bring the site’s privacy practices into compliance with CARU’s guidelines and COPPA.

In its operator’s statement, Pottermore said that it “welcomed the opportunity to work with CARU.   We are pleased that CARU recognized our commitment to online safety and we’re grateful for their input especially during a period when we were already changing our website and instituting new security measures and policies.”