BBB National Programs Archive
CARU Reviews ‘Pottermore’ Site, Works with Operator to Address Certain Privacy Practices
CARU is an investigative unit of the advertising industry’s system of self-regulation. It is administered by the Council of Better Business Bureaus. CARU monitors advertising to children in all media. CARU also examines websites and apps for compliance with CARU’s Self-Regulatory Program for Children’s Advertising – which includes guidelines on online privacy protection – as well as with the federal Children’s Online Privacy Protection Act (COPPA).
Pottermore.com, a website that features the characters and stories from the Harry Potter books by J.K. Rowling, came to the attention of CARU through CARU’s routine monitoring.
According to the “About Pottermore” page, the website “is a place to explore more of the magical world of Harry Potter. Users can explore the Harry Potter series, follow the story and compete for the Pottermore House Cup.”
At the time of CARU’s initial review, registered site users could create profiles and post comments and status updates. The site had links to the Pottermore Shop, where the Harry Potter digital audio books were for sale, and to a blog, “The Pottermore Insider,” which occasionally featured social media promotions.
Following its initial review, CARU questioned whether the website complied with its guidelines and COPPA.
Specifically, CARU questioned the following:
- Whether the age-screening mechanism was used in conjunction with technology, e.g., a session cookie, to help prevent underage children from going back and changing their age to circumvent age-screening;
- Whether the Operator obtained proper verifiable parental consent prior to the collection or disclosure of personally identifiable information;
- Whether there were persistent identifiers on the website that could be used to recognize a user over time and across different websites; and
Upon receipt of CARU’s inquiry, the operator agreed to improve the site registration process by removing registrant’s ability to change his or her age and by adding a session cookie to restrict the ability of child users to attempt to circumvent the system.
CARU determined that the website’s “collection” of information did not rise to a level that would require verifiable parental consent. However, the operator informed CARU that because there may be users who attempt to circumvent the screening process, it has disabled the functions that allowed users to post comments, status updates or images.
CARU noted in its decision that it appreciated the operator’s efforts bring the site’s privacy practices into compliance with CARU’s guidelines and COPPA.
In its operator’s statement, Pottermore said that it “welcomed the opportunity to work with CARU. We are pleased that CARU recognized our commitment to online safety and we’re grateful for their input especially during a period when we were already changing our website and instituting new security measures and policies.”