Case Study: Getting to Compliance with CARU and COPPA

May 12, 2022 by TickTalk with Mamie Kresses, Vice President, Children’s Advertising Review Unit, BBB National Programs

In a recent case, the Children’s Advertising Review Unit (CARU) worked with TickTalk to help them achieve compliance with CARU’s Privacy Guidelines and the Children’s Online Privacy Protection Act (COPPA). CARU sat down with TickTalk once the case had closed to discuss their experience as well as some of the privacy challenges many companies face in the children’s space. 

Here Mamie Kresses, Vice President, Children’s Advertising Review Unit, BBB National Programs, talks with TickTalk about their experience. 

 

Q. Tell us a little about TickTalk and your intent in creating the TickTalk 4 Smartwatch phone and app.

A. TickTalk 4 is a children’s smartwatch phone for ages 5-12 that was created to solve a problem parents and guardians of young children face--wanting to stay connected to their children when they are apart, but not necessarily ready to give them a cell phone. By providing all the positive aspects of a smartphone but with no internet, games, or social media, we are guided by the idea that staying connected to a child shouldn’t mean that a parent or guardian has to sacrifice peace of mind. We have a corresponding app with 30+ controls that allow parents and guardians to see their child’s location, approve who their child is contacting, block unknown callers, and more. The purpose of our products is to give families a safe cell phone alternative while giving children the tools to develop lifelong healthy habits.

 

Q. How does your product work in terms of a family set-up?

A. Our products are purchased, set up, and overseen primarily by guardians for their child’s use. Parents or guardians must set up an account for themselves and their child plus agree to our Terms & Conditions on the app before they can allow their child to use our smartwatch. Any contacts who want to message and call their child must also download our app, agree to our Terms & Conditions, and request permission from the parent or guardian to be added as a contact to protect children’s private information.

 

Q. So, you received an inquiry letter from CARU. What were your thoughts?

A. To be honest, we were very surprised to find out we were not in compliance with COPPA or CARU’s Guidelines. We were under the impression we had taken all the necessary steps, and then some, to provide clear notice to parents or guardians, get appropriate consent, and protect children’s data. 

We have strict internal rules and procedures regarding children’s privacy and data protection, but after being contacted by CARU, we realized this was not clearly stated in our policies for customers to easily find and understand. We pride ourselves on being as transparent as possible with our customers, and we understand the need for as much clarity as possible for parents and guardians to make informed decisions about their child’s personal information.

 

Q. Readers may appreciate understanding the process you went through with CARU. Can you describe that a bit?

A. Prior to receiving CARU’s inquiry letter, we were familiar with COPPA but not familiar with CARU. We never advertise directly to children, so when we were contacted by the CARU team, we were a bit confused. CARU informed us that our website came up in their routine monitoring of privacy practices affecting children, and asked for more information on how our products work, the features and functionalities of our smartwatch and app, and who can access children’s personal information through the phone and app. We promptly responded with all the requested information and copies of our policies to CARU to review as family and children’s safety are incredibly important to us.

 

Q. After you received the final decision from CARU, what steps did you take?

A. We immediately connected with their team to discuss the steps we could take to address any and all concerns. We drafted a detailed plan of the steps we would take to come into compliance along with timelines, such as:

  • Becoming familiar with CARU’s Privacy Guidelines and sharing these rules of the road for the collection, use, and disclosure of children’s data with our internal teams. 
  • Partnering with an FTC-approved COPPA Safe Harbor Program to help us become not only COPPA compliant, but also fully COPPA certified.
  • Developing a clear method of obtaining parental consent and providing clear and consistent direct notice to parents and guardians on both the website and the app of the children’s information we collect, how and why we collect it, who can view that information, and more prior to parents or guardians being able to activate their child’s smartwatch or TickTalk collecting any information from children.
  • Adding an age requirement in our TickTalk App sign up process to get parental consent for any child under a certain age who wants to message or call a child’s TickTalk smartwatch from their personal cell phone.
  • Allowing the majority of children’s personal information to be optional for parents or guardians to enter, including name, gender, and birth date, so that they can make the best decision for their family.
  • Expanding and clarifying our Privacy Policy and Terms of Use on both our e-commerce website and Parent App to be completely transparent and consistent about our information collection and data security practices.
  • Placing our policies in multiple and easy-to-find places on our website and app and adding consent mechanisms to our checkout process on our e-commerce website.

 

Q. What advice can you offer other brands and companies that may be able to relate to your situation?

A. This generation of children will be the first to have their entire lives documented online and we--as the protectors of that information--need to take as many precautions as possible to safeguard their personal information. Any website or product dealing with children’s data has a moral and legal obligation to secure that information at the highest level. For companies like us, who thought they were complying and taking all the right steps, we recommend:

  • Be familiar with CARU’s Privacy Guidelines and COPPA’s rules and regulations. Understand how they relate to your product or service. For example, COPPA applies to all commercial online services but your specific responsibilities under COPPA will vary depending on what types of information you may collect, use, and/or disclose from children under 13. You know your product best, how it works, what information about children it collects, uses and/or discloses, so be informed and diligent of the steps and precautions you should be taking. 
  • Confirm you’re getting adequate parental consent to comply with COPPA and CARU’s Privacy Guidelines. Are you giving parents and guardians a form to sign and return? What about using an email with a follow-up email to provide notice and confirm consent? Are you using a parent’s government ID to confirm their identity? There are numerous ways to collect verifiable parental consent, but you should know which method is adequate for your specific data collection practices.
  • Be as transparent as possible. When it comes to your company’s data collection, use, and disclosure practices affecting children, give parents and guardians a clear and complete picture of the information you’re collecting and how that information is used. Provide as much information as possible about what and why you are collecting children’s personal information, who can view the child’s information, how parents or guardians can delete their child’s information from your database, and everything in-between.
  • Partner with an FTC-approved COPPA Safe Harbor Program, like CARU, to ensure your practices and policies are clear, compliant, and up to date as the laws and regulations are constantly evolving.

 

We are grateful to have had the opportunity to work closely with CARU and our FTC-approved Safe Harbor Program to become compliant with COPPA as quickly as possible.
