Case Study: Getting to Compliance with CARU and COPPA

May 12, 2022 by TickTalk with Mamie Kresses, Vice President, Children’s Advertising Review Unit, BBB National Programs

In a recent case, the Children’s Advertising Review Unit (CARU) worked with TickTalk to help them achieve compliance with CARU’s Privacy Guidelines and the Children’s Online Privacy Protection Act (COPPA). CARU sat down with TickTalk once the case had closed to discuss their experience as well as some of the privacy challenges many companies face in the children’s space. 

Here Mamie Kresses, Vice President, Children’s Advertising Review Unit, BBB National Programs, talks with TickTalk about their experience. 

 

Q. Tell us a little about TickTalk and your intent in creating the TickTalk 4 Smartwatch phone and app.

A. TickTalk 4 is a children’s smartwatch phone for ages 5-12 that was created to solve a problem parents and guardians of young children face--wanting to stay connected to their children when they are apart, but not necessarily ready to give them a cell phone. By providing all the positive aspects of a smartphone but with no internet, games, or social media, we are guided by the idea that staying connected to a child shouldn’t mean that a parent or guardian has to sacrifice peace of mind. We have a corresponding app with 30+ controls that allow parents and guardians to see their child’s location, approve who their child is contacting, block unknown callers, and more. The purpose of our products is to give families a safe cell phone alternative while giving children the tools to develop lifelong healthy habits.

 

Q. How does your product work in terms of a family set-up?

A. Our products are purchased, set up, and overseen primarily by guardians for their child’s use. Parents or guardians must set up an account for themselves and their child plus agree to our Terms & Conditions on the app before they can allow their child to use our smartwatch. Any contacts who want to message and call their child must also download our app, agree to our Terms & Conditions, and request permission from the parent or guardian to be added as a contact to protect children’s private information.

 

Q. So, you received an inquiry letter from CARU. What were your thoughts?

A. To be honest, we were very surprised to find out we were not in compliance with COPPA or CARU’s Guidelines. We were under the impression we had taken all the necessary steps, and then some, to provide clear notice to parents or guardians, get appropriate consent, and protect children’s data. 

We have strict internal rules and procedures regarding children’s privacy and data protection, but after being contacted by CARU, we realized this was not clearly stated in our policies for customers to easily find and understand. We pride ourselves on being as transparent as possible with our customers, and we understand the need for as much clarity as possible for parents and guardians to make informed decisions about their child’s personal information.

 

Q. Readers may appreciate understanding the process you went through with CARU. Can you describe that a bit?

A. Prior to receiving CARU’s inquiry letter, we were familiar with COPPA but not familiar with CARU. We never advertise directly to children, so when we were contacted by the CARU team, we were a bit confused. CARU informed us that our website came up in their routine monitoring of privacy practices affecting children, and asked for more information on how our products work, the features and functionalities of our smartwatch and app, and who can access children’s personal information through the phone and app. We promptly responded with all the requested information and copies of our policies to CARU to review as family and children’s safety are incredibly important to us.

 

Q. After you received the final decision from CARU, what steps did you take?

A. We immediately connected with their team to discuss the steps we could take to address any and all concerns. We drafted a detailed plan of the steps we would take to come into compliance along with timelines, such as:

  • Becoming familiar with CARU’s Privacy Guidelines and sharing these rules of the road for the collection, use, and disclosure of children’s data with our internal teams. 
  • Partnering with an FTC-approved COPPA Safe Harbor Program to help us become not only COPPA compliant, but also fully COPPA certified.
  • Developing a clear method of obtaining parental consent and providing clear and consistent direct notice to parents and guardians on both the website and the app of the children’s information we collect, how and why we collect it, who can view that information, and more prior to parents or guardians being able to activate their child’s smartwatch or TickTalk collecting any information from children.
  • Adding an age requirement in our TickTalk App sign up process to get parental consent for any child under a certain age who wants to message or call a child’s TickTalk smartwatch from their personal cell phone.
  • Allowing the majority of children’s personal information to be optional for parents or guardians to enter, including name, gender, and birth date, so that they can make the best decision for their family.
  • Expanding and clarifying our Privacy Policy and Terms of Use on both our e-commerce website and Parent App to be completely transparent and consistent about our information collection and data security practices.
  • Placing our policies in multiple and easy-to-find places on our website and app and adding consent mechanisms to our checkout process on our e-commerce website.

 

Q. What advice can you offer other brands and companies that may be able to relate to your situation?

A. This generation of children will be the first to have their entire lives documented online and we--as the protectors of that information--need to take as many precautions as possible to safeguard their personal information. Any website or product dealing with children’s data has a moral and legal obligation to secure that information at the highest level. For companies like us, who thought they were complying and taking all the right steps, we recommend:

  • Be familiar with CARU’s Privacy Guidelines and COPPA’s rules and regulations. Understand how they relate to your product or service. For example, COPPA applies to all commercial online services but your specific responsibilities under COPPA will vary depending on what types of information you may collect, use, and/or disclose from children under 13. You know your product best, how it works, what information about children it collects, uses and/or discloses, so be informed and diligent of the steps and precautions you should be taking. 
  • Confirm you’re getting adequate parental consent to comply with COPPA and CARU’s Privacy Guidelines. Are you giving parents and guardians a form to sign and return? What about using an email with a follow-up email to provide notice and confirm consent? Are you using a parent’s government ID to confirm their identity? There are numerous ways to collect verifiable parental consent, but you should know which method is adequate for your specific data collection practices.
  • Be as transparent as possible. When it comes to your company’s data collection, use, and disclosure practices affecting children, give parents and guardians a clear and complete picture of the information you’re collecting and how that information is used. Provide as much information as possible about what and why you are collecting children’s personal information, who can view the child’s information, how parents or guardians can delete their child’s information from your database, and everything in between.
  • Partner with an FTC-approved COPPA Safe Harbor Program, like CARU, to ensure your practices and policies are clear, compliant, and up to date as the laws and regulations are constantly evolving.

 

We are grateful to have had the opportunity to work closely with CARU and our FTC-approved Safe Harbor Program to become compliant with COPPA as quickly as possible.
