Case Study: Getting to Compliance with CARU and COPPA

May 12, 2022 by TickTalk with Mamie Kresses, Vice President, Children’s Advertising Review Unit, BBB National Programs

In a recent case, the Children’s Advertising Review Unit (CARU) worked with TickTalk to help them achieve compliance with CARU’s Privacy Guidelines and the Children’s Online Privacy Protection Act (COPPA). CARU sat down with TickTalk once the case had closed to discuss their experience as well as some of the privacy challenges many companies face in the children’s space. 

Here Mamie Kresses, Vice President, Children’s Advertising Review Unit, BBB National Programs, talks with TickTalk about their experience. 

 

Q. Tell us a little about TickTalk and your intent in creating the TickTalk 4 Smartwatch phone and app.

A. TickTalk 4 is a children’s smartwatch phone for ages 5-12 that was created to solve a problem parents and guardians of young children face--wanting to stay connected to their children when they are apart, but not necessarily ready to give them a cell phone. By providing all the positive aspects of a smartphone but with no internet, games, or social media, we are guided by the idea that staying connected to a child shouldn’t mean that a parent or guardian has to sacrifice peace of mind. We have a corresponding app with 30+ controls that allow parents and guardians to see their child’s location, approve who their child is contacting, block unknown callers, and more. The purpose of our products is to give families a safe cell phone alternative while giving children the tools to develop lifelong healthy habits.

 

Q. How does your product work in terms of a family set-up?

A. Our products are purchased, set up, and overseen primarily by guardians for their child’s use. Parents or guardians must set up an account for themselves and their child plus agree to our Terms & Conditions on the app before they can allow their child to use our smartwatch. Any contacts who want to message and call their child must also download our app, agree to our Terms & Conditions, and request permission from the parent or guardian to be added as a contact to protect children’s private information.

 

Q. So, you received an inquiry letter from CARU. What were your thoughts?

A. To be honest, we were very surprised to find out we were not in compliance with COPPA or CARU’s Guidelines. We were under the impression we had taken all the necessary steps, and then some, to provide clear notice to parents or guardians, get appropriate consent, and protect children’s data. 

We have strict internal rules and procedures regarding children’s privacy and data protection, but after being contacted by CARU, we realized this was not clearly stated in our policies for customers to easily find and understand. We pride ourselves on being as transparent as possible with our customers, and we understand the need for as much clarity as possible for parents and guardians to make informed decisions about their child’s personal information.

 

Q. Readers may appreciate understanding the process you went through with CARU. Can you describe that a bit?

A. Prior to receiving CARU’s inquiry letter, we were familiar with COPPA but not familiar with CARU. We never advertise directly to children, so when we were contacted by the CARU team, we were a bit confused. CARU informed us that our website came up in their routine monitoring of privacy practices affecting children, and asked for more information on how our products work, the features and functionalities of our smartwatch and app, and who can access children’s personal information through the phone and app. We promptly responded with all the requested information and copies of our policies to CARU to review as family and children’s safety are incredibly important to us.

 

Q. After you received the final decision from CARU, what steps did you take?

A. We immediately connected with their team to discuss the steps we could take to address any and all concerns. We drafted a detailed plan of the steps we would take to come into compliance along with timelines, such as:

  • Becoming familiar with CARU’s Privacy Guidelines and sharing these rules of the road for the collection, use, and disclosure of children’s data with our internal teams. 
  • Partnering with an FTC-approved COPPA Safe Harbor Program to help us become not only COPPA compliant, but also fully COPPA certified.
  • Developing a clear method of obtaining parental consent and providing clear and consistent direct notice to parents and guardians on both the website and the app of the children’s information we collect, how and why we collect it, who can view that information, and more prior to parents or guardians being able to activate their child’s smartwatch or TickTalk collecting any information from children.
  • Adding an age requirement in our TickTalk App sign up process to get parental consent for any child under a certain age who wants to message or call a child’s TickTalk smartwatch from their personal cell phone.
  • Allowing the majority of children’s personal information to be optional for parents or guardians to enter, including name, gender, and birth date, so that they can make the best decision for their family.
  • Expanding and clarifying our Privacy Policy and Terms of Use on both our e-commerce website and Parent App to be completely transparent and consistent about our information collection and data security practices.
  • Placing our policies in multiple and easy-to-find places on our website and app and adding consent mechanisms to our checkout process on our e-commerce website.

 

Q. What advice can you offer other brands and companies that may be able to relate to your situation?

A. This generation of children will be the first to have their entire lives documented online and we--as the protectors of that information--need to take as many precautions as possible to safeguard their personal information. Any website or product dealing with children’s data has a moral and legal obligation to secure that information at the highest level. For companies like us, who thought they were complying and taking all the right steps, we recommend:

  • Be familiar with CARU’s Privacy Guidelines and COPPA’s rules and regulations. Understand how they relate to your product or service. For example, COPPA applies to all commercial online services but your specific responsibilities under COPPA will vary depending on what types of information you may collect, use, and/or disclose from children under 13. You know your product best, how it works, what information about children it collects, uses and/or discloses, so be informed and diligent of the steps and precautions you should be taking. 
  • Confirm you’re getting adequate parental consent to comply with COPPA and CARU’s Privacy Guidelines. Are you giving parents and guardians a form to sign and return? What about using an email with a follow-up email to provide notice and confirm consent? Are you using a parent’s government ID to confirm their identity? There are numerous ways to collect verifiable parental consent, but you should know which method is adequate for your specific data collection practices.
  • Be as transparent as possible. When it comes to your company’s data collection, use, and disclosure practices affecting children, give parents and guardians a clear and complete picture of the information you’re collecting and how that information is used. Provide as much information as possible about what and why you are collecting children’s personal information, who can view the child’s information, how parents or guardians can delete their child’s information from your database, and everything in-between.
  • Partner with an FTC-approved COPPA Safe Harbor Program, like CARU, to ensure your practices and policies are clear, compliant, and up to date as the laws and regulations are constantly evolving.

 

We are grateful to have had the opportunity to work closely with CARU and our FTC-approved Safe Harbor Program to become compliant with COPPA as quickly as possible.
