Age Ain’t Nothing but a Number, Unless You Are Collecting It for Age-Screening Purposes

Jan 14, 2020, 09:45 AM by BBB National Programs

Many of today’s tech-savvy children know that you must be at least 13 years old to use certain websites or mobile apps. This begs the question, is there a point to online age screening at all? 

The Federal Trade Commission (FTC) is asking the same thing in its recent review of the regulations for the Children’s Online Privacy Protection Act (COPPA). In its last review in 2013, the FTC added a new category to the definition of “an online service directed to children” that allows operators that do not target children as their primary audience to age-screen and only comply with notice and consent requirements for users under 13. COPPA does not tell operators how to age-screen but does provide guidance in its publication, “Complying with COPPA: Frequently Asked Questions.” In the current review, the FTC asks whether the Rule should be more specific about the appropriate methods for determining the age of users.

The BBB National Programs’ Children’s Advertising Review Unit’s (CARU) guidelines on online privacy were designed to go beyond COPPA. They provide details on how to age-screen using a neutral method that does not let kids easily evade the process. Although CARU’s Guidelines have been around for decades, operators continue to have difficulty understanding these seemingly easy requirements, and this issue remains the most prevalent among CARU’s online privacy case decisions.

CARU believes that age-gates are still effective for preventing younger children from getting access to services not meant for them and should remain in the COPPA Rule, but having an age gate should be the lowest bar for compliance with the law.

Companies should incorporate privacy-by-design and systematic procedures of trust and safety from the ground up. In its recent decision on the social media app SnapChat, CARU recognized the value of the company’s detailed and documented program which include effective in-app reporting tools and a robust compliance team to regularly monitor for underage users on the service.

New state and international laws show that the trend in privacy is to collect the least amount of information necessary to carry out the intended purpose. This has led CARU to reconsider its own recommendations which currently advise that age should be determined by collecting a full date of birth. Once the FTC has completed its review of the COPPA Rule, CARU will revise its own online privacy protection guidelines and continue to set high standards in the industry for best practices when collecting data from children online. CARU, in its capacity as an FTC-approved COPPA Safe Harbor, submitted comments to the FTC’s request for comments to the Rule which you can read here

 
The Children’s Advertising Review Unit (CARU), an investigative unit of the advertising industry’s system of self-regulation, has two missions: (1) to protect children from deceptive or inappropriate advertising in all media, and; (2) to ensure that, in an online environment, children’s data is collected and handled in a responsible manner. CARU is the first FTC-approved Safe Harbor Program and helps all companies protect the privacy of children online and meet the requirements of the Children's Online Privacy Protection Act (COPPA).

Other Blog Articles

Blog

Defining 'Child-Directed' and Addressing New Technology: Discussing COPPA Updates at CARU 2020

On September 22, the 2020 CARU Conference kicked off the Fall Series with a keynote from the Federal Trade Commission’s (FTC)'s Peder Magee, and Phyllis Marcus, a Partner at Huton Andrews Kurth and one of the original authors of the Children's Online Privacy Protection Act (COPPA).
Read more
Blog

What Parents Need to Know About Mobile App and Device Permissions

If there is one thing most parents know, it’s that Kids. Love. Apps. But how do you determine what apps are "safe" for your child to download? If you want to evaluate an app to determine how safe your child’s data will be if they use it, let's start by understanding the permissions the app asks for.
Read more
Blog

Schrems II: What Do Privacy Shield Businesses Need to Know?

The July 16 decision from the CJEU, known as Schrems II, addressed two mechanisms for transferring EU individuals’ personal data outside the EU. As the situation continues to develop, and before making changes to their practices around international data transfers, businesses should pause to review their data flows, contracts, and substantive commitments, and their current chain of compliance and accountability for data received from the EU.
Read more
Blog

CARU’s Summer Series Wrap-Up: The Need-to-Know Takeaways from our Expert Speakers

Now at the halfway point of the CARU Conference 2020, it seems like a good time to reflect on the four sessions of the Summer Series that are under our belt and the key takeaways from our expert speakers.
Read more