The effective screening of visitors to ensure that personal information is not collected from children under 13 without parental consent has become a matter of increasing concern, especially at general audience sites.

As the self-regulatory arm of the children's advertising industry, the Children's Advertising Review Unit (CARU) of the Council of Better Business Bureaus has responsibility for monitoring Web sites for compliance with COPPAas well as CARU's Self-Regulatory Guidelines for Children's Advertising (the Guidelines). CARU's program was approved by the FTC as the first "safe harbor" under COPPA. Safe harbor programs are industry self-regulatory programs whose participant Web sites, if they comply with its guidelines and procedures, are deemed to be in compliance with COPPA.

In the course of its monitoring, CARU has observed a variety of privacy practices that fall short of what is necessary to protect children's privacy online.

COPPA was enacted to help ensure that when personal information is collected online from children under 13, there is parental notification and consent. Personal information includes such items as an email address, a home address, a phone number, one's name or any other identifier that enables the operator of an online service or Web site to contact a child.2 COPPA's provisions apply to an operator of an online service or Web site that is directed to children, or where an operator has actual knowledge that it is collecting personal information from a child under 13.3

COPPA requires Web sites to conspicuously post comprehensive privacy policies that describe their practices in collecting personal information from children.4 It also mandates that, in most instances, verifiable parental consent must be obtained before such information is collected. In situations such as chat room activity, where kids could potentially disclose personal information to total strangers, an operator must take one of several prescribed extra measures to ensure that it has indeed obtained the consent of a bona fide parent or guardian before allowing a child to participate.5

COPPA also enables parents to have the choice of consenting to the operator's collection of personal information while barring the disclosure of such information to third parties, requires that parents have access to their children's information suffi-cient to review it and/or delete it, and prohibits Web sites from collecting more information than is reasonably necessary for a child to participate in a particular online activity.6

One privacy practice employed by some Web sites in response to COPPA is the prominent display of a warning that children under 13 are prohibited from using the site's services and products. This is typically located on a registration page where personal information is collected and where there is no age-screening question of any kind.

A similar problematic practice on some Web site registration pages is that, although a visitor is asked to submit his or her birth date, right next to the birth-date sign-up is a statement such as the following: "You must be at least 13 years old to register," or "A parent or guardian must send in a signed permission form before a user under 13 can register."

However, in interpreting COPPA, the FTC has expressly stated, "A children's site cannot avoid COPPA's requirements by:

• Disclaimers that 'children under 13 cannot visit' or that 'the FTC does not permit visitors under 13'…
• Asking for age information in a way that invites children to falsify age."

Similarly, CARU's Guidelines expressly state (with respect to sites that are not childdirected but that have a reasonable expectation that a significant number of children will be visiting), "Care should be taken so that screening questions are asked in a neutral manner so as not to encourage children to provide inaccurate information to avoid obtaining parental permission."

Recently, in one of its first enforcement actions under COPPA, the FTC brought a case against an e-mail service operator based, in part, on the operator's use of such inappropriate and inadequate "screening" provisions on its registration page. The sign-up process for this e-mail service, located on a children's-directed Web site, stated, "You must be at least 13 years old or have your parents' permission to join this program."

The problematic practices described above effectively negate what COPPA was designed to accomplish. This can be remedied very easily at general audience sites by simply asking for a visitor's birth date, period. If the visitor indicates he or she is under 13, a parental consent process should kick in or the visitor should be barred from registering altogether, depending on the privacy policy and the intended audience of the individual Web site. At sites that are unquestionably child-directed, the operator should assume that the vast majority of visitors are under 13 and thus must implement an appropriate parental consent process from the outset.

The attempt to identify under-age children, whether to secure the requisite consent or to prevent their access, has led to a different type of problem at some Web sites. While some sites have initially rejected a child due to age restrictions, all a visitor has to do to successfully register just moments later is simply hit the back button and provide a different birth date. To allow an 11- or 12-year-old child to so easily circumvent the system could be construed as having actual knowledge that a child under the age of 13 is visiting one's site and providing personal information without parental consent.

Would anyone suggest that it is OK for a movie theater to bar preteen children from going through the main entrance to see an R-rated movie, but then fail to keep an eye on a side door that enables those same children to gain admission? The failure to institute a tracking mechanism, such as a session cookie, to help prevent kids from successfully re-registering at Web sites raises similar concerns.

Accordingly, CARU has taken the position that age-screening procedures cannot be deemed in compliance with the Guidelines unless some kind of reasonable tracking mechanism has been implemented in circumstances such as those described above. While CARU recognizes this solution is not a panacea, it will help achieve COPPA's goals and at the same time protect the interests of the business community. Our experience with a number of companies, who have agreed to comply with the Guidelines, has been that a tracking mechanism can be put into place at a manageable cost and without any real difficulty.

And while the FTC has not yet taken a formal position here, this issue has raised serious concerns.

Another major issue that has developed since COPPAwent into effect is the question of what constitutes a site or online service that is directed to children. In making such a determination, the FTC has stated it will consider a Web site's "subject matter, visual or audio content, age of models, language or other characteristics of the website or online service, as well as whether advertising promoting or appearing on the website or online service is directed to children. The Commission will also consider competent and reliable empirical evidence regarding audience composition; evidence regarding the intended audience; and whether a site uses animated characters and/or child-oriented activities and incentives." 7

The emergence of the tween market, in particular, has resulted in a number of preteens visiting sites that are not necessarily targeted at children, but where personal information is being collected as part of the registration process for activities such as chat rooms. After a careful evaluation of this situation and consultation with its advisory board, CARU has recently amended its Guidelines to address this reality. The Guidelines now state, "In Websites where there is a reasonable expectation that a significant number of children will be visiting, age-screening mechanisms should be employed to determine whether verifiable parental consent or notice and opt-out is necessitated per the Data Collection section of the Guidelines."

This is a common sense approach that is within the spirit of COPPA; it unquestionably helps protect Web site operators in their efforts to collect personal information in an appropriate manner.

And, in adopting this position, once again CARU has encountered virtually no resistance from the corporations it has dealt with on this matter. Recently, entertainment and sports industry leaders including the Fox Entertainment Group, Paramount Pictures, MGM, Universal Studios, Warner Brothers, Sony Pictures Entertainment, the National Football League, the National Basketball Association, and the National Hockey League have all agreed to implement neutral age-screening mechanisms at their general audience Web sites. These entities and others have readily accepted this as a reasonable solution to issues raised by the possible collection of information from the tween market.
By Elizabeth Lascoutx and Fred Cantor 1 15 U.S.C. 6501, et seq 2 16 C.F.R. §312.2 3 16 C.F.R. §312.3 4 16 C.F.R. §312.4 5 16 C.F.R. §312.5 6 16 C.F.R. §312.5-312.7 7 16 C.F.R. §312.2 Elizabeth Lascoutx is Director of CARU and Fred Cantor is Senior Attorney.