In fact, in 1996, two years before the passage of a federal legislation, CARU modified its Guidelines to include a section (Interactive Electronic Media) governing the privacy and safety of children under age 13 on the Internet. The basic requirements of these sections involve giving parents notice of what their children can do on a particular site (for example give personally identifiable information to the site's operator in order to have a request for homework help answered, or actually be able to share personal information with strangers); an opportunity for the parent to decide whether or not to grant permission, including the option to consent to the collection of their child's personal information without consenting to the disclosure of that information to third parties; and, a meaningful way for the parent to grant consent that ensures that it is the parent that is actually supplying the consent. These three elements were codified into law in 1998, in the federal Children's Online Privacy Protection Act ("COPPA").

The Guidelines were to apply to Websites that are "intentionally targeted to children under 13, or where the Website knows the visitor is a child." Similarly, COPPA, which is modeled on the Interactive Electronic Media sections of the Guidelines, is directed to operators of commercial Websites [or portions thereof] that are targeted to children under 13 or any operator who has "actual knowledge that it is collecting or maintaining personal information from a child…" While the Guidelines have always required neutral age screening to determine whether there is a need for parental consent, COPPA does not. In fact, FTC staff has interpreted COPPA to assume that all visitors on sites "targeted to children under 13" are children under age 13, and therefore, prohibit age screening on such sites.

While these formulations are useful for young children, i.e., those children under age eight and for sites that are either of interest only to young children (or those that are of absolutely no interest to them), they are not effective for the sizeable number of children ages eight through twelve ("tweens") and the many teen sites to which they are attracted. The demographic of tweens is very large and important to advertisers, as noted by the number of conferences on the tween audience. It is well known that children in the "tween" years (i.e., eight to twelve), especially girls, often prefer to see themselves as capable of participating in the activities, and sharing the interests, of teenagers. This is readily seen in the area of "teen" magazines, whose subscribers are made up in large part by tweens. There is no reason to distinguish the behavior of tweens when using the Internet.

Soon after the rule implementing COPPA became effective in April of 2000, CARU discovered that indeed, children under 13 often found their way to sites that were targeted at teens, and hence not covered by the protections of the Guidelines or COPPA. To remedy this situation, CARU revised the Guidelines in December 2001 to include language stating,

"In Websites where there is a reasonable expectation that a significant number of children will be visiting, age screening mechanisms should be employed to determine whether verifiable parental consent or notice and opt-out is necessitated per the Data Collection section of the Guidelines."

The impetus for this change was by no means to broaden CARU's purview by raising the age of the audience to whom our Guidelines applied. Rather it was to address the very real phenomenon of tweens flocking to teen-targeted and certain general audience sites.

While the FTC has not gone as far as CARU by changing the Rule implementing COPPA, FTC staff has stated (in response to the question "I have a website that targets teens. How does COPPA affect my practices?") in Frequently Asked Questions about the Children's Online Privacy Protection Rule, Volume I,

"At a minimum, however, you should identify which visitors are under 13 - for example, simply ask age (or birth year) when you invite visitors to provide personal information or to create their log-in user ID."

Again, mirroring the words of CARU's Guidelines, the FAQs continue,

"Most importantly, ask for age in such a way as not to invite falsification."

In order to give meaning to age screening and secure its effectiveness, CARU has asked Website operators to employ some form of a tracking mechanism to prevent underage users from changing their age to correspond to one 13 or above in order to avoid the need for parental consent. CARU believes that many underage users when told that they needed to be 13 or older to participate, or that they first needed parental permission, would merely press the "back" button, change year of birth to correspond to an age of 13 or older, and immediately talk in unmonitored chat room or post messages or pictures on message boards.

CARU believes that once a child enters an age of less than 13 years, the operator has actual knowledge that a visitor who requires prior parental consent is on the site and that the operator should take reasonable steps to prevent that visitor from hitting the "back" button and changing his age. Use of a tracking mechanism would help prevent this problem. Although many Website operators have agreed to the use of a tracking mechanism, such as a "session" cookie, which tracks the user only for the time s/he is signed on the Internet, or a timed cookie, which can last for any specified amount of time, others have not been willing to do so. CARU therefore believes that it is time, once again, to lead the way by making this recommendation in our Guidelines. Again, though the FTC has not made a formal change in its Rule, it has stated in the FAQ referred to above,

"You can also use a session cookie to prevent children from back clicking to change their age once they realize that parental consent is required to collect their information for the activity.

This is the way our Guidelines have always evolved. Working with the industry we discover solutions and best practices to address particular issues, and raise the best practices to Guidelines requirements. Once again, self-regulation works to both level the playing field and raise the bar for industry practice.