Know Your Audience or Pay the Price
Websites, apps, games and connected devices, all considered “online services,” that are directed to or attract children, often assume they know their audience. Think again! What may appear to be clear is not always the case.
In the world of COPPA, child directed services come in two flavors. Child directed primary audience which includes children ages 7-12. Child directed mixed audience which includes preschool audience (young children & parents), properties engaging 7-15-year olds and the general audience online services that accommodate children. Understanding mixed audience status isn’t simple, so get it right for success and avoid a violation from the FTC and/or a State Attorney General.
Child Directed Primary Audience Overview
Where children are the primary audience, we must assume that all users are children initiating the registration process. An age gate is not appropriate. You can collect parent online contact information like the parent email from the child in order to notify the parent and seek consent if needed, which can include offering a proper “parent with me” registration completion process when a child does not know their parent online contact information.
You can talk to parents on a child directed online service but include a clearly directed parent section where you can address the grown-ups. If the online service is for parents and there are COPPA triggers such as interest-based ads or remarketing then don’t make this your entry point for kids. That would make the online service mixed audience and all entry points would have to behave as if they were child directed.
Properties with ecommerce are considered general audience unless you begin to embed them in the child directed site and begin the process of allowing authenticated kids to browse, create wish lists, create a shopping cart and ability to share their wish list with family, all of which is perfectly reasonable within the current rules. If a child is authenticated, then you can't collect credit card info without a parent’s consent. This can be a tricky, but highly rewarding approach to monetization that is parent approved. Kids can be authorized for purchases, but you will want to provide a simplified and streamlined permissioning process for both the child and parent to avoid drop-off.
If you begin to track usage across the brands and the various entry points and you want to serve up recommendations based on clicks and activities, then you trigger COPPA. So an orphaned kid account becomes rather useless for promotional marketing. The goal should be to get the parent through the process for a fully engaged experience with your brands.
NOTE: Parent gates are not allowed on services directed to children ages 7-12.
Child Directed: Mixed Audience Overview
Mixed audience does not mean you can simply age screen users and then offer the younger ones a different experience. If your users are in majority 13 and older then you can use a mixed audience gate, but you need to prove your composite audience. There is no bright line to follow.
Children cannot be blocked from a mixed audience site, app or online service using an age gate. Age gates were introduced by the FTC as a mechanism for services where children are not the primary audience to accommodate them.
If the child enters a date of birth 12 years or under, parent online contact information can be collected from the child to notify the parent and also seek consent if needed to allow the child to engage further. Online services must provide mechanisms that restrict a child from trying to re-register and circumvent parental consent. For example, once a user tells you they are 10 years old, you cannot deny them access and simply tell them to get a parent, hence starting the process over with an adult. It has to continue to recognize the child-initiated status.
Age gates also allow the service to provide a restricted non-COPPA triggering service for younger users until they obtain the proper level of parental consent. If you have as many younger users as older then you need to review your age gate strategy. Role gates maybe a better solution (i.e. grown-up path and a child path).
Pre-school directed apps and sites are considered mixed audience where you can have parents and young children go through a role gate or age gate.
If a registered parent chooses to add/create a child account, then the account must not become active, where passive and active data can be collected from the child, until the parent goes through all the proper notice and consent channels. For example, a parent adds an 8-year old account with no more than a display name and password. Then that child’s actions derive both passive and active data if linked to the parent’s account profile, forcing all data in the combined accounts to be considered personal and protected under COPPA.
NOTE: Apple parent gates are not compliant age gates – beware and seek guidance.
About the Author
Claire Quinn is VP of Compliance for PRIVO. PRIVO is at the heart of developments in this space and will be updating its GDPRkids™ Privacy Assured Program to ensure it remains relevant and mapped to the regulation, the latest guidance and codes. For more information on the program, which demonstrates compliance in relation to children, contact us!