CARU’s basic activities are the review and evaluation of child-directed advertising in all media, and online privacy practices as they affect children. When these are found to be misleading, inaccurate, or inconsistent with CARU’s Self-Regulatory Guidelines, CARU seeks change through the voluntary cooperation of advertisers.

CARU’s Guidelines contain a section that highlights issues, including children’s privacy, that are unique to the Internet and online sites directed at children age 12 and under. The following is an overview of these guidelines:

1. Advertisers must clearly disclose all information collection and tracking practices, all information uses, and the means for correcting or removing the information. These disclosures should be easily accessible before any information is collected.

2. Advertisers should disclose why the information is being requested and whether the information will be shared, sol or distributed outside of the collecting company. This disclosure should be written in language easily understood by a child.

3. Advertisers must obtain prior “verifiable parental consent” when they collect personal information (such as email addresses, screen names, addresses or phone numbers) that will be publicly posted. The definition of “verifiable parental consent” in the Children’s Online Privacy Protection Rule applies.

4. For activities that involve public posting, advertisers should encourage children not to use their full names or screen names that correspond with their email address, but choose an alias (e.g., “Bookworm,” “Skater,” etc.) or use first name, nickname, initials, etc.

5. Advertisers should not require a child to disclose more personal information than is reasonably necessary to participate in the online activity (e.g., play a game, enter a contest, etc.).

6. When an advertiser collects personal information only for its internal use and there is no disclosure of the information, the company must obtain parental consent, and may do so through the use of email, coupled with some additional steps to provide assurance that the person providing the consent is the parent.

7. To respect the privacy of parents, advertisers should not maintain in retrievable form information collected and used for the sole purpose of obtaining verifiable parental consent or providing notice to parents, if consent is not obtained after a reasonable time.

8. If an advertiser communicates with a child by email, there should be an opportunity with each mailing for the child or parent to choose by return email or hyperlink to discontinue receiving mailings.

9. When performing age-screening, advertisers should ask screening questions in a neutral manner so as to discourage inaccurate answers from children trying to avoid parental permission requirements.

10. Since hyperlinks can allow a child to move seamlessly from one site to another, operators of Websites for children or children’s portions of general audience sites should not knowingly link to pages of other sites that do not comply with CARU’s Guidelines.

Resources: www.caru.org

What you should know about COPPA:

1. You must comply with COPPA, if you operate a commercial website or an online service directed to children under 13 that collects personal information from children, or if you operate a general audience website and have actual knowledge that you are collecting personal information from children.

2. COPPA is self regulated. The Federal Trade Commission (FTC) has the authority to issue regulations but they choose to designate safe harbor provision and encourage industry self-regulation.  Currently the FTC has granted safe harbor to four companies; TRUSTe, ESRB, CARU and Privo.

3. Data collection of any of the following apply to COPPA: Full name, Home address, email address, telephone number or any other information that would allow someone to identify or contact the child.
Also included are other types of information such as hobbies, interest and information collected through cookies or other tracking mechanisms (when they are tied to individually identifiable information).

4.  The website operator must post a link to a notice of its information practices on the home page of its website and at each area where it collects perusal information.

5. Direct notice to parents must be given and needs to contain the same information included on the notice on the website. In addition, the parent or guardian must give consent to collect, use and disclose the information.

6. Exceptions to obtaining parental consent cover popular online activities for kids including contests, online newsletters, homework help and electronic postcards.

7. With the exception for popular online activities, it is a violation to require more information then needed to participate in the activity.

8. Most recognized non-profit organizations are exempt from most of the requirements of COPPA.

9. In the event the site changes how the information is collected, used or disclosed, a new, verifiable parental consent must be obtained and, of course, the written policy must be changed on the site.

10.  At anytime a parent may revoke their consent, refuse to allow an operator to further use or collect their child’s personal information, and direct the operator to delete the information.  In turn, the operator may terminate any service being provided to the child.

*COPPA is sometimes confused with COPA, the Child Online Protection Act, which concerns the exposure of children to online pornography and sexually explicit materials.   COPA is not currently active, and remains under injunction, being it has been declared as unconstitutional, violating the First and Fifth Amendment of the United States Constitution.