Chuck E. Cheese Web Site Needs Greater Privacy Protections
The Children's Advertising Review Unit (CARU) recently recommended that CEC Entertainment, the operator of Chuck E. Cheese's Web site, take steps to better protect the privacy of children, as it has a reasonable expectation that children under 13 years of age would visit its site.
The matter came to the attention of CARU through its routine monitoring practices. A Chuck E. Cheese television commercial, which aired during children’s programming, encouraged viewers to visit the Web site, http://www.chuckecheese.com/, to play games and win tickets to redeem for prizes at the restaurant. CARU was concerned that visitors to the site could also sign up for an “Email Club” by providing an e-mail address and a year of birth. If a visitor entered a year corresponding to an age below 13, he or she received an error message, but if the visitor closed the message and entered a new birth year over the age of 13, the visitor could complete the registration process in which he or she would provide personally identifiable information, including a name, state, zip code, gender and e-mail address.
CARU expressed concern that the age-screening process was flawed and did not effectively identify children under age 13. Specifically it asked only for a year of birth, as opposed to month and day, and failed to make use of technology that helps prevent underage children from changing their age in order to enter the site.
Although the operator argued that the Web site was intended for parent viewing, CARU found “this intention is not controlling,” and determined that there was a reasonable expectation that a significant number of children younger than age 13 would visit the site based on the subject matter, content of the site and the ads directing children to the site. Specifically, CARU noted that “children were specifically directed by [the operator] to the website via a television commercial, which aired during children’s programming. It used language that invited children to visit the website.” CARU also noted that the homepage contained child-friendly images, that children were invited to play child-friendly games, and that the company also featured a tagline “where a kid can be a kid.”
After deciding that there was a reasonable expectation that a significant number of children would be visiting the site, CARU found the current method of age screening to be insufficient and recommended that the site enhance the screening process by adding the month and day of birth and employing a session cookie so that the visitor could not change the year of birth and continue to sign up for the Email Club after he or she had first entered an under 13 date of birth.
“The guidelines do not envision a second bite of the apple and [the current method in place] cannot rectify a registration process that does not immediately track a user who states he is under 13 years of age,” CARU said.
To read CARU’s press release about the decision, click here.
Update: NJ Settles COPPA SUIT
Only weeks after filing its first suit alleging violations of the Children’s Online Privacy Protection Act, the Office of the New Jersey Attorney General and Division of Consumer Affairs reached a settlement with 24x7, a children’s mobile app developer.
The state had contended that 24x7 violated COPPA by failing to obtain consent before compiling the names and unique device identifiers from underage users and sharing the information with a third-party data analytics company.
The consent decree requires 24x7 to destroy all data previously collected and transmitted to third parties. In addition, the app developer agreed to comply with COPPA going forward and receive parental consent prior to collecting and transmitting children’s data.
“This is a clear victory for children’s privacy in the age of mobile devices and the easy transfer of personal information,” New Jersey Attorney General Jeffrey S. Chiesa said in a press release about the settlement.
To read the consent decree in Chiesa v. 24x7, click here.
Why it matters: Children’s privacy is a hot issue and companies should expect additional developments in the area this year, as the FTC’s long-anticipated update to its online privacy rule for children is due out this fall. In the meantime, the CARU decision serves as an important reminder for companies that have a reasonable expectation a significant number of children will visit a Web site. They should employ neutral age-screening mechanisms used in conjunction with technology (e.g., a session cookie) to determine whether verifiable parental consent or notice and opt out is required. In addition to protecting children’s privacy online, the New Jersey settlement serves as a reminder that regulators are closely watching for possible privacy violations in the mobile sphere as well. In fact, AG Chiesa mentioned that his office was investigating other apps for potential privacy violations.