HarperCollins Publishers Ltd., operator of the RubyRedfort.com website, has agreed to modify how it interacts online with children under 13 in response to concerns raised by the Children’s Advertising Review Unit (CARU), a self-regulatory group. CARU routinely monitors websites directed to children for compliance with its Self-Regulatory Guidelines and the Children’s Online Privacy Protection Act (COPPA), and recently found that RubyRedfort.com collected personally identifiable information from children under 13 from the United States without first obtaining verifiable parental consent. The site encouraged visitors to sign up for a chance to win prizes through a process that required a username, email address, first and last name, and full street address. Users then selected one of several check-boxes, which included the following options: “I am over 16.”; “I am under 16 and have permission from my parent or guardian to sign up to the Ruby Redfort website and enter the competition.”; and “I am under 16 but my parent does not know that I am signing up for this.” CARU expressed concern with the site’s method of ascertaining a visitor’s age, noting that simply asking if he or she is under or over a specific age is not adequate. CARU further found that asking a visitor to declare if he or she has permission to provide personally identifiable information was not sufficient consent under its guidelines or COPPA. HarperCollins has agreed to implement a system for obtaining verifiable parental consent that conforms to the guidelines and the COPPA Rule and, in the meantime, will block the collection of personal information from U.S. children under 13. In addition, the site now asks for a visitor’s age in a neutral manner and employs a session cookie to prevent children from going back and changing their age to avoid parental permission requirements.

Tip: Under the COPPA Rule, online sites and services directed at children must obtain permission from a child’s parents before collecting personal information from that child. Companies that have age-screening on their sites as part of a registration process should make sure they ascertain a visitor’s age in a neutral manner, and then obtain verifiable parental consent using one of the acceptable methods outlined in the Rule.