Self-reg council: App producer failed to implement rigorous consent procedures
Kudos is a mobile application developed to give children “the courage to express themselves, to create, to co-exist, connect and to respect one another.” The app has a familiar look and feel to Facebook and its lesser known brethren and includes common social media features such as profiles, friends, posts/comments, interest groups and image sharing. But like any app aimed at children, Kudos is charged by law and by the advertising industry with maintaining a high standard of privacy and security.
The Children’s Advertising Review Unit (CARU) ran across Kudos in the course of its regular monitoring activities, and found the app wanting in several ways.
Does Your Mother Know?
The Kudos registration process, as described by CARU, begins with a selfie that the child must provide to Kudos before moving forward. Next comes a request for a birthdate, user ID and password. Users who claim to be under 13 are forwarded to a page requesting a parent’s email address; but if a child clicks the “back” button, he or she can increase the age number and avoid the parent email request.
Parents whose children stick to the under-13 designation will receive an email explaining the app and asking parents to click a link to consent to the child’s use of the app.
CARU cast a suspicious eye on these practices, determining that they fell short of its own standards as well as strictures mandated by the Children’s Online Privacy Protection Act (COPPA). COPPA requires operators such as Kudos that collect children’s personal information to obtain verifiable parental consent prior to collecting or disclosing a child’s information.
Parental consent was the tripwire; CARU determined that the app targeted children as its primary audience, and as such, Kudos was required to obtain parental consent from all users, not just those under the age of 13.
Further, CARU took issue with the content of the notice sent to parents to obtain their verifiable parental consent. To comply with COPPA and CARU’s Self-Regulatory Program for Children’s Advertising, an operator must tell parents that it collects the parent’s online contact information, that parental consent is required for the collection of a child’s personal information, and that the company will not collect, use or disclose any of that personal information if the parent does not provide consent. Further, notices must describe the types of personal information it will collect and the opportunities for disclosure of that information if the parent consents. Finally, the notices must indicate that parental contact information will be deleted should parents fail to respond within a prescribed period. CARU found that Kudos’ notices did not comply with these requirements.
CARU also took issue with the method by which parents could provide consent – clicking a link in an email. Kudos claimed that the company did not require consent through a credit card transaction or a government ID because it did not want to exclude children whose parents did not have access to either. CARU was not persuaded, and determined that the method of consent was not sufficient to ensure that an actual parent was providing the required consent, noting that there are several other methods of obtaining consent that do not involve the use of credit cards or IDs.
Kudos agreed to CARU’s recommendations that it join an FTC-approved Safe Harbor program, which would provide certification and ensure that Kudos is compliant with COPPA.
Companies intending to collect personal information from children should tread carefully and ensure compliance with COPPA and other industry guidance. And certainly, companies must make sure that any parental consent is verified as such.