On March 8th, the Children’s Advertising Review Unit (“CARU”), an FTC-approved safe harbor organization that monitors compliance with the Children’s Online Privacy Protection Act (“COPPA”), announced it had found TickTalk, a children’s smart watchmaker and one of CARU’s member organizations, in violation of COPPA and CARU’s privacy guidelines.
COPPA safe harbors, like CARU, publish an approved set of guidelines that guarantee at least the same level of protection guaranteed under COPPA. Safe harbors are responsible for monitoring and assessing member organizations’ compliance and issuing disciplinary action for non-compliance. This action comes on the heels of a January letter from two members of Congress to all of the COPPA safe harbor administrators inquiring about the transparency and adequacy of the disciplinary process. This post has detailed background on that inquiry.
CARU’s routine monitoring of its members’ privacy practices found that TickTalk failed to provide a compliant privacy notice and offer a method of verifiable parental consent prior to collecting personal information from children. CARU found that TickTalk’s privacy policy was not posted in a clear and conspicuous location on the company’s website and notice of the company’s collection practices was not provided to parents prior to purchasing the smart watch product. Further, TickTalk’s privacy policy and terms of service contained inconsistent and confusing statements that made it difficult for parents to understand what information the company was collecting from children and with whom that information was shared. Because information about collection and disclosure of children’s personal information was unclear, parents could not provide meaningful consent to collection and disclosure even if TickTalk had offered a consent method.
As a result of CARU’s determination, TickTalk agreed to implement several corrective actions recommended by CARU. First, TickTalk agreed to implement a privacy policy that adequately explains its collection and disclosure practices with respect to children’s personal information, and post that policy in a prominent location on the company website and applications. Second, the company also agreed to create a means of verifiable parental consent prior to completion of the registration process, in addition to providing information about use of the service prior to registration.
Takeaways:
- Unclear and confusing privacy notices are likely to create compliance issues for your organization. As this action demonstrates, an unclear privacy policy can undermine or invalidate consent to collection.
- Children’s privacy is currently a focal point of privacy enforcement. President Biden called on Congress to ban targeted advertising directed towards children in his State of the Union. With COPPA safe harbors already under Congress’ magnifying glass, expect to see more disciplinary action from these self-regulatory groups moving forward.