By now, operators of online games for children should be aware of the restrictions imposed by the Children’s Online Privacy Protection Act (COPPA), with regard to parental permission and data collection. These restrictions were recently highlighted by the self regulatory group, the Children’s Advertising Review Unit (“CARU”), which expressed concern over GirlsGoGames.com, a site operated by SPIL Games, BV. CARU monitors websites directed to children for compliance with COPPA its Self Regulatory Guidelines and the Children’s Online Privacy Protection Act.
The site allows members to create profiles and avatars, play and rate games, make friends, and view other member profiles. During the registration process, the site asked users for their age, and requested an e-mail address for parental verification purposes for those would-be users under the age of 13. All well and good, but the site did not take into account the common practice of “aging up.” Much like it sounds, aging up involves a child falsifying her age if a site blocks registration without parental consent.
If a user under age 13 correctly gave her age while registering and was required to obtain parental consent, they were able to avoid this restriction by changing their age to 13 or older. CARU expressed concern not only with this loophole, but with the fact that the site failed to inform users that children would be able to disclose personal information with other players in the game comments area and in personal profiles, and also allowed users to hyperlink to social media site that were not intended for children under 13.
SPIL Games agreed to modify its website and registration practice to: (1) install a session cookie in its age-screening process to prevent children under 13 from going back and changing their ages; (2) for under-13 members, disable the ability to post user-generated content and change the user names to pre-defined, white-listed, or randomly generated names; (3) not accept any new registrations from under-13 children in the future; and (4) remove the feature allowing member login through social media platforms and remove links to Twitter.
As a self-regulatory body, CARU does not have any enforcement authority. However, children’s website operators should take note that CARU often refers companies that fail to adhere to its guidelines to the FTC, which gives priority to matters referred to it by CARU.
The message is certainly clear: The government is serious about COPPA, and children’s website operators should take special care to employ methods to prevent kids from “aging up,” or otherwise circumventing registration and usage restrictions.