Responsible Interactive Advertising And Children: Understanding And Complying With COPPA And The CARU Guidlelines

Monday, January 1, 2007 - 01:00

Children in this digital age receive more commercial impressions than ever before. Many companies whose products are directed towards a general audience may find that, by default, they are "youth marketers," since their product or their marketing message not only reaches children, but is appealing to them as well. As a result, these companies will find themselves subject to the scrutiny of federal and state regulators, as well as industry self-regulatory groups, consumers, and consumers' advocacy groups. Indeed, there has been recent activity in the last few months that suggests that now, more than ever before, companies whose products are appealing to children should be well versed in the Children's Online Privacy Protection Act1(and the FTC's Final Rule implementing that Act2 ) and the Children's Advertising Review Unit Guidelines.


The Children's Online Privacy Protection Act is not new, although general audience companies were recently reminded of it when the FTC recently settled with for $1 million, the largest COPPA settlement to-date. COPPA regulates the online collection of personally identifiable information obtained from children under 13. To adhere to COPPA, companies that host web sites for children under 13, or sites that may be appealing to children under 13, must follow five basic requirements: (1) notify parents prior to collecting information from their children; (2) obtain parental consent prior to collecting personal information from children; (3) maintain control of the child's information; (4) not condition the child's participation on the submission of excessive information; and (5) maintain the security of personal information submitted by the child.

Over the years since COPPA was passed, the FTC has brought actions against companies for a variety of violations of the Act. The cases have stemmed primarily from the companies' failure to obtain verifiable prior parental consent, either through a misunderstanding of what constitutes consent, a misperception that the Act did not apply, or a simple lack of awareness of the law. For example, in a case brought by the FTC against Ohio Art in 2002, the FTC entered into a settlement with the entity, which owns Etch-a-Sketch brand and operates a web site promoting the product. Ohio Art allowed children to register for an online birthday club, and as part of registration, required children to give personal information. Although the company told children to "ask your parent's permission first," it failed to take steps to ensure that verifiable parental consent came directly from the parent. The FTC's suit alleged that telling children to "go ask your parents permission" did not constitute verifiable parental consent. Similarly, in 2003 the FTC settled with Hershey Food, which had directed children on its web site to "go get your parent" to fill out the online registration form.

Most recently, the FTC has looked not at sites directed to children, but instead to sites appealing to children. For example, in 2004 the FTC found fault with the music distributor UMG's general audience web sites, which the FTC found were clearly popular with children. At those sites, visitors were able to register - including children who affirmatively indicated that they were under the age of 13. Although some sites sent notices to parents, these notices were inadequate as they were sent after personally identifiable information had been collected from children. The FTC collected $400,000 in fines from UMG. The FTC settled another case at the same time with Bonzi. In that case, the FTC had alleged that Bonzi's BonziBUDDY software was appealing to children, yet when downloading the free software, the online registration form requested both personally identifiable information and the visitor's age. Even if a visitor indicated that he or she was under 13, Bonzi nevertheless collected personal information and sent the software, without first obtaining parental consent. Bonzi paid $75,000 in civil penalties.

Following these cases, in 2006 the FTC indicated to Congress that it was taking steps to ensure a safe online experience for children at social networking web sites. Shortly after the report, the FTC announced a settlement with, a social networking site directed towards adults but also appealing to children, for alleged COPPA violations. As part of the settlement, agreed to pay a $1 million civil penalty, the largest COPPA penalty to date. According to the FTC, had actual knowledge that children under 13 were registering at its web site. In particular, although asked birth date during the registration process, it did not block children under 13 or obtain prior verifiable parental consent as required by COPPA.

The settlement followed the FTC's decision in the spring of 2006 to retain its Final Rule without modification. In doing so, the FTC retained the sliding-scale approach to obtaining verifiable parental consent. Under the sliding scale approach, companies that collect children's information solely for internal purposes - i.e., they do not share the information with third parties, nor do they give children a forum to share their information - may obtain parental consent by e-mail, as long as the companies follow up, for example, through a delayed follow up e-mail, phone call, or snail mail (frequently referred to as the "email-plus consent" mechanism). Companies that share, or allow children to share, personal information must obtain verifiable parental consent through a more secure mechanism, such as through a signed and faxed consent, over the phone, or by provision of a credit card number. Originally, the Rule had contemplated a phase out of the "email-plus" consent.

Many companies have found interpreting and following COPPA to be difficult. The drafters of the Rule anticipated this, and created in the Rule a "safe harbor." Under safe harbor, companies that adhered to FTC-approved third-party programs are presumed to be in compliance with COPPA. Some of the entities whose programs have qualified under the COPPA safe harbor provision include CARU, ESRB, and TRUSTe.

CARU Guidelines

The Children's Advertising Review Unit is a self-regulatory body funded by companies that advertise to children, or whose products are appealing to children. As part of its self-regulatory mission, CARU publishes the CARU Self-Regulatory Guidelines, which were revised in November 2006. The Guidelines touch on all aspects of marketing and advertising to children, including interactive and online marketing campaigns, and contain within it guidelines on Interactive Electronic Media. It is this section that most clearly mirrors COPPA, although it contains more details than the Act. This is understandable, however. Because the Guidelines are a self-regulatory approach, they are easier to change than federal or state laws, and can more easily be adapted to address new and emerging technologies.

As revised, the basics of the Guidelines have remained the same, although the updated version has given CARU greater ability to pursue not only misleading advertising, but also advertising deemed "unfair." Under the revised Guidelines, companies are directed not to engage in advertising that "blurs the distinction between advertising and program/editorial content in ways that would be misleading to children." The revised version also includes a new section on advergaming, requiring that "if an advertiser integrates a commercial message into the content of a game or activity, then the advertiser should make clear, in a manner that will easily be understood by the target audience, that it is an advertisement."

CARU has been active in policing the industry for violations of the Guidelines on Interactive Electronic Media, and examines online web site information collection pages for violations of both the Guidelines and COPPA. In instances where advertisers fail to cooperate with CARU, under its stated procedures, CARU refers those entities to the FTC for government action. For example, in a recent decision, CARU referred 1 Chat Avenue, the operator of two chat sites that included free chat rooms for children, to the FTC. CARU found in its review that children under 13 were identifying themselves by age in the chat rooms, and adults were "whispering" the children into private chat rooms, often for conversations that were sexual in nature. In response to CARU's request that 1 Chat Avenue create a parental consent mechanism, the operator declined, indicating that it did not need to comply with COPPA or the Guidelines as its site was not directed to young children, and did not collect information from users. The FTC has not yet indicated whether it will take action against 1 Chat Avenue.

Other companies investigated by CARU for similar issues have cooperated with the entity to show their support for industry self-regulation. For example, the operator of the web site, which collected personal information as part of an online registration process, agreed to include an age-screening mechanism in that process. CARU had requested the screening mechanism as the site was advertised in children's media, namely Sports Illustrated for Kids . CARU felt that given the placement of these ads, the operator should have had a reasonable belief that children would attempt to register on the site.

In another case, Delia's Corp. (which markets clothing and accessories to young girls), agreed to adopt neutral web site screening procedures in response to CARU's finding that the site tipped off underage visitors that if they provided false birth date information, they could bypass the parental permission requirement. The Guidelines provide specific guidance on this issue, stating that language such as "you must be 13 or older to register" will tip children off and encourage them to provide incorrect age information. To avoid this, the Guidelines require website operators to use neutral screening questions designed to elicit accurate answers.

Interactive advertising and marketing in the digital age does not only include web sites with registration, information collection, or chat-type features. Recently marketers have begun to explore the world of text message advertising. For example, some have designed advertising campaigns that encourage consumers to send text messages to the advertiser. If these campaigns are directed to or appealing to children, they should be viewed with caution, if not avoided altogether. This lesson was learned in a recent CARU decision surrounding the advertising campaign of Glomobi, which advertised a service called "You Can Text Fun" during children's programming on Nickelodeon. In the ad, children were told that they could receive free jokes on their cell phones by texting the number displayed. However, after the child texted the number, he or she was signed up for a fee-based joke service. In its public statement about the case, Glomobi "acknowledged that this product is not appropriate for the child audience."


While your company may not target children, it is quite possible that its message not only reaches the country's technologically savvy children, but is also appealing to them. If so, you will be responsible for following both the requirements of the Children's Online Privacy Protection Act and the Children's Advertising Review Unit Guidelines. Ensure that you have a mechanism in place when engaging in interactive programs with consumers to comply with the Act and the Guidelines, including requirements such as obtaining parental consent before collecting personally identifiable information from children.

1 15 U.S.C.6501-6506.

216 C.F.R.312 et seq. (2000).

Liisa M. Thomas is a Partner in Winston & Strawn's advertising group. She focuses her practice on trademark, promotions and advertising law, with a particular emphasis on youth marketing and privacy law.

Please email the author at with questions about this article.