Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

CARU orders app company to correct violations of children’s privacy rules

Privacy/Cyber Risk & Data Security Enforcement COPPA CARU FTC

Privacy, Cyber Risk & Data Security

On March 8, the Children’s Advertising Review Unit (CARU) announced that a smart watch phone operator has agreed to take actions to correct alleged violations of the Children’s Online Privacy Protection Act (COPPA) and CARU’s Self-Regulatory Guidelines for Children’s Online Privacy Protection. According to the press release, CARU is the nation’s first FTC-approved COPPA Safe Harbor Program and is tasked with monitoring online services for compliance with COPPA and CARU’s privacy guidelines to make sure the collection of children’s data is handled responsibly. CARU examined the company’s data handling and sharing practices and found that the company, among other things, “failed to provide clear and complete, and non-confusing, notice of its children’s information collection practices in its privacy policy and failed to provide any notice that would constitute a direct notice to parents as required by COPPA.” The company also failed to offer a method for parents to provide verifiable consent to its data gathering practices prior to its collection of information from children, CARU stated, adding that the company’s privacy policy, terms of service, and other online disclosures also included “inconsistent, confusing and/or contradictory statements about its collection, use, or disclosure of children's personal information.”

CARU noted that the company submitted a “detailed plan” outlining measures to remedy the concerns and agreed to correct the violations in order to comply with CARU’s privacy guidelines and COPPA. The company will also update its privacy policy to include information on how parents can prohibit the use of their child’s data or have it deleted and will obtain verifiable parental consent prior to completing the registration process. CARU also recommended that the company revise its website and app to provide parents with “direct notice of what personal information the operator can collect from children through their use of the service, both passively and actively, and how such personal information can be used and disclosed, together with a clear and prominent link to its privacy policy.”