Websites, apps, games and connected devices, all considered “online services”, that are directed to or attract children, often assume they know their audience. However, target audience does not always translate into actual audience. Your service maybe targeting older users, but it could turn out it’s attracting a high volume of children. Do your product and marketing teams really understand the difference between a primary child directed or child directed mixed audience service? Do you know what a general audience site can and can’t do if it gains knowledge of a child user? Defining audience is key to understanding how to ensure your service is compliant with child privacy regulations.
In the world of COPPA (the US Federal Children’s Online Privacy & Protection Act), child directed services come in two flavors. Primary child directed and mixed audience. Primary child directed means children from preschool age up to the age of and including 12 years old. Mixed audience is exactly that, a mix of user ages with a significant number of them aged 13 and older. If that number is to low, then the service is primary child directed. A mixed audience service can take a different approach to children. Understanding audience isn’t as simple as it sounds but if you get it right not only do you protect children’s privacy and safety but you also protect your brand.
Child Directed Primary Audience Overview
Where children are the primary audience, it is necessary to assume that all users are children. In these circumstances an age gate is not appropriate or compliant. If the service requires consent for the child to use it or has a registration and account creation then collect a parent email address from the child to notify the parent and seek consent.
If there is content for a parent on a primary child directed service include a clearly directed parent section where you can address the grown-ups. If the online service is for parents and there are COPPA triggers such as interest-based ads or remarketing, then don’t make this your entry point for children.
Ecommerce sites and services are considered general audience. This will change if you embed a shop in a child directed site and allow children to browse, create wish lists, create a shopping cart and ability to share their wish list with family, all of which is perfectly possible but must be done compliantly. A parent could authorize a child to make purchases, but this requires a simplified and streamlined permission process, such as the PRIVO iD Platform. This will also help avoid drop off and support conversion.
If you begin to track users across your brand (sites and apps) to serve recommendations based their activity you trigger COPPA. Therefore, it is vital to engage the parent and seek consent which in turn builds lifetime value and engagement both of which lead to revenue generation. At the same time the brand is protected from the damage caused by a violation and the child has a safer and privacy enhanced experience building trust and loyalty with the parent.
Child Directed Mixed Audience Overview
A mixed audience must be justified. Do you know your composite audience figures? How many children and older users do you have? Who are you targeting in your marketing materials? It is possible to use a compliant neutral age gate in a mixed audience service to screen younger users and provide a restricted and compliant experience or to seek parent consent for them to use the unrestricted version.
Children cannot be blocked from a mixed audience site, app or online service using an age gate. Age gates were introduced by the FTC as a mechanism for mixed audience services to accommodate children.
Measures must be put in place to ensure the age can be freely entered and there is no language that signals to a child that if they were older, they would have a better experience. The gate must be neutral. It is also vital to ensure the child cannot circumvent the age gate. If they enter a DoB 12 and under drop a cookie to prevent them changing it in that session or keep the it “frozen” for a period. Don’t allow the child to back button once birth date is entered.
Many services that use a mixed audience age gate to screen for age have no way to age up users that turn 13, this is not a good user experience or good for business. There are ways to collect the age or a marker of age and then allow the user to access the appropriate experience once they reach 13 under. Seek guidance on how to do this and don’t lose your user base, undermine your business or prevent a child from accessing the full experience once they are old enough.
Note: App store parent gates are not compliant age gates – beware and seek guidance.
General Audience Overview
A General Audience service is intended for users at or above the age of 13 under COPPA. These services offer experiences that are not intended for children, for example ecommerce sites. They are not required to investigate the age of the user. However, if such a platform, site or app gains actual knowledge that a child is using the service then appropriate action needs to be taken. This could be closing the child’s account and deleting all collected personal data, or it is also possible to offer that child a privacy enhanced and compliant experience. If a service chooses to age screen the user, it can then rely on that age and is not responsible if the user has “gamed” the age gate. Therefore, it is vital to have a robust age gate as outlined above. Again, if the service gains actual knowledge that a user is a child, the appropriate action outlined above must be taken.
There are ways to achieve business objectives without impacting the safety and privacy of children and without blocking them from experiences while staying compliant with COPPA and other child privacy regulations. Do your research, work with a compliance partner and safe harbor such as PRIVO to support engagement and help your business grow.
This blog was originally posted on September 14, 2016 and was updated on July 30, 2019 and then on March 31, 2020.