CARU Recommends Kudos Modify Privacy Practices to Better Protect Children’s Privacy, Company Agrees to Do So

New York, NY –  April 26, 2018 – The Children’s Advertising Review Unit (CARU) has recommended that Kudos & Co., modify its privacy practices to bring them into compliance with CARU’s Self-Regulatory Program for Children’s Advertising – including CARU’s privacy guidelines – and the federal Children’s Online Privacy Protection Act (COPPA). The company has agreed to do so.

The Kudos mobile application came to CARU’s attention through CARU’s routine monitoring practices. CARU is an investigative unit of the advertising industry’s system of self-regulation. It is administered by the Council of Better Business Bureaus.

CARU monitors websites and digital platforms for compliance with CARU’s Self-Regulatory Program for Children’s Advertising, including guidelines on privacy protection and with COPPA.

Kudos’ informational website describes the app as a social community for kids where they can explore and share their interests with friends. Children can share pictures and drawings, explore their friends’ posts, make comments and share reactions. Kudos states that it has content moderators on duty 24/7 to review shared information and that inappropriate content will be removed. It also states that parents are notified of children’s posts and comments after they are made.

One must register to use the app and the first step in the registration is to provide a photo.

The registrant is then prompted to take a selfie and must approve a profile photo before moving forward.

The next prompt asks for a username, password, first and last name as well as a birthday. If a date of birth corresponding to an age below 13 is chosen, the following screen asks for a parent’s email address.

Users can click the back button and change their date of birth to one that corresponds to an age of 13 years of age or above. If the registrant does change his or her date of birth to one that corresponds with an age over 13, the next screen asks for the child’s email address instead of the parent’s.

If the child does not click the back button and instead pursues registration with a date of birth corresponding to an age under 13, an email providing information on the app and its functionality is sent to the email address provided by the child.

Upon initial review, CARU questioned whether the app targeted children as its primary audience, whether the direct notice to the parent to obtain verifiable parental consent was sufficient under COPPA and the guidelines and whether the operator obtains proper verifiable parental consent prior to the collection and/or disclosure of personally identifiable information.

CARU determined that the app did target children as its primary audience, which requires the app operator to obtain verifiable parental consent for every visitor.

After reviewing all of the evidence in the record, CARU determined that the app’s method of obtaining parental consent was insufficient for its information collection practices and did not meet COPPA’s requirements.  Where children’s personal information can be disclosed publicly, COPPA and the guidelines require that services use a reliable method of parental consent.

Further, CARU determined that Kudos’ practices did not comply with the guidelines or COPPA because the company failed to state in its direct notice that it collected parents’ online contact information, that parental consent is required for the collection of personal information from children and that the operator will not collect, use or disclose any personal information from the child if the parent does not provide such consent. Further, the direct notice did not stipulate that if the parent did not respond within a reasonable period of time the operator would delete the parent’s contact information from its records.

CARU considered but was not persuaded by the operator’s argument that it did not require the use of a credit card transaction or verification of a government-issued ID as the method to verify parental consent because it wanted to ensure that even children whose families did not have credit cards or IDs were able to use the app. CARU noted that there are several methods of obtaining parental consent that do not involve the use of a credit card transaction or ID, which Kudos could have safely used.

Kudos agreed to participate in a Safe Harbor program to bring its app into compliance with the guidelines and COPPA. In its advertiser’s statement, the company said it acknowledges “the issues you documented in your report and have moved to correct them. Kudos agrees to comply with CARU’s recommendations. To do so, Kudos joined and completed certification through an FTC-approved Safe Harbor program.”