HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Did you know a revised COPPA [US] took effect in 2013?

I ran into this information while researching a customer request. Not only does COPPA now only target sites "directed at children" but using an age gate to prevent access by folks under 13 is expressly not in compliance with the rule.

https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions#Web sites and online

The amended Rule sets out a number of factors for determining whether a website or online service is directed to children. These include subject matter of the site or service, its visual content, the use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the website or online service, or whether advertising promoting or appearing on the website or online service is directed to children. The Rule also states that the Commission will consider competent and reliable empirical evidence regarding audience composition, as well as evidence regarding the intended audience of the site or service.

And on age screening in general on sites that target children:

Because of its very nature, in most instances, a website or online service (such as an app) directed to children must treat all visitors as children and provide COPPA’s protections to every such visitor. This means that for the most part, a website or online service directed to children may not screen users for age.

So the takeaway is: If you're running a kid's website, you need to treat every user as a COPPA user. If you're not, there's nothing extra you need to do. An age gate step misses the point on both sets of guidance.


  • Options
    LincLinc Detroit Admin

    If my reading of this is correct, it's actually even worse than that to use an age gate:

    Can I block children under 13 from my general audience website or online service?

    Yes. COPPA does not require you to permit children under age 13 to participate in your general audience website or online service, and you may block children from participating if you so choose.


    In addition, consistent with long standing Commission advice, FTC staff recommends using a cookie to prevent children from back-buttoning to enter a different age. Note that if you ask participants to enter age information, and then you fail either to screen out children under age 13 or to obtain their parents’ consent to collecting these children’s personal information, you may be liable for violating COPPA.

    The very act of adding an age gate makes you liable for not then properly enforcing the results of said age gate, even tho you had no responsibility to add one in the first place.

    tl;dr never use an age gate.

  • Options
    LincLinc Detroit Admin
    edited January 2017

    My not-lawyerly guidance is:

    1. If you have a product or service targetting kids, you need your own login system that handles a COPPA workflow. You can then connect to Vanilla with SSO.
    2. If you do not target kids, your responsibility is to take action (contact parent or ban) anyone who makes it clear on a moderated forum that their age is under 13.
    3. An age gate does not mitigate #1 in any way, and it adds liability for #2 where there was none before (by compelling folks to reveal age). Therefore, don't do it.
  • Options
    vrijvlindervrijvlinder Papillon-Sauvage MVP

    This has been around for several years now. I actually mentioned it during the time when that 10 year old child troll was hanging around. You need to obtain written permission from the parent for a child under 13. And you need to keep their personal info private. Facebook has many problems with this issue. They rely on reports from other users to catch and delete accounts from children. Sometimes the parents themselves make them an account even, but fail to secure it properly. And doing that violates the TOS .

    Asking people what their age is relies on the user's honesty and children would totally lie and say they are 13 or older. It is the responsibility of the site owner to detect these and it is a difficult process . Measuring the maturity level of a user is time consuming.

    Posting a warning that the site is for people 18 + and having a potential user click a button that certifies they are 18+ without any way to verify it , is merely symbolism to give the idea that the site somehow keeps children away.
    It is not enough in my opinion. And if a child gets in and the parents find out, there could be severe legal problems.
    How can any site verify the age of a user ? Then how to get parental permission or to let parents know what their child has been up to ?

    It is best to make sure that you don't allow children at all. The parents need to control what their children do.

    I suppose one can use meta tags that would alert that it is adult oriented and it would trigger the parental controls in the child's computer and redirect or block the site ?

  • Options
    LincLinc Detroit Admin

    @vrijvlinder said:
    It is the responsibility of the site owner to detect these and it is a difficult process .

    No, it is not. That was exactly the point of my posts. You have no responsibility to ask or "detect" ages. You only have a problem if 1) you ask in the first place or 2) they tell you they're under 13.

Sign In or Register to comment.