Many brand owners use their websites to promote their goods and services, as well as to promote their brands. Brand owners also frequently use social media to promote their brands. Indeed, it’s common for a website to include links to social media platforms such as Twitter and Pinterest. But if your site is directed to children, linking your site to social media platforms could be problematic.

Any website directed to children is potentially subject to the Children’s Online Privacy Protection Act (COPPA), and the Federal Trade Commission’s (FTC) regulations. COPPA and its regulation impose restrictions on companies that operate websites or provide online services directed at children under the age of 13, and those companies that have actual knowledge that they are collecting personal information online from children under 13. Among those requirements is a neutral age-screening mechanism to enable a website operator to obtain COPPA-required parental consent prior to collecting personal information from a child under the age of 13. The FTC recognized that children might attempt to evade age-screening devices, and recommended that site operators use “a temporary or a permanent cookie to prevent children from back-buttoning to enter a different age.”

The Build-A-Bear website permitted a visitor to create an account in order to play bear-themed games, among other things. In order to create an account, the user must enter an e-mail address, password, and birthdate (personal information under COPPA). Although Build-A-Bear later stated that its age-gate cookie was overwritten during a site update, when the Better Business Bureau’s Children’s Advertising Review Unit (CARU)[1] reviewed the site, users were able to use the back-button to enter a different age to avoid any age limitation on site content.

In addition, even before a user created an account, the website’s front page included links to Twitter and Pinterest. These two social media sites are not directed towards children under 13 and do not age-screen. The Build-A-Bear site, however, is directed towards children and therefore these two links raised a potential issue under COPPA. As a result of CARU’s inquiry, Build-A-Bear restored the age-gating cookie and removed the links to Twitter and Pinterest from its front page. See ASRC Press Release (May 14, 2013).

It is important to keep in mind that, under the FTC’s recently amended COPPA regulations—which go into effect on July 1, 2013—operators of child-directed websites are strictly liable if the operator allows other online services—plug-ins or advertising networks—to collect personal information through the child-directed site.

This matter demonstrates the importance of coordinating a brand’s advertising and a company’s website for compliance. If a company decides not to participate in CARU’s self-regulatory program or if it refuses to change its advertising after an adverse decision, the matter can be referred to the Federal Trade Commission. The FTC takes children’s privacy matters very seriously, as demonstrated by the $800,000 civil penalty paid by Path, Inc. in February with respect to its social networking app impermissibly collecting children’s information. See FTC Release (Feb. 1, 2013).

Sue Ross ( /+ 1 212 318 3280) of Norton Rose Fulbright’s Privacy, competition and data protection practice.

[1] CARU is administered by the Council of Better Business Bureaus; the unit routinely monitors websites for compliance not only with federal law relating to children’s privacy but also with CARU’s self-regulatory program.