Skip to main content

Complaint from BBB Triggers HarperCollins COPPA-Compliance Measures

Written by Julia Siripurapu

The Children’s Advertising Review Unit (CARU) announced that  it has recommended that HarperCollins Publishers Ltd. (the “Company”) modify its information collection practices on its Ruby Redfort child-directed website (the “Site”) to better protect the privacy of children under 13  (“Children”) and that the  Company has agreed to do so. CARU is the children's arm of the advertising industry's self-regulation system and is administered by the Council for Better Business Bureau.

The Site, and the Company’s faulty information collection practices, came to CARU attention in the course of CARU’s routine monitoring of websites for compliance with CARU’s Self-Regulatory Program for Children’s Advertising, including guidelines on Online Privacy Protection, as well as with the Children’s Online Privacy Protection Act (COPPA). As described in CARU’s press release, in order to become a Site user and enter to win prizes on the Site, children were asked to provide personal information such as their first and last name, e-mail address, full street address and a username and to check a box to indicate whether: (1) they are over 16, (2) they are under 16 but have permission from a parent or guardian to sign up as  a user of the Site and enter the competition, or (3) they are under 16 and a parent is not aware of their signing up as a Site user and entering the competition. However, the Company did not take any additional steps to verify parental consent for children that selected option 2, as required by COPPA. The fact that the Company is a U.K.- based entity does not affect its COPPA-compliance obligations: the  Site is not only directed to Children located in the U.S. (among children from other countries), but the Company is also knowingly collecting information from Children located the U.S. 

In response to CARU’s investigation, the Company agreed to take steps to comply with COPPA, including to implement a system for obtaining verifiable parental consent. When we visited the Site today, we noticed that the Company has implemented an age-neutral verification mechanism and is currently blocking the collection of information from Children on the Site. If a prospective user indicates that she/he is under 13 and then selects either the “My parent or guardian has given me permission to sign up to this” button or the “My parent or guardian does not know I’m signing up for this” button, the individual receives the following message: “ERROR: Sorry, but you are not eligible to sign up at this time.” The Company has also implemented a session cookie to prevent Children from going back and changing their age.

Is you COPPA-compliance house in order? We can help!


Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.