CARU, Google Collaborate To Ensure Children’s Privacy Protection On

 New York, NY – August 11, 2009 – In a collaborative effort to better protect the privacy of children, Google has agreed to modify registration for its Gmail email service, following a recommendation from the Children’s Advertising Review Unit of the Council of Better Business Bureaus.

CARU, the children’s advertising industry’s self-regulatory forum, monitors Websites for compliance with CARU’s Self-Regulatory Program for Children’s Advertising, including guidelines on Online Privacy Protection.

Google’s Gmail account features a user-friendly design that categorizes emails in a conversational style to facilitate searching and organizing information.  Gmail accounts also contain “invite-a-friend” and chat features so that users can correspond via instant messaging with other Gmail contacts, as well as “Google Talk,” which allows Gmail members to talk to one another in real time.

When CARU first reviewed the Gmail Website, potential members were asked to enter their first name, last name, desired email address, a password, and secondary email account.  There was no request for a date of birth during the registration process.  Users were asked to read and accept the “Terms of Use,” which stated “Due to the Children’s Online Privacy Protection Act of 1998…, you must be at least thirteen (13) years of age to Use this Service.  Users then needed to click on a box stating “I accept.  Create my account.” 

CARU’s guidelines provide that, if a Website has a reasonable expectation that a significant number of children under 13 would visit the site to create accounts, it should employ a neutral age-screening mechanism to determine if it is necessary to obtain verifiable parental consent, before the collection of personally identifiable information. The CARU guidelines exceed the requirements under the Children’s Online Privacy Protection Act, which requires age-screening and verifiable parental consent if the operator of a general audience website has actual knowledge that it is collecting information from children under 13.  Google’s compliance with COPPA was not at issue in CARU’s inquiry.

After reviewing the evidence, CARU determined that the company should have had a reasonable expectation that a significant number of children under 13 would visit the site to create Gmail accounts, and therefore should employ a neutral age-screening mechanism.

In reaching its decision, CARU looked to standard industry practices. CARU noted in its decision that Google was, at the time of CARU’s initial inquiry, the only major email Website that did not employ neutral age screening during the registration process.

In response to CARU’s inquiry, Google maintained that the Gmail service was not directed to children and that the company did not have a reasonable expectation that a significant number of children under 13 would visit the site. Google stated that it genuinely values the work that CARU has done to protect the privacy and safety of children online, and based on its review of CARU’s analysis, would implement a neutral age-screening mechanism for Gmail registration.

Google, in its operator’s statement, said that the company has agreed to screen future registrants for age. 

“This was not an easy decision for Google because we have strong reservations about collecting user information that is otherwise unnecessary for providing Gmail services.  Google does not target Gmail to children, nor do we ask users to provide a date – or even a year — of birth.  In fact, Google strives to collect a minimal amount of personal information from users during the Gmail account registration process,” the company said. “Nonetheless, based on the CARU recommendations, we will include a field in the account registration user interface that asks for one of:  birth date, birth month/YEAR or birth year.  If a user enters a date that would indicate that user is under 13, then a session cookie would be set to block the user from re-registering during the session.”