Last week, the United States Federal Trade Commission levied a fine of $450,000 on Yelp, the popular online review website. The fine stems from alleged violations of the Children’s Online Privacy Protection Act (commonly referred to by its Schwarzenegger-sounding abbreviation, COPPA) in which the site collected registration information from minors under the age of 13.
Get to the COPPA!
Under COPPA, the collection of any personal information from persons under 13 without verifiable parental consent is prohibited. COPPA’s definition of “personal information” is fairly broad, as it should be in the case of minors. Everything from the basics (just a first name counts) to the actually specific (a Social Security number, which is obviously personal info) is included. Any sort of location information counts, as well—not just addresses, but also city or town names, even the state of residence qualifies.
COPPA also specifies “verifiable parental consent.” It includes “any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that a parent of a child receives notice of the operator’s personal information collection, use, and disclosure practices, and authorizes the collection, use, and disclosure, if applicable, of personal information and the subsequent use of that information before that information is collected from that child.” Not exactly layman’s terms, but certainly not the most complex technical jargon I’ve ever seen, either.
From 2009 to 2013, the FTC argues, Yelp collected personal information for site registration purposes from an undisclosed number of minors under 13 without proper parental consent. As Yelp’s registration process requires a birth date be provided, they were aware that these users were underage.
Granted, underage users are able to use the site (and/or its associated app) without registering. This, however, would not have been a violation of COPPA—it doesn’t say anything regarding letting kids use the site. The fact that the information was collected is what’s at issue.
“Yelp failed to implement a functional age-screen in its apps, thereby allowing children under 13 to register for the service, despite having an age-screen mechanism on its website,” the FTC said in a statement. “In addition, the complaint alleges that Yelp did not adequately test its apps to ensure that users under the age of 13 were prohibited from registering.”
Lazy Adults to Blame?
By way of explanation, Yelp posted on their blog that “only about 0.02% of users” who registered on the site in the FTC’s timeframe provided an underage birth date, and they “have good reason to believe that many of them were actually adults.”
Basically, they’re saying that a lot of the supposedly underage registrants did not provide their actual birthdate when registering. If one were to dig deeper into the available info, one would likely find that a good number of “under 13” users’ supplied birthdates are the same as the date they signed up for the site. It seems entirely possible that that field would be passed over—how many of us fill in all (or any) of the non-required information when signing up to use a website?
However, it seems that Yelp could have taken some very, very easy steps to maintain COPPA compliance before this even became an issue. If you’re not supposed to be collecting info from those under age 13, make birthdate a required field in your registration process. Sure, underage users could just fudge the date to complete the process, but it would also compel lazy adults to provide their actual birthdate, thereby eliminating some of the statistical noise.
Adults are lazy, kids are stupid (not exactly relevant here, but true), the FTC don’t take no $#!t, and Yelp’s wallet is almost a half-million bucks lighter.