Taking candy from babies: HarperCollins illegally gathered personal information from children

By Carmel DeAmicis , written on February 21, 2014

From The News Desk

What's easier and creepier than taking candy from babies? Nabbing some of their personal data.

This week a unit from Better Business Bureaus (BBB) took HarperCollins to task for collecting "personally identifiable" information from children under the age of 13 without their parents' consent.

When kids visited a HarperCollins' site they would find a page encouraging them to share personal information:

Screen Shot 2014-02-21 at 12.36.26 PM

According to the BBB press release:

To sign up to enter and win prizes a visitor had to enter a username, email address, first and last name, and full street address and then choose from one of several options:
  •  I am over 16.
  •  I am under 16 and have permission from my parent or guardian to sign up to the Ruby Redfort website and enter the competition.
  •  I am under 16 but my parent does not know that I am signing up for this.
  • Please send me the newsletter and other information about Ruby Redfort.
  • We would like to let you know about other similar new titles by Harper Collins. If you’re happy for us to do so please tick the box.
Such behavior is against the law under the newly updated federal Children’s Online Privacy Protection Act (COPPA), which went into effect this past summer. COPPA requires that websites have safeguards in place to vet that an actual parent is giving their consent for data release.

One way COPPA recommends for websites to make sure parents give consent is by asking so-called "knowledge-based" questions where "the questions used are of sufficient difficulty that it would be difficult for a child in the household to figure out the answers." Clearly the writers of COPPA are fans of "Are You Smarter Than a 5th Grader."

When reached for comment, a HarperCollins spokesperson told PandoDaily, "HarperCollins UK created a site that was compliant with UK and EU law. When it learned that its site was not compliant with US law, it quickly took steps to also meet US law as well."

Unfortunately, the steps HarperCollins UK took are pretty half-assed. It put up a data block method, but only for website visitors from the United States. U.S. visitors encounter the same data capture page, but no matter what age they enter they receive a message: "Sorry, but you are not eligible to sign up at this time.."

Of course, if you're smart enough to just pick a different country on the dropdown menu than the U.S., you can get around the block.

It's clear HarperCollins doesn't feel particularly compelled to go out of its way to ensure parental consent for children's data release. If it did, it would expand protective measures to all website visitors, not just in the US.

[Illustration by Hallie Bateman for Pando]