• by Wendy Davis  @wendyndavis, May 3, 2019

The self-regulatory watchdog Children's Advertising Review Unit has found that Facebook didn't comply with the “spirit” of a federal privacy law, because the company's mobile app allowed children to easily bypass an age-gate.

“CARU looked exclusively at whether Facebook employed technology sufficient to prevent underage children from circumventing the age-screening process,” the watchdog wrote in an opinion released this week. The Better Business Bureau-administered organization concluded that the app's registration process didn't comply with CARU's guidelines, or with the spirit of the Children's Online Privacy Protection Act. That law prohibits companies from knowingly collecting personal data from children younger than 13 without their parents' permission.

Facebook -- which revised its app after CARU raised concerns -- officially doesn't allow anyone under 13 to create an account. The company's mobile app asked new users for their birthdate; if users indicated they were 12 or under, their attempt to register was rejected. But until recently, the app didn't employ any technological measures to enforce that ban, according to CARU. Instead, children could simply return to the registration page and enter a different birthdate. 

On non-mobile sites, Facebook attempts to use cookies to prevent children who enter a birthdate showing they're under 13 from trying again with a different birthdate. But the company told CARU that the same cookie-based technology isn't practical for mobile apps.

The watchdog told Facebook that it nonetheless must use some type of “tracking mechanism” to block registration by users who say they're under 13.

Facebook agreed to revise its procedures by preventing people who said they were under 13 from registering via app for at least two hours after their initial registration was rejected, or until the app was “force-closed,” or uninstalled and reinstalled.

“CARU believes that implementing a tracking mechanism in the mobile space is of the utmost importance in order to comply with the guidelines and maintain the spirit of COPPA in a mobile environment, which is undeniably the way of the future,” the group wrote. “As technology develops, children become even savvier, and age-screening techniques must evolve as well.”