Two members of Congress recently issued a letter to the six Children’s Online Privacy Protection Act (COPPA) safe harbor programs seeking information regarding each program’s business and compliance practices. This letter comes on the heels of a former Federal Trade Commission (FTC or the Commission) commissioner’s recommendations for updating and strengthening the safe harbor framework and in the midst of the Commission’s multiyear review of the COPPA rule, which began in 2019.
- Background
The Children’s Online Privacy Protection Act COPPA remains the only comprehensive federal privacy legislation in the United States. COPPA requires websites and operators of online services directed toward children under the age of 13 or those that have actual knowledge of children under the age of 13 using the websites or services to obtain verifiable parental consent before collecting, using, or disclosing personal information provided by the children. The following explains some key features of the COPPA rule.
- Verifiable parental consent: The rule requires operators to make reasonable efforts to provide notice of and obtain parental consent to the operator’s use, disclosure, and collection practices.
-
Websites or services directed toward children: In determining whether a website is directed toward children, the rule directs the FTC to consider subject matter, visual content, use of animated characters or celebrities that appeal to children, and evidence regarding the actual and intended audience of the website.
-
Safe harbors: COPPA safe harbor programs comprise industry groups that self-regulate their member-operators and establish their own guidelines and requirements that must guarantee the same or greater protection for children as the standards set forth in the COPPA rule. There are currently six approved safe harbor programs: Children’s Advertising Review Unit (CARU); Entertainment Software Ratings Board (ESRB); iKeepSafe; kidSAFE; Privacy Vaults Online, Inc. (PRIVO); and TRUSTe. Safe harbor programs must demonstrate mechanisms for ensuring compliance with their guidelines, including annual reviews of the member-operators in addition to a disciplinary protocol that allows for public reporting of actions taken against operators, payments made to the U.S. treasury for violations, and referral to the FTC for repeat offenders. Websites and operators that participate in a safe harbor program are deemed COPPA-compliant provided they comply with the guidelines and are insulated from FTC enforcement for COPPA violations. Safe harbor programs allow members to use a “seal of approval” indicating that their membership in the safe harbor and as an external signal that the website complies with children’s privacy regulations.
- What is next for safe harbors?
In a May 2020 statement announcing action against a mobile gaming company for misrepresenting its status as a safe harbor member, then-FTC Commissioner Rohit Chopra recommended the Commission “revamp its approach” to COPPA safe harbors. Commissioner Chopra suggested the Commission conduct periodic routine reviews and vote to accredit the existing safe harbors, disclose complaints and disciplinary action as well as performance metrics, and “restrict[] additional fee-based consulting offered by affiliates of the Safe Harbor to participating websites and apps” to eliminate conflicts of interest.
On January 10, 2022, Representatives Jan Schakowsky (D-IL) and Kathy Castor (D-NY), chair and member of the House Energy and Commerce Committee’s Consumer Protection and Commerce Subcommittee, issued a letter to all six COPPA safe harbors seeking information to assist in “improv[ing] the program’s governing regulation and statute.” The representatives recognized the importance of the safe harbor seal of approval in assisting parents in making quick choices regarding their children’s privacy online, but expressed concern that the safe harbors were not adequately “fulfilling their legal obligations to provide ‘substantially the same or greater protections for children’ as those detailed in the COPPA rule.”
The representatives issued 14 questions to the safe harbors and have asked for their response by January 28. Here are some key details of the inquiries:
- Several questions ask for details regarding the safe harbor’s compliance and disciplinary protocols, including records of past disciplinary action, annual assessments of the operator’s compliance with program guidelines, and whether fines have been levied.
- The representatives are also seeking information regarding whether the member-operators use affiliated services outside of the safe harbor framework, the safe harbor programs advertising practices, and the fee structures used.
- Finally, the representatives are asking for input from the safe harbors regarding Commissioner Chopra’s recommendations and specific actions Congress and the FTC can take to improve the safe harbor framework and the COPPA statute and regulations generally.
- Expectations for safe harbors moving forward
If your organization is enrolled in a safe harbor, expect the program guidelines to change – if they have not already been updated. Both the representatives and Commissioner Chopra have expressed concern over the purchase and sale of affiliated services from the safe harbor providers, so it is safe to assume there will be some effort to curb those relationships. Further, given the focus on the transparency of disciplinary actions taken by the safe harbors, it is reasonable to expect those decisions will be required to be made public, and that previous enforcement actions could be made public in the coming months. Finally, it is possible that some of the existing safe harbors will not survive rigorous oversight by Congress and the FTC and may decide to terminate their program.
Client Alert 2022-016