Two members of Congress recently issued a letter to the six Children’s Online Privacy Protection Act (COPPA) safe harbor programs seeking information regarding each program’s business and compliance practices. This letter comes on the heels of a former Federal Trade Commission (FTC or the Commission) commissioner’s recommendations for updating and strengthening the safe harbor framework and in the midst of the Commission’s multiyear review of the COPPA rule, which began in 2019.
The Children’s Online Privacy Protection Act COPPA remains the only comprehensive federal privacy legislation in the United States. COPPA requires websites and operators of online services directed toward children under the age of 13 or those that have actual knowledge of children under the age of 13 using the websites or services to obtain verifiable parental consent before collecting, using, or disclosing personal information provided by the children. The following explains some key features of the COPPA rule.
- Verifiable parental consent: The rule requires operators to make reasonable efforts to provide notice of and obtain parental consent to the operator’s use, disclosure, and collection practices.
- Websites or services directed toward children: In determining whether a website is directed toward children, the rule directs the FTC to consider subject matter, visual content, use of animated characters or celebrities that appeal to children, and evidence regarding the actual and intended audience of the website.
- Safe harbors: COPPA safe harbor programs comprise industry groups that self-regulate their member-operators and establish their own guidelines and requirements that must guarantee the same or greater protection for children as the standards set forth in the COPPA rule. There are currently six approved safe harbor programs: Children’s Advertising Review Unit (CARU); Entertainment Software Ratings Board (ESRB); iKeepSafe; kidSAFE; Privacy Vaults Online, Inc. (PRIVO); and TRUSTe. Safe harbor programs must demonstrate mechanisms for ensuring compliance with their guidelines, including annual reviews of the member-operators in addition to a disciplinary protocol that allows for public reporting of actions taken against operators, payments made to the U.S. treasury for violations, and referral to the FTC for repeat offenders. Websites and operators that participate in a safe harbor program are deemed COPPA-compliant provided they comply with the guidelines and are insulated from FTC enforcement for COPPA violations. Safe harbor programs allow members to use a “seal of approval” indicating that their membership in the safe harbor and as an external signal that the website complies with children’s privacy regulations.