The Federal Trade Commission is leery about providing clear and specific advice on a variety of issues, including the application of the Children’s Online Privacy Protection Act and COPPA Rule to the online business environment. Many companies, uncomfortable with potential exposure, look to third-party certification companies to establish the necessary COPPA bona fides. Recent settlements are raising questions about whether these services are living up to their obligations, with one company in particular receiving a good bit of criticism.
Congress often creates burdensome and unrealistic compliance requirements for government agencies. Perhaps realizing policing COPPA could be difficult, Congress created a process whereby private companies could be certified by the FTC to provide oversight. The key language of the law reads as follows:
(1) Self-regulatory incentives
In prescribing regulations under section 6502 of this title, the Commission shall provide incentives for self-regulation by operators to implement the protections afforded children under the regulatory requirements described in subsection (b) of that section.
(2) Deemed compliance
Such incentives shall include provisions for ensuring that a person will be deemed to be in compliance with the requirements of the regulations under section 6502 of this title if that person complies with guidelines that, after notice and comment, are approved by the Commission upon making a determination that the guidelines meet the requirements of the regulations issued under section 6502 of this title.
[See 15 U.S. Code 6503]
Self-regulation is controversial at the best of times with the ultimate merits often boiling down to the exact nature of what must be included in the self-regulation effort. In the case of COPPA, the FTC looks at the following three factors in making a determination whether to authorize a company as a regulator:
- Whether the applicant’s program includes guidelines that provide substantially the same or greater protection than the standards set forth in the COPPA Rule;
- Whether the program includes an effective, mandatory mechanism to independently assess member operators’ compliance with the program’s guidelines, which at a minimum must include a comprehensive annual review by the safe harbor program of each member operator;
- Whether the program includes effective disciplinary actions for member operators who do not comply with the safe harbor program guidelines.
[See 16 C.F.R. § 312.11]
Fair enough – in a vacuum. Unfortunately, there are significant doubts back in the real world as to whether the FTC monitors the self-regulation companies as required by law and the FTC’s own guidelines. Indeed, a few privacy advocate groups have sued to gain access to the reports the FTC is supposed to create for the reviews without much luck. The situation is all the more bizarre given states have attacked these companies with success.
On April 6, 2017, New York State Attorney General Eric Schneiderman announced a $100,000 settlement with TRUSTe – a third-party COPPA safe harbor company. The claim at the heart of the settlement is that TRUSTe allowed Hasbro and Roblox, a popular gaming site, to track children in violation of COPPA. Hasbro and Roblox were not part of the settlement, and both companies have indicated to the press that they stopped working with TRUSTe prior to the legal actions. [Not exactly a vote of confidence.]
When queried by ABC News about the settlement, TRUSTe stated that the problem is now fixed and that “we take our regulatory responsibilities extremely seriously.”
Somewhere, a public relations executive shed a tear, but those awful things known as facts reveal this is not TRUSTe’s first settlement over its privacy certification services. In 2014, the company was fined $200,000 by the FTC for making misleading statements to the public. TRUSTe had promised that every website and internet-connected platform with one of its seals was re-assessed every year. The FTC found not only was this not the case, but TRUSTe had failed to re-assess over 1,000 clients from 2006 to 2013.
Safe Harbor Pierced?
Of course, the ultimate question is whether the TRUSTe failures impact customers. Interestingly, the answer is no. In the COPPA matter, the New York Attorney General did not pursue Hasbro or Roblox for the simple reason that the law gives those companies immunity so long as they use a third-party compliance company such as TRUSTe. Once a company coughs up the necessary fee to a third-party regulator such as TRUSTe, the company is presumed to be COPPA-compliant even if the regulating for-profit party isn’t performing as required by the FTC.
Must be nice.
Richard Chapo, Esq.