The Office of the Attorney General of the State of New York (NYAG) has reached a settlement with privacy-compliance company TRUSTe regarding its COPPA safe harbor program participation.
The settlement comes after Attorney General Eric Schneiderman investigated two companies, Roblox and Hasbro, who’d formerly used TRUSTe’s certification program to signify compliance with the Children's Online Privacy Protection Act, and found they were non-compliant because of third-party tracking technologies on their websites. According to an NYAG press release, TRUSTe’s “failure to adequately assess its customers’ websites … left underage visitors to those websites vulnerable to illegal tracking prohibited under the federal Children’s Online Privacy Protection Act.”
As a result, TRUSTe will pay $100,000 and has agreed to make changes to the privacy assessment component of its COPPA safe harbor program.
TRUSTe CEO Chris Babel said in a press release, "As a father of three boys, kids' online privacy is important to me, as it is incredible where kids can wander and what mischief they can get into online." He said the changes the company will make per its settlement will help TRUSTe "further assist our clients in achieving their privacy compliance goals."
TRUSTe launched its Children’s Privacy Certification program in 2001, just after COPPA came into play, and the program got a facelift in 2013 following revisions to COPPA itself. One of the more significant revisions was the expansion of the definition of personal information, which is afforded certain protections under the law, to cover data collected by any tracking technology used on a site regulated by COPPA. So that included social media plugins, third-party advertisers, etc. That’s where things started to get a little tricky for some companies because it wasn’t always clear, even to site operators themselves, the kinds of tracking going on.
And that’s how the trouble started with Roblox and Hasbro, companies certified under TRUSTe’s COPPA safe harbor in 2013-2014. The NYAG started to investigate in 2015, according to Hilary Wandall, TRUSTe’s general counsel and chief data governance officer. She said that incomplete representations of what was happening in practice — either deliberately or because they legitimately were not aware the tracking technology was on their site — led to the companies being certified without disclosing tracking technologies at play.
To be clear, TRUSTe’s vetting process did, in 2013, as it does now, include a website scan, Wandall said. But at the time, it wasn’t a formalized process. Under the changes TRUSTe has agreed to make, it will dedicate a “technical scan review team” to do a full tracking scan of a substantial portion of any website covered by COPPA, and then provide the results to the potential safe harbor participant. It will also require the certifying company itself to do an independent review of all third parties operating on its site, then attest to TRUSTe in writing both how it conducted the review and its findings.
“In the past, we did those things, but it didn’t go through a process,” Wandall said. “NYAG was concerned that it wasn’t a very formal, robust process, and that may have been a contributing factor to how these things went wrong in 2013.”
TRUSTe will also, per its agreement with the NYAG, require its customers to disclose the kinds of information each third party at play collects and how that information is used, and to maintain a database of third-party tracking technologies to help it determine whether any of them could potentially violate COPPA.
Why is TRUSTe to blame for the sites’ noncompliance? COPPA is what’s called a “strict liability statute,” and because TRUSTe was responsible for reviewing those companies and giving them a stamp of approval, TRUSTe is the liable party.
Because it’s an FTC program, changes TRUSTe has proposed making to its safe harbor vetting process have been submitted to the agency, which will facilitate a public notice and comments period. After that, the FTC will determine whether TRUSTe will be permitted to continue operating as a COPPA safe harbor provider.
“Ultimately, we do think a formal robust process is important to the certification process as a whole,” Wandall said. “We’re happy to say we have really strong, robust processes, and we’re now going to increase our oversight and governance with respect to the program as a whole.”
While this isn’t the first time TRUSTe has made settlement headlines — it reached a settlement in 2015 with the FTC over alleged misrepresentations as a non-profit as well as deceiving customers about its recertification program — the NYAG’s investigation into TRUSTe’s practices was unrelated, Wandall made clear.
“The things we decided to do to make sure we were complying with what the FTC required of us as of 2015, those things related to a lot of processes we’ve changed, but the issues are not the same issues. The issues are totally different issues,” she said.
The settlement in this case relates strictly to using trackers on COPPA websites, while the 2015 settlement related to “requiring we do not make any misrepresentations as to how we do annual reviews on the one hand, and also ensuring that anyone who participated in our programs, and had been doing so for a long time, back when we were a non-profit, did not continue to say we were a non-profit."
The NYAG's investigation into Roblox and Hasbro is part of the office's ongoing effort, dubbed "Operation Child Tracker," to investigate marketers' illegal tracking of children. The investigation led to settlements last year with four other companies, which paid penalties totaling $835,000. The companies also were required to adopt "comprehensive reforms to protect children from improper tracking and the collection of children's personal data in the future," according to the NYAG press release.
Neither Roblox nor Hasbro is certified under TRUSTe’s program any longer.