The U.S. Federal Trade Commission last week announced its settlement with a gaming app developer over its false claim of membership in a Children’s Online Privacy Protection Act safe harbor program, and alongside the announcement, a Democratic commissioner has called for a revamp of self-regulatory programs to strengthen children’s privacy protections.

The FTC said Swiss-based digital game developer Miniclip misled consumers by claiming membership in the Children’s Advertising Review Unit’s COPPA safe harbor program, both on its website and Facebook games’ privacy policy page from 2012 to mid-2019, despite CARU terminating its participation in the program in 2015. Miniclip, owned by Chinese tech conglomerate Tencent, had joined the BBB National Programs' CARU program in 2009.

Under the FTC’s COPPA rule, companies that join an FTC-approved safe harbor program and adhere to its guidelines are deemed to be in compliance with COPPA. CARU is one of seven COPPA safe harbor programs.

While he supports the FTC’s action, Commissioner Rohit Chopra said it “reinforces” his concerns about COPPA safe harbors. The commission, he said, “must take many steps to revamp its approach to these third-party privacy policing programs.”

“Beefing up oversight of the COPPA Safe Harbor program is just one of many actions the commission must take to strengthen our approach to protecting children’s privacy,” he said.

Vice President Dona Fraser said CARU supports additional oversight by the FTC. But for Georgetown Law professor Angela Campbell, the bigger question is “really whether the safe harbors are effective in protecting children’s privacy.”

Chopra’s calls to reform safe harbor programs come amid an FTC review of its COPPA rule, which requires services that collect personal information of children under 13 to notify parents and obtain consent. Also, earlier this month, a bipartisan group of senators asked the FTC to launch an investigation into children’s data practices within the educational and digital advertising industries, and a group of privacy advocacy organizations called for effective enforcement action against TikTok, claiming the app is not removing videos made by children under 13 as required under a consent agreement with the commission.

To strengthen the FTC’s approach, Chopra suggested implementing routine reviews and commission votes to maintain COPPA safe harbor accreditation, rather than the “lifetime approvals” that are currently granted; disclosing safe harbor members’ data to the public, including complaints and disciplinary actions; restricting affiliates from offering additional fee-based consulting to participants; submitting documentation of disciplinary actions to the FTC; and terminating “Safe Harbor programs that do not adequately fulfill their oversight requirements.”

He also suggested the commission issue orders under Section 6(b) of the FTC Act — which empowers it to require responses “to specific questions” from an entity — to further study how companies collect, share and monetize children’s data, “as we look to modernize our rules and enforcement strategy to root out children’s privacy violations.”

Terminations are “exceedingly rare,” he said, commending CARU for “demonstrating its willingness to discipline its participants that violate its guidelines.” But, he said, specific details of Miniclip’s violations “remain a secret to the public,” and he expressed concern that if the FTC does not “promptly learn about or investigate terminations by COPPA Safe Harbors, the agency may be unable to obtain civil penalties, due to the five-year statute of limitations.” 

Fraser said terminations are generally the result of a company failing to comply with safe harbor or COPPA guidelines. They are rare, she said, and are “not something we take lightly.”

“Usually there’s a lot of back and forth and we work very hard to find different solutions to help companies comply, but if they insist on maintaining practices that are going to be inconsistent with COPPA or inconsistent with our guidelines, there’s not a lot of wiggle room at that point,” she said. “It’s rare because the goal is really to work with companies. What we don’t want is an ecosystem of companies that aren’t complying.”

Fraser said she welcomes additional oversight by the FTC and CARU will work to be more transparent by “indicating the issues we’re seeing and how we’re resolving them” in reporting to the commission, but she did raise concerns about naming companies in doing so.

“A lot of companies that join safe harbors end up undergoing great scrutiny by consumer advocates and other groups who are looking to see whether or not safe harbors are actually working,” she said. “Companies that want to do the right thing are going to join a safe harbor.”

Linnette Attai, president of global compliance consulting firm PlayWell, LLC, said wanting more transparency without identifying companies is a natural tension, but providing the FTC with more information on the types of issues safe harbors are seeing, the scope of those issues, how they are being addressed, and the safe harbor's processes would be a positive step.

Attai said the seven safe harbors are "not all created equally in terms of their depths of expertise and experience in the children's industry." There are those who have been in the industry since COPPA was prescribed, so they "already had some experience and expertise in understanding the very particular sensibilities that need to be in place when designing, creating and marketing to children." Others may have come into formation as privacy became a hot topic and may not have that depth of expertise. 

"Those that are already quite strong and have been doing the work for decades commonly welcome more transparency and oversight by the FTC, as it would ultimately raise the bar for all," she said. 

Two years ago, TRUSTe paid $100,000 and agreed to make changes to the privacy assessment component of its program in a settlement with the Attorney General of the State of New York regarding its COPPA safe harbor program. After investigating two companies that used TRUSTe's program, the AG said TRUSTe failed “to adequately assess its customers’ websites” and left underage visitors to those sites “vulnerable to illegal tracking prohibited” under COPPA.

Fraser said CARU has updated its procedures regarding terminations and will routinely monitor to see if a terminated company is referencing the program in its materials.

She would ideally like to see greater education about COPPA and why compliance is important.

“We’ve been calling for the FTC to lead on doing education about COPPA, not just for businesses, but for consumers, as well. We’ve always said that we’re happy to work with them on that, but I do believe that the lead has to come from the FTC,” she said.

While Chopra’s comments are “really right on point,” Campbell called the FTC’s action “very troubling” for its sole focus on Miniclip’s misrepresentation of status in the safe harbor program, the length of time between its termination by CARU and FTC action and the FTC’s lack of enforcement of any underlying violations.

“I can’t understand why they don’t go after them for the underlying violations, or at least discuss the underlying violations, which I assume there were, or they would not have been terminated,” she said. 

She agreed with implementing Chopra’s suggestions, adding the FTC should be requesting information on any terminations and should promptly act.

“There has to be a way when someone is terminated that the FTC is aware, specifically, who it is and that they are making sure they are not falsely claiming that they are a safe harbor member. But then I think there’s a whole bunch of bigger questions about whether the safe harbor system works at all and whether it needs to be changed. I certainly think there needs to be more public oversight, like by making the annual reports public. To me, self-regulation has problems in general, one of them is really lack of enforcement.”

The FTC voted 5-0 to accept the settlement with Miniclip, which implements compliance and record-keeping requirements, and prohibits the company from “misrepresenting its participation or certification in any privacy or security program.” There is no monetary fine attached to the complaint, which falls under Section 5 of the FTC Act for “deceptive acts or practices.”

In a news release, FTC Bureau of Consumer Protection Director Andrew Smith said, “Consumers rely on companies to tell them the truth, especially when it comes to how they treat personal information about children. When companies like Miniclip promise consumers that they are an approved participant of a safe harbor program even after they’re removed, the FTC will take action.”
