On May 18, 2020, FTC Commissioner Rohit Chopra issued a statement regarding concerns of the Children’s Online Privacy Protection Act (COPPA) Safe Harbor programs. Sparked by the ouster of the mobile gaming player, Miniclip S.A., from the Children’s Advertising Review Unit’s (CARU) Safe Harbor program, the FTC announced action against Miniclip to order the cessation of its alleged misrepresentations regarding Miniclip’s participation in the self-regulatory program. A proposed settlement Consent Order was agreed and will published in the Federal Register for public comment shortly.

The COPPA Rule generally requires that operators of commercial websites and online services that collect personal information from children under the age of 13 provide parents with notice of their collection practices and obtain verifiable parental consent before collecting, using, or disclosing such personal information. COPPA contains a provision that enables industry groups to submit for FTC approval proposed self-regulatory guidelines that implement protections equivalent to or greater than the COPPA Rule. CARU, a self-regulatory division of the Better Business Bureau, is one of seven organizations currently approved by the FTC as Safe Harbor organizations. CARU carries the mission to “(1) to protect children from deceptive or inappropriate advertising in all media, and; (2) to ensure that, in an online environment, children’s data is collected and handled in a responsible manner.”

To this end, CARU implements COPPA Safe Harbor Program involving audits, monitoring, security and privacy reviews, and product assessments, for which CARU touts that adherent participants are deemed in compliance with COPPA and essentially insulated from FTC enforcement. Miniclip had joined CARU’s Safe Harbor program in 2009, but was terminated in 2015 amid claimed program violations. From termination until mid-2019 Miniclip continued to claim on its website and Facebook games privacy policy that it was then-currently a member of CARU’s program.

In the statement, the Commissioner took the opportunity of this rare termination by CARU to comment that the continued secrecy of the Safe Harbor programs violations stifles the ability of the FTC to timely investigate and pursue violators within the five-year statute of limitations. The Statement strongly suggested future revisions to the construct of these Safe Harbor programs aimed at increased transparency and accountability. Listing five illustrative examples of revisions – including disclosure of participants’ Safe Harbor performance data, complaints and disciplinary actions to the public – the Commissioner suggested that the Safe Harbor program revamp is “just one of many actions” that the FTC may take strengthen the Commission’s approach to children’s privacy.

As continued participation under these programs may soon be restructured, companies may soon reassess the benefit of electing to participate in the program, particularly if currently confidential product and operation assessments may made public.