Could COPPA Safe Harbor Changes Be in Store?
The Federal Trade Commission (FTC) took the unprecedented step of removing one of the approved Safe Harbor organizations under the Children’s Online Privacy Protection Act (COPPA) for failing to provide effective monitoring and assessment of its member companies’ websites, as required under the COPPA Rule. Earlier this year, Commission staff warned Aristotle International, Inc., whose Safe Harbor program was approved in 2012, that it was concerned about Aristotle’s monitoring practices and was considering withdrawing approval. On June 1, Aristotle informed the FTC that it was leaving the COPPA Safe Harbor program, and on August 4, the FTC announced that it had removed the company from the list.
Pursuant to Section 312.11(a) of the COPPA Rule, industry groups or other persons can apply to the FTC for approval of self-regulatory program guidelines. Approved programs must provide substantially the same or greater protections for children as those outlined in the COPPA Rule. Businesses that fully adhere to an approved COPPA Safe Harbor program will be deemed in compliance with the COPPA Rule for enforcement purposes under § 312.11(g), which provides incentives to businesses to support self-regulatory programs.
The August 4 press release announcing Aristotle’s removal from the COPPA Safe Harbor list included a troubling comment by the FTC’s Bureau of Consumer Protection’s Acting Director, Sam Levine, that may spell changes ahead for Safe Harbor programs: “There is a clear conflict of interest when self-regulatory organizations are funded by the website operators and app developers they are supposed to police, so we will be closely scrutinizing other children’s privacy oversight outfits to determine whether they are living up to their obligations.”
While the Acting Director’s statement reflects a concern over conflicts of interest as it pertains to Aristotle, it also appears to question the role, nature, and purpose of self-regulatory programs, as reflected in COPPA and the COPPA Rule. Antipathy towards the notion of industry self-regulation is also reflected in recent proposed legislation introduced by Rep. Castor (D-FL). But self-regulatory advertising and privacy programs, which are commonly funded by the “industry groups” authorized to apply for recognition under COPPA, provide enormous benefits to consumers, businesses, and regulators, as the FTC has recognized for decades.
Businesses play an essential role in the success and effectiveness of self-regulatory programs. Their financial support and input help to ensure that the organizations that serve them meet their respective legal compliance responsibilities. Self-regulatory programs not only help check on a participant’s compliance but also serve as a vehicle for businesses to air practical concerns about compliance burdens, assess implications of technological advancements and consumer interfaces, and put forward innovative ideas that can make compliance easier and less expensive. The Safe Harbor provisions of COPPA and other self-regulatory frameworks are intended to promote flexibility and efficiency by allowing businesses to tailor their compliance programs and to reward participants’ good faith efforts to comply with the law.
As the FTC continues to discuss potential changes to the COPPA Rule in its ongoing review, initiated in 2019, FTC oversight of COPPA Safe Harbor organizations is sure to be discussed. In his statement on a 2020 notice accepting a proposed consent agreement with Miniclip for falsely representing that it participated in a COPPA Safe Harbor organization, Commissioner Rohit Chopra suggested a number of possible changes to the Safe Harbor framework. Some of these suggestions are already reflected in the COPPA Rule. For example, the Rule requires that Safe Harbor organizations monitor and assess members’ adherence to COPPA and their own privacy notices and provides for revocation of approval.
If a COPPA Safe Harbor organization fails to adhere to applicable rules, or neglects to exercise proper oversight of its members, it can and should be sanctioned by the FTC as a violation of the Rule. However, the assumption underlying the criticism that industry funding of self-regulatory programs necessarily removes their independence is contradicted by more than twenty years of largely successful COPPA Safe Harbors and has implications for other longstanding privacy and advertising self-regulatory programs and dispute resolution mechanisms. Foreclosing industry-led Safe Harbor organizations from exploring other revenue options or programs, as some have suggested, or forcing public disclosure of all documents and interactions with participants, will undermine the usefulness and value of the Safe Harbor process. Careful thought should be given to how to best assure that COPPA Safe Harbor organizations fully comply with their oversight responsibilities under COPPA while maintaining appropriate incentives to attract business participants and maintain the financial viability and independence of the Safe Harbor organization.