August 14, 2020

Volume X, Number 227

August 14, 2020

Subscribe to Latest Legal News and Analysis

August 13, 2020

Subscribe to Latest Legal News and Analysis

August 12, 2020

Subscribe to Latest Legal News and Analysis

FTC Settles with Digital Game Company Over Allegedly False COPPA Safe Harbor Claims

One of the first formal privacy safe harbor programs was created under the Children’s Online Privacy Protection Act (COPPA). Put simply, businesses are deemed in compliance with COPPA if they belong to an FTC-approved COPPA safe harbor program and follow the safe harbor program’s guidelines. But the FTC takes seriously any false claim about participation in or compliance with any privacy safe harbor program, as Switzerland-based digital game maker Miniclip, S.A. discovered.

The FTC’s complaint alleges that Miniclip, a major player in the children’s gaming space, falsely claimed participation in the Children’s Advertising Review Unit (CARU), despite having its membership terminated by CARU in 2015. Nonetheless, from 2015 to 2019, Miniclip continued to advertise its CARU membership on its website and Facebook games privacy policy page. On May 19, 2020, the FTC announced a proposed settlement order with Miniclip that requires the company to refrain from misrepresenting its participation or certification in any privacy or security program sponsored by a government or any self-regulatory organization, including the CARU COPPA safe harbor program. Miniclip must also supply compliance reports on request from the Commission and create records demonstrating full compliance with each provision of the order for ten years.

Commissioner Rohit Chopra issued a separate concurring statement in which he approved the settlement but called on the FTC to routinely review COPPA safe harbor programs, advocating continuing oversight by the FTC, bans on the ability of safe harbor organizations to generate consulting fees, and mandatory disclosure of documents and information related to members. He also urged that the FTC terminate safe harbor programs “that do not adequately fulfill their oversight requirements.” If adopted, however, Commissioner Chopra’s recommendation of mandatory disclosure requirements could undermine a fundamental purpose of safe harbor programs: offering a mechanism for companies to review compliance with an independent third party and quickly correct identified deficiencies. Safe harbor programs can avoid the time and cost of regulatory enforcement for both businesses and the FTC, but the participant must make a good faith effort to comply.

Safe harbor programs, such as the EU-U.S. Privacy Shield, the Swiss-U.S. Privacy Shield, and the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system, are also an important part of the privacy compliance landscape. We have previously reported on FTC enforcement actions against false Privacy Shield claims. The FTC’s action against Miniclip once again demonstrates the seriousness with which the FTC treats misrepresentations of participation in safe harbor frameworks, and especially COPPA. At a time when the FTC has solicited comments on possible revisions to the COPPA Rule, false COPPA safe harbor claims may get extra scrutiny. Companies should ensure that their membership in any safe harbor program – not just a COPPA safe harbor program – is current, that they adhere to all relevant safe harbor program guidelines, and that their advertising does not misrepresent the status of their participation.

© 2020 Keller and Heckman LLPNational Law Review, Volume X, Number 143


About this Author

Sheila Millar, Keller Heckman, advertising lawyer, privacy attorney

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues.  She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters.  She helps clients develop website and app privacy policies,...

Tracy Marshall, Keller Heckman, regulatory attorney, for-profit company lawyer

Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and commercial e-mail messages, contests and sweepstakes, endorsements and testimonials, marketing to children, and data breach notification. Ms. Marshall also helps clients establish best practices for collecting, storing, sharing, and disposing of data, and manage outsourcing arrangements and transborder data flows. In addition, she assists with drafting and implementing internal privacy, data security, and breach notification policies, as well as public privacy policies and website terms and conditions.

As to intellectual property matters, Ms. Marshall helps clients protect their copyrights and trademarks through registration, enforcement actions, and licensing agreements.

She also represents clients in proceedings before the Federal Communications Commission and Federal Trade Commission.

Ms. Marshall is a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals (IAPP) and a contributing author of Beyond Telecom Law Blog and Consumer Protection Connection.

Education: Washington and Lee University (B.A., 1997); American University, Washington College of Law (J.D., 2002).

Admissions: District of Columbia; Maryland

Memberships: American Bar Association