Children’s Online Privacy Protection Act (COPPA) enforcement actions closed out 2021 (see our blog post) and children’s online privacy remains a hot topic in Congress in 2022. After a series of articles by The Wall Street Journal last September uncovered Instagram’s own research on possible harms to teenagers from social media engagement, members of the Senate Commerce, Science, and Transportation Subcommittee on Consumer Protection, Product Safety, and Data Security questioned executives from Facebook (Instagram’s parent company) about children’s online safety. More recently, Representatives Kathy Castor (D-FL14) and Jan Schakowsky (D-Il09) turned their attention to COPPA Safe Harbor organizations. In a letter sent on January 7, 2022 to the Children’s Advertising Review Unit (CARU), Entertainment Software Rating Board (ESRB), iKeepSafe, kidSAFE, Privacy Vaults Online, Inc. (d/b/a PRIVO) and TRUSTe, Castor and Schakowsky requested details concerning the organizations’ compliance with the legal requirements of the COPPA Rule.

The COPPA Safe Harbor program is a statutory creation. See 15 U.S.C. § 6503. The concept is simple: it allows an operator (as defined by COPPA) to satisfy the requirements of COPPA by following a set of self-regulatory guidelines issued by representatives of the marketing or online industries or other persons and approved in accordance with the procedures set out in Section 6503(b). The title of that section – “Incentives” – conveys the objective of Congress to promote self-regulation when it comes to children’s privacy. Section 6503(b)(1) directs the Federal Trade Commission (FTC) to “provide incentives for self-regulation.” Section 6503(b)(2) establishes that one of those incentives is “Deemed Compliance.”

In short, businesses that fully adhere to an approved COPPA Safe Harbor program by demonstrating to the FTC that their program offers substantially the same or greater protections for children as those outlined in the COPPA Rule are deemed compliant with the COPPA Rule for enforcement purposes. Safe harbor organizations that fail to do an effective job can lose Safe Harbor status, which occurred last summer when one organization was dropped from the list.

Castor and Schakowsky’s letter includes a questionnaire that asks Safe Harbor organizations for a range of information, including documentation of all Safe Harbor advertising, descriptions of how each organization’s Safe Harbor program provides substantially the same or greater protections for children as those contained in the COPPA Rule, what their processes are for handling consumer complaints, and what disciplinary actions they take if member companies are found in breach of the COPPA Rule. The authors state that they “are also committed to exploring ways in which Congress can strengthen COPPA and the COPPA Rule” and ask the organizations for feedback on ways to improve the Safe Harbor program.

Representative Castor has previously weighed in on children’s privacy issues. Following policy changes made by several major tech companies in response to the UK’s stringent new children’s privacy rules that took effect last September, Castor, along with Senator Ed Markey (D-Mass.) and Representative Lori Trahan (D-MA03), cosigned a letter to the FTC in October urging the Commission to use “all its authority to ensure that these powerful companies comply with their new policies, to hold them accountable if they fail to do so, and to prioritize the protection of children’s and teen’s privacy.” That letter followed a similar request to the CEOs of Amazon, Facebook, Google, Snapchat, TikTok, and Twitter in June 2021.

It is useful to periodically benchmark progress and consider ways that self-regulation can be improved. In doing so, it is vital that legislators remain true to the intent clearly expressed by Congress to provide strong incentives for effective self-regulation of children’s privacy.