Self-Regulation for Companies in COPPA Safe Harbors
What if your company had a buffer between it and the Federal Trade Commission, just as it’s enacted tough new rules in the Children’s Online Privacy Protection Act (COPPA)—someone who could pick up the phone and ask agency staff a question on your behalf, or provide you with warnings on non-compliance before a government investigator knocked on your door?
As sweeping, amended privacy regulations take effect on Monday, companies have long been taking advantage of such a shield: the FTC-approved safe harbor programs, a kind of shelter built into COPPA.
And more companies with child-directed websites and mobile apps may choose to join these safe harbor programs as they seek to comply with COPPA rules changes that expand the scope of what’s considered “personally identifiable information.” Under the rule, companies can’t collect images, audio, or persistent identifiers of children under 13 without obtaining parental consent—and companies are also liable if third parties operating on their sites collect that data without consent.
But in joining a safe harbor, “You can think of it as insurance against some very serious liability and costs for violating COPPA, even innocently,” says Blair Richardson, general counsel of Aristotle, whose safe harbor program was the most recent to be approved last year.
The commission is “more or less deputizing you to handle problems before they hit the FTC deck,” Richardson adds.
Explains FTC staff attorney Kandi Parsons, with the division of privacy and identity protection: “We each bring different authority to bear, but all with the same goal, which is compliance with the amended COPPA rule.”
Safe harbor programs “can help companies avoid enforcement,” she says.
The programs are designed to take the guesswork out of compliance for members. First, safe harbors have to earn FTC approval. Under the law, companies or organizations are allowed to submit applications to the commission, detailing how they would apply compliance requirements to members that match—or even exceed—COPPA’s standards.
“We get very specific with the how-tos,” says Dona Fraser, who leads the privacy seal certification program, ESRB Privacy Certified (formerly called Privacy Online), at the Entertainment Software Rating Board.
Those applications are published and open for a public comment period before the commission decides whether to grant safe harbor status. Since the COPPA rule went into effect in 1999, the FTC has approved five safe harbor programs and denied one application (one other application was withdrawn).
In that same time, the FTC has also carried out 19 enforcement actions for COPPA violations, totaling $6.6 million in fines, and often requiring violators to provide periodic compliance updates to the agency. None of those actions, however, has been against a company that belongs to a safe harbor program.
“The experience [of self-regulation] has been much better than anyone anticipated,” says Lee Peeler, a former deputy director of consumer protection at the FTC. He now leads the Advertising Self-Regulatory Council and is executive vice president for national advertising at the Council of Better Business Bureaus.
The safe harbor program that the council runs, the Children’s Advertising Review Unit (CARU), has amassed some 200 reported self-regulatory decisions on member compliance to date. That “frees up the FTC,” according to Peeler.
For companies, self-regulation “is vastly preferable to government enforcement,” Peeler adds. So much so that even when a member doesn’t agree with CARU’s findings about the company’s compliance, it will make the recommended change anyway.
Corporations including The Hershey Company and Marvel Entertainment have worked with CARU to improve their COPPA compliance. “You have major companies who will change the way they do business to demonstrate their support for self-regulation,” Peeler says.
Companies can also benefit from the safe harbor program’s relationship with the FTC. “In our experiences, the safe harbor programs work with their members to bring and keep them in compliance, so we would consider that” when contemplating an enforcement action, says the FTC’s Parsons.
Fraser says that if ESRB gets a compliance question from a member company, “and we don’t know the answer, I’m happy to pick up the phone and call the FTC.”
That offer may sound especially appealing now that the FTC can enforce the amended COPPA rule as of July 1, a deadline that many trade associations tried—and failed—to get the agency to push back.
And already, safe harbor program leaders are planning to seek additional answers for their members. CARU, for example, says it will poll members on the issues they’re struggling with and what approaches they’re taking to comply—then share that information with the membership at large.
The FTC has already published a series of frequently asked questions (with answers) about COPPA since April. The commission will keep releasing FAQs after July 1, according to Parsons. She also points companies to this resource page.
“The big compliance challenge is the new definition of what ‘personally identifiable information’ consists of, which is much more expansive and goes to the heart of many companies’ operation model,” says Peeler.
After July 1, he says, “We anticipate it being a very, very busy period.”