A recent lawsuit brought by the New York Attorney General has spurred debate over the effectiveness of the Federal Trade Commission’s (“FTC”) enforcement of child online privacy laws. As a result of this lawsuit, changes may be coming that will affect smart phone application developers, social media platforms, software service providers, and other companies that target or collect data from children under thirteen years old.
The New York Attorney General’s lawsuit based on violations of the Children’s Online Privacy Protection Act (“COPPA”) is significant for two primary reasons. First, the lawsuit prompted the FTC to seek public comment on proposed measures to strengthen privacy requirements for online companies with content attractive to children. Second, the lawsuit resulted in another major penalty imposed on a company for COPPA privacy violations.
What is COPPA?
COPPA is a federal law intended to protect the privacy of children under thirteen years old. COPPA prohibits child-directed online services and other online developers or providers from collecting, using, or disclosing personal information of children under thirteen years old. COPPA also imposes disclosure, reporting, parental consent, and oversight requirements on these companies. Violating COPPA can cost over $40,000 per individual violation. The FTC and State Attorneys General enforce COPPA.
Companies subject to COPPA can avoid these penalties by participating in COPPA’s “Safe Harbor” program. To participate in the Safe Harbor program, a company must obtain a certification showing that the company has implemented self-regulation protections that meet COPPA’s requirements.
TrustArc (formerly known as TRUSTe) is one of seven FTC-approved organizations that certify companies under the Safe Harbor program. Once TrustArc certifies a company, the company will generally be immune from FTC enforcement actions, but TrustArc must monitor the company for continued compliance.
The Lawsuit and Proposed Changes
In April 2017, TrustArc settled a lawsuit brought by New York Attorney General Eric Schneiderman. The lawsuit alleged TrustArc failed to adequately ensure that companies using TrustArc as a Safe Harbor provider remained compliant with COPPA. TrustArc agreed to pay $100,000 and implement changes to its approval and monitoring procedures. Among other things, TrustArc agreed to require its customers to conduct an annual internal assessment of third parties’ collection of personal information from children under the age of thirteen.
After TrustArc proposed these changes, the FTC sought public comment on the proposed changes. Commenters, namely online businesses and other Safe Harbor providers, supported the proposed changes as a way to toughen TrustArc’s monitoring of child privacy. The FTC has not yet announced its decision on the proposed changes.
These changes would impact TrustArc-certified companies by adding new privacy and tracking requirements. Other Safe Harbor providers are expected to follow suit. Moreover, the lawsuit and proposed changes, whether or not approved, reflect an increase in COPPA enforcement that should alert all online businesses, website providers, and app developers to the need to become or remain compliant with COPPA or risk major penalties.
Severe Penalties for COPPA Violations
The TrustArc lawsuit marks another costly penalty paid for COPPA violations. Since 2015, app developers and other online services not in COPPA’s Safe Harbor program have paid penalties up to $950,000 for COPPA violations. Most lawsuits involved allegations that companies allowed third parties to collect personal information about children under thirteen. Other lawsuits were brought against third-party advertisers directly for these same actions.
These penalties illustrate the importance to online companies of participating in COPPA’s Safe Harbor program and maintaining robust internal compliance programs. While the FTC may make changes to the Safe Harbor program, the need for businesses to seek Safe Harbor under COPPA remains critical in the face of increasing enforcement and penalties.
The TrustArc lawsuit and proposed regulations reveal the FTC and state enforcement agencies’ increased effort to protect and enforce online child privacy. Smart phone developers, social media platforms, software service providers, and any other company targeting or collecting data from children under thirteen should pursue Safe Harbor protection to mitigate risk of COPPA penalties. Moreover, these companies—safe harbor approved or not—should follow the FTC’s decision on the proposed changes to maintain COPPA compliance.
For more information on the proposed changes, see the FTC’s web page seeking public comment on the changes.
Jon Farnsworth is a shareholder at Felhaber Larson in Minneapolis, Minnesota. He is the Past Chair of the Minnesota Computer and Technology Law Section. He advises clients on complex technology and legal issues, including COPPA. Jon gratefully acknowledges and thanks Zach Alter, a summer associate at Felhaber Larson, who was instrumental in the creation of this article.