The FTC’s COPPA Rule requires, inter alia, that operators of commercial websites and online services directed to children under the age of 13, or general audience websites and online services that knowingly collect personal information from children under 13, must obtain parental consent before collecting, using, or disclosing any personal information from children under the age of 13.
COPPA includes a “safe harbor” provision that allows industry groups and others to ask the Commission to approve self-regulatory guidelines that implement the protections of the Rule. Companies that comply with an FTC-approved safe harbor program are exempt from agency enforcement action under COPPA.
The Entertainment Software Ratings Board recently applied for approval of proposed modifications to its COPPA safe harbor program. The Federal Trade Commission has approved modifications to the video game industry’s self-regulatory program aimed at ensuring compliance with the Children’s Online Privacy Protection Act.
The ESRB Modified Program makes several substantive changes that ESRB indicates are intended to better align the program with the Commission’s COPPA-related regulations and guidance, and to allow the ESRB to monitor clients to ensure they remain in compliance with the law. For example, the Modified Program updates the definition of “Personal Information and Data,” adds text to make it clear that members shall not collect information and data that they are not utilizing, and clarifies that links to privacy statements must be clear and prominent.
The Commission received five comments in response to its request for comment on ESRB’s application, three of which were germane. An individual, recommended that the FTC review COPPA and other programs, such as the Safe Harbor Program, on an annual basis. The FTC agrees that this type of review is important.
The Commission does conduct an annual review of its approved Safe Harbor programs, as provided by the Rule. With respect to ESRB’s proposed changes, the commenter recommended that ESRB clarify that links to privacy statements be prominent and clearly labeled. This concern, also, is addressed in the Rule.
Section 312.4(d) requires, among other things, that an “operator must post a prominent and clearly labeled link to an online notice of its information practices with regard to children on the home or landing page or screen of its Web site or online service, and, at each area of the Web site or online service where personal information is collected from children.” Furthermore, ‘“clear and prominent’ means that the link must stand out and be noticeable to the site’s visitors through use, for example, of a larger font size in a different color on a contrasting background.
The Commission does not consider ‘clear and prominent’ a link that is in small print at the bottom of the home page, or a link that is indistinguishable from a number of other, adjacent links.” ESRB’s program does in fact require the link to be clear and prominent.
The Campaign for a Commercial-Free Childhood (“CCFC”) and the Center for Digital Democracy (“CDD”) filed a joint comment through their counsel, the Institute for Public Representation. CCFC and CDD recommended that absent changes, the FTC should reject ESRB’s application to modify its safe harbor program because in their view, ESRB’s proposed modification would reduce protections for children below the bar set by COPPA.
Another comment came from the Electronic Privacy Information Center (“EPIC”). While EPIC commended ESRB on some of its proposed changes, the organization expressed concern that other proposed modifications would diminish privacy safeguards and fall below
For Commission approval, self-regulatory guidelines must include: (1) a requirement that participants in the safe harbor program implement substantially similar requirements that provide the same or greater protections for children as those contained in the Rule; (2) an effective mandatory mechanism for the independent assessment of the safe harbor program participants’ compliance with the guidelines; and (3) disciplinary actions for noncompliance by safe harbor participants.
See the FTC approval correspondence, here.
Richard B. Newman is a digital media and data privacy compliance lawyer at Hinch Newman LLP. He is a member of the International Association of Privacy Professionals.
Advertising Material. Informational purposes only. Not legal advice. Always seek the advice of an attorney. Previous case results do not guarantee similar future result. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777.