One of the first formal privacy safe harbor programs was created under the Children’s Online Privacy Protection Act (COPPA). Put simply, businesses are deemed in compliance with COPPA if they belong to an FTC-approved COPPA safe harbor program and follow the safe harbor program’s guidelines. But the FTC takes seriously any false claim about participation in or compliance with any privacy safe harbor program, as Switzerland-based digital game maker Miniclip, S.A. discovered.
The FTC’s complaint alleges that Miniclip, a major player in the children’s gaming space, falsely claimed participation in the Children’s Advertising Review Unit (CARU), despite having its membership terminated by CARU in 2015. Nonetheless, from 2015 to 2019, Miniclip continued to advertise its CARU membership on its website and Facebook games privacy policy page. On May 19, 2020, the FTC announced a proposed settlement order with Miniclip that requires the company to refrain from misrepresenting its participation or certification in any privacy or security program sponsored by a government or any self-regulatory organization, including the CARU COPPA safe harbor program. Miniclip must also supply compliance reports on request from the Commission and create records demonstrating full compliance with each provision of the order for ten years.
Commissioner Rohit Chopra issued a separate concurring statement in which he approved the settlement but called on the FTC to routinely review COPPA safe harbor programs, advocating continuing oversight by the FTC, bans on the ability of safe harbor organizations to generate consulting fees, and mandatory disclosure of documents and information related to members. He also urged that the FTC terminate safe harbor programs “that do not adequately fulfill their oversight requirements.” If adopted, however, Commissioner Chopra’s recommendation of mandatory disclosure requirements could undermine a fundamental purpose of safe harbor programs: offering a mechanism for companies to review compliance with an independent third party and quickly correct identified deficiencies. Safe harbor programs can avoid the time and cost of regulatory enforcement for both businesses and the FTC, but the participant must make a good faith effort to comply.
Safe harbor programs, such as the EU-U.S. Privacy Shield, the Swiss-U.S. Privacy Shield, and the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system, are also an important part of the privacy compliance landscape. We have previously reported on FTC enforcement actions against false Privacy Shield claims. The FTC’s action against Miniclip once again demonstrates the seriousness with which the FTC treats misrepresentations of participation in safe harbor frameworks, and especially COPPA. At a time when the FTC has solicited comments on possible revisions to the COPPA Rule, false COPPA safe harbor claims may get extra scrutiny. Companies should ensure that their membership in any safe harbor program – not just a COPPA safe harbor program – is current, that they adhere to all relevant safe harbor program guidelines, and that their advertising does not misrepresent the status of their participation.