PRIVO's Submission to the FTC Announcement

December 13, 2019

PRIVO was pleased to provide comments on the Federal Trade Commission's (FTC) request for public comment on the Children's Online Privacy Protection Act (COPPA).

Where COPPA is sometimes perceived to be no more than the online equivalent of movie ratings designed to prevent children from seeing scary content or hearing swear words, its requirements are not taken seriously with the result that many call for its protections to be weakened. In PRIVO’s experience, however, industry and users both benefit when COPPA-compliant child privacy safeguards are in place permitting children, content creators, and brands to interact in appropriate ways. More can be done to fulfill the promise of this groundbreaking and important legislation.

We'd like to highlight some of our top recommendations:

Adoption of a uniform signal:

• PRIVO submits that the Commission should encourage industry to cooperate in the adoption of a uniform signal by which a device or browser can give operators notice that the primary user of the device is a child. Operators would then respond by discontinuing any tracking, behavioral advertising, profile building, lookalike modeling or similar data collection practices as well deactivating features that permit a child to potentially disclose Personal Information such as through chat or sharing. Just as commercial casinos in many states are required to maintain a database whereby those who have a gambling addiction can identify themselves to a casino and request the casino’s assistance in preventing the addicted person from engaging in certain activities in the casino, so too would parents be able to designate a particular device as one used primarily by a child and secure the operator’s assistance in protecting the child’s Personal Information.

Educational and non-profit entities:

• In Question 5, the Commission asks whether there are other laws that conflict with the COPPA Rule and make compliance with one or the other law difficult. There is confusion on the part of schools, service providers and parents as to what FERPA and COPPA require, the extent of the protection of the “school official” exemption to FERPA, and what approach to take with respect to clarifying these issues in this proceeding.
  
• PRIVO encourages the Commission to review the COPPA education exception to ensure that commercial entities are obliged to verify that the teacher has been given the authority to act on behalf of the school.
• There are an increasing number of customizable educational tools, contests (run by non-profits, government and commercial entities alike) and content that are fueled by personal information collected. While the Commission did not explicitly ask about non-profit entities and its jurisdiction is limited with respect to them, non-profits collect and control large amounts of child personal information. These include traditional youth organizations, athletic programs, and an ever-growing number of enrichment programs operated by foundations that are funded by commercial entities seeking to reach children around STEAM or other educational themes. The Commission should examine whether non-profits share covered information with commercial partners and funders and require that those commercial entities comply with COPPA due to their knowledge that the information originated with the child-directed activities of the non-profit.
  
• In addition, the Commission should examine the extent to which non-profits’ privacy policies and marketing materials reference COPPA-like protections, such as statements affirming commitment to the protection of children under 13 and adherence to vague privacy best practices, and consider whether such assertions, which play on the inherent trust parents may have in non-profits, are unfair or deceptive where the entity is not in compliance with COPPA.

GDPR:

• One aspect of the GDPR that the COPPA Rule should mirror is in establishing a child’s rights, as distinguished from the rights of the parent in relation to the child, which is what COPPA addresses. The GDPR is very clear that the child has the same rights as a data subject at or above the age of consent to, for example, erasure of their personal data.

Provisions regarding Safe Harbors:

• PRIVO submits that, properly operated, a Safe Harbor does invaluable work in bringing members into compliance, educating members and other stakeholders as to the important issues involved in children’s online privacy protection, and in so doing, frees Commission staff to focus scarce investigative and enforcement resources on those operators that may not be striving for compliance. Nevertheless, PRIVO is aware that in a few instances, operators have refused to take steps prescribed by a Safe Harbor, and then tried to join another Safe Harbor in the hopes of not being asked to take those same steps. These rare occurrences waste Safe Harbor resources, seek to create competition among the Safe Harbors on the issue of compliance, and if left unaddressed, could undermine confidence in one or more Safe Harbors or the program as a whole. While Safe Harbor remains a neutral third party, any competition between the Safe Harbors should be on added value and support that is provided at a service agreement level only.
  
• With respect to Safe Harbor approval and monitoring, it is appropriate for the Commission to require the Safe Harbor to demonstrate current skill sets and experience adequate to administer a robust and up to date program.
• Programs must also be able to show that they have members with child directed services in order to maintain Safe Harbor status. What ensures a Safe Harbor is equipped to carry out its role is working closely not just with members, but with industry in general, at a grass roots level, to ensure comprehensive understanding of all areas of this evolving and dynamic environment. An example might be the ability to run packet sniffing tools and analyse the results to uncover third party tracking and any potential violations.
• With respect to the language of Section 312.11(g), PRIVO submits that the section is internally contradictory. The first sentence relieves operators of any liability for a violation of COPPA if they are participating in an approved self-regulatory program. The remainder of the section confuses the section’s message. Should the Commission have concerns with the compliance of an operator, it should bring those concerns to the Safe Harbor. If it is determined that corrective action is necessary, the Safe Harbor should assure that the operator takes it. This has been the Commission’s practice, and that practice does not seem to be influenced by the remaining language of the Section.

PRIVO is pleased to have had the opportunity to bring these issues forward and looks forward to working with the Commission on these and similar issues.

Read PRIVO's complete submission, click here.