May 27, 2020
Children’s privacy protections are under the spotlight and rightly so. Last week FTC Commissioner Rohit Chopra issued a statement in which he commented on the “secrecy” of COPPA Safe Harbor programs and how this hinders the FTC in its investigations of violations of the Children’s Online Privacy Protection Act (“COPPA”). As the CEO and VP of Compliance for PRIVO, a Safe Harbor program in good standing since 2004, we would like to add some additional perspective based on our experience. PRIVO supports thousands of websites and apps, which have been proactive in seeking help to protect children’s privacy.
There are millions of apps and websites in the market, many of which appeal to children and many of which are operating in “a wild west” with little regard for privacy regulations or protections. Only a fraction of these companies has sufficient understanding of COPPA or immediate concern about the likelihood of enforcement which would prompt them to seek review by a COPPA Safe Harbor. Companies that proactively join a Safe Harbor program are putting heads above the parapet and opening the doors for review and evaluation. They have committed to doing the work required to get their houses in order. In many cases, they are investing in this work while understanding that competitors may be increasing their revenue and taking risks in ways that violate child privacy protection regulations, knowing regulatory enforcement is exceedingly rare.
By definition, Safe Harbor allows for time to remediate if something is discovered to be out of compliance or if something innocently goes awry. For example, in the fast-paced world of technology, changes do sometimes get rolled back in a release or a software bug occurs. Robust compliance monitoring looks for such issues and supports their timely resolution. If an operator cannot resolve an issue and refuses to make a fix, there is a process to remove COPPA Safe Harbor certification. However, it is important to note that the very point of joining a program is to bring the service into compliance and to monitor that compliance to ensure those fixes are made during a prescribed term. Supporting members to assess risk and construct compliant solutions is also an important area of our work and should not be seen as a conflict of interest. Any member in good standing of a Safe Harbor program will agree that it is not a “free pass.” Every member in our program is investing precious resources in the form of legal, executive, product, program and engineering time and expertise to understand the intricacies of any privacy concerns or potential compliance violations and to take the policy, practice and engineering steps to implement remedies sufficient for compliance certification.
In PRIVO’s view, success of a Safe Harbor program is better measured by its records of successful remediation (how the Safe Harbor contributed to improving privacy) rather than the number of expulsions and enforcement as a matter of course.
PRIVO has long supported transparency and welcomes an opportunity to show the robust program and hard work that its compliance team delivers for those members who have taken steps to work with a program such as ours. PRIVO publishes a list of all members and all the services, app by app and site by site, in its program to ensure transparency for the public, industry and regulators alike, here: https://my.privo.com/. If a member is no longer in our Safe Harbor program and the Safe Harbor seal has not been removed from the app or site, clicking on it will display a page stating that this company is NOT certified compliant by PRIVO. We also work closely with the FTC staff to provide feedback on issues and comprehensive reporting of the work we do.
In order to encourage companies to engage in the process of protecting minors’ privacy, there must be agreed upon limits to the level of transparency with the caveat that any immediate or serious risk to children’s privacy is always given the highest priority.
While an operator is in the program, they are monitored by the Safe Harbor and can remediate within an established framework and timeline. This is the value of membership to businesses who want to be compliant but need specialized expertise to fully understand where they may fall short and what remedial options are available and acceptable. In fact, the Safe Harbor process of assess, report, remediate, certify, repeat is the very engine which in turn supports the delivery of compliant and privacy-protected experiences for children.
It is always possible to find a bad actor, and it’s easy for this to become a focus, undermining the very good work that is taking place under Safe Harbor programs each and every day. The recent news of Miniclip, which fraudulently continued to claim membership of a COPPA Safe Harbor when in fact its membership had been terminated, is one such case in point.
We believe the FTC must be given the resources it needs to review its Safe Harbor programs but, as importantly, it needs resources to review key areas of concern in general, such as the ad tech industry in relation to children’s privacy and the exploitation of children’s data. These are areas where Safe Harbor plays a key role, supporting with knowledge gained from working at the grass roots.
PRIVO says yes to more transparency into how we work but in a measured and thoughtful way to ensure that more good than harm comes from any material changes to the way Safe Harbor programs are operated. PRIVO was pleased to provide comments on the Federal Trade Commission's (FTC) request for public comment on COPPA in December of 2019, where PRIVO specifically addresses the COPPA Safe Harbor program, among other recommendations. See PRIVO’s submission by clicking here.
We take great pride in the role we play in ensuring children’s privacy and we look forward to collaborating with all efforts to improve success across the entire ecosystem of identity protection for children and minors.
Denise G. Tayloe, Co-Founder & CEO
Claire Quinn, VP of Compliance & DPO, CIPP/e