Modifications to the video game industry’s self-regulatory program designed to comply with the Children’s Online Privacy Protection Act (COPPA) Rule have been granted approval by the Federal Trade Commission.
In 2001, the FTC approved the Entertainment Software Rating Board’s (ESRB) original COPPA safe harbor program; in 2005 and again in 2013, the agency signed off on modifications to the program (in part, to comply with the 2012 amendments to the COPPA Rule).
The group submitted an application in March 2018 to make substantive changes intended to better align the program with the FTC’s guidance and regulations. For example, the ESRB sought to update the definition of “Personal Information and Data” (PID) to make it clear that members cannot collect information and data that they are not using and to clarify that links to privacy statements must be clear and prominent.
As part of the modification process, the FTC asked for public comment. The agency received five comments, only three of which were germane. One individual provided several suggestions that the agency noted were already covered by the program (conducting an annual review of the approved safe harbor programs, for instance).
Together, the Campaign for a Commercial-Free Childhood (CCFC) and the Center for Digital Democracy (CDD) filed a joint comment with additional ideas to modify the program. Specifically, the groups proposed replacing language regarding the number of compliance reports required; adding language explaining how the ESRB will collect information about a participant’s “Online Information Practices”; revising the proposed exceptions for speech-to-text recordings and persistent identifiers within the definition of PID; and defining the term “Monitored Products.”
The CCFC and CDD also advised the FTC that the ESRB program should retain language that defines street-level geolocation as PID; replace “photograph or video recording showing an individual’s face” in the definition of PID with “photograph or video that contains the individual’s image;” reinstate the language requiring each member to link to its privacy statement; and replace the word “should” with “must” or “shall” in the sentence “If PID is not being utilized, Participant should not collect it.”
Agreeing that these proposed amendments “would help ensure that ESRB’s Modified Program is compliant with COPPA,” the FTC said the program as approved reflected these changes.
In addition, the FTC also adopted the tweaks submitted by the Electronic Privacy Information Center (EPIC) in its comment. EPIC encouraged the agency to reject the ESRB’s attempt to narrow the definition of “Child/Children” to only residents in the United States. The FTC agreed with the Center, noting that “COPPA’s protections are not limited only to U.S. residents.”
The FTC also rejected a proposal from the ESRB to change the definition of PID with respect to information “rendered anonymous” and “collected online,” finding merit in EPIC’s concerns that the modification could be read to allow member companies to collect personal information without notice and consent as long as they de-identify it.
Finally, EPIC suggested that ESRB’s plan to mandate “exit messages” or “bumper pages” be phrased as a best practice rather than a requirement.
Having concluded that the ESRB Modified Program, as updated to reflect the public comments, satisfied the criteria for approval, the FTC approved the modifications.
To read the FTC’s letter, click here.
Why it matters: For the FTC to approve the self-regulatory guidelines, they must have included a mandate that participants in the safe harbor program implement requirements that provide the same or greater protections for children as those contained in the COPPA Rule. They must also provide an effective mandatory mechanism to independently assess whether participants have complied with the guidelines, and they must describe what disciplinary actions are available for those who fail to comply. As the ESRB Modified Program satisfied these requirements—once the changes proposed by the CCFC, CDD and EPIC were incorporated—the FTC approved the safe harbor program for the video game industry.