Self-regulatory organization moves to match earlier FTC-issued guidance

Port in the Storm

The Children’s Online Privacy Protection Act provides a “safe harbor” for companies that comply with self-regulatory certification guidelines issued by FTC-approved industry groups. Companies that comply with these certification requirements are exempt from agency enforcement under the Children’s Online Privacy Protection Act (COPPA). 

The Entertainment Software Rating Board (ESRB – responsible for, among other things, the familiar rating labels found on software game packages) was one of the first industry groups to create safe harbor guidelines (the ESRB’s were approved by the FTC in 2001). On March 13, 2018, the ESRB submitted a request for approval of modifications to its safe harbor program. According to the request, the board believes that a continual assessment of its program requirements against the changing standards of COPPA is necessary to “ensure they remain current with the Commission’s COPPA-related regulations and guidance.”

Among the modifications are changes that will make the ESRB’s program requirements “track” FTC guidance governing the collection of audio voice recordings under COPPA. The guidance, issued in October 2017, mandated that websites and online services that deal with children needed to obtain “verifiable parental consent” prior to collecting an audio recording of a child; this policy doesn’t apply to audio captures that are used strictly for a limited time and purpose – for instance, interactive search functions.

The changes also include the removal of the self-assessment questionnaire requirement for new members of the ESRB program (the ESRB is interested in taking a more personal approach to new members, including phone calls and video conferences) and a new insistence on “prominent and clearly labeled” privacy statements, including mandatory links to the privacy statements in the app store pages of companies that produce apps under the program’s umbrella.

The FTC is seeking comment on these changes; the public comment period closes on May 9, 2018.

The Takeaway

Under COPPA, commercial website operators that market services and products to children under the age of 13 must post comprehensive privacy policies, notify parents about their information-collection practices and, absent certain narrow exceptions, obtain verified parental consent before collecting personal information (defined to include device identifiers) from children. COPPA has been a hot issue over the past year, most recently and notably in a case filed against YouTube. COPPA gives the FTC the ability to levy fines, a power it lacks regarding its privacy regulation for adults, and the commission has been very active in bringing actions and fining companies that make COPPA errors. Working with an FTC-approved safe harbor provider is a good way to learn how to comply with the complicated regulatory scheme for children’s privacy and avoid FTC enforcement actions. Another popular safe harbor program is administered by CARU, the Children’s Advertising Review Unit of the Council of Better Business Bureaus.