Marc E. Szafran, Esq.
Dear Mr. Szafran:
This letter is to inform you that the Federal Trade Commission has approved the application of the Entertainment Software Rating Board (ESRB) to serve as a safe harbor program for purposes of implementing the protections of the Children's Online Privacy Protection Rule.(1) As you know, the Rule includes a provision enabling industry groups or others to submit self-regulatory guidelines to the Commission for approval as a safe harbor program.(2) Pursuant to this provision, on May 1, 2000 ESRB submitted an application for Commission approval. The application was published in the Federal Register on June 30, 2000 for public comment, which closed on July 31, 2000.(3)
To be approved by the Commission, self-regulatory guidelines must include: (1) a requirement that participants in the safe harbor program implement substantially similar requirements that provide the same or greater protections for children as those contained in the Rule; (2) an effective, mandatory mechanism for the independent assessment of safe harbor program participants' compliance with the guidelines; and (3) effective incentives for safe harbor program participants' compliance with such guidelines.(4) The Commission has determined that ESRB's application for status as a safe harbor program and its self-regulatory guidelines satisfy these three criteria.
First, the Commission has determined that the "Children's Program Requirements," Part 7 of ESRB's "Principles and Guidelines,"(5) mirror the provisions of the Rule in setting forth the requirements that each safe harbor participant must follow, and therefore provide the same or greater protections as those contained in the Rule.
Second, the Commission has determined that the independent assessment mechanisms that ESRB has created to evaluate participants' compliance with its guidelines meet the standard set out in the Rule. The proposed program asks the applicant to complete an initial self-assessment questionnaire,(6) in preparation for ESRB's onsite visit to independently assess the website's information practices.(7) The program also includes random and quarterly monitoring and seeding of each website to assess compliance with the self-regulatory guidelines.
Third, the Commission has concluded that ESRB's safe harbor program provides a number of effective incentives to ensure operators' ongoing compliance with its guidelines. Two proposed incentives mirror two of the recommended incentives set forth in the Rule. For example, in cases where the operator fails to voluntarily comply with ESRB's guidelines after ESRB has sent it a formal enforcement letter, ESRB may refer the matter to the Commission. In addition, ESRB will enforce its License Agreement provisions by seeking legal remedies for any material breach of the agreement, including seeking compensation in the form of payments to the United States Treasury.
In response to the publication of ESRB's safe harbor application, the Commission received two comments. Only one comment raised concerns with ESRB's application, which concerns primarily involved: (1) the need to clarify certain aspects of ESRB's requirements for providing parental notice and giving parents access to their child's information and (2) the fact that the ESRB guidelines themselves did not contain the compliance incentives required for safe harbor status. The Commission believes that each of these concerns has been addressed through ESRB's submission of revised materials. ESRB's Principles and Guidelines now specifically articulate each requirement that website operators must meet in order to fall within the safe harbor program and closely follow the requirements set forth in the Rule.
The Commission therefore is pleased to approve ESRB's application as its second safe harbor program. This program will play an important role in expanding the implementation of the COPPA Rule, and we look forward to working with ESRB and other safe harbor programs to provide these important protections for children's online privacy. The Commission reserves the right to revoke this approval if at any time it determines that the approved self-regulatory guidelines and their implementation do not, in fact, meet the requirements of the Rule.
By direction of the Commission
1. 16 C.F.R. § 312.
2. 16 C.F.R. § 312.10.
3. The Commission received two comments. In response to concerns raised in the comments, ESRB supplemented its application with additional materials on November 17, 2000 and March 7, 2001, which more specifically describe the practices websites must implement under its program.
4. 16 C.F.R. § 312.10(b).
5. ESRB requires website operators involved in its safe harbor program to participate in its general Privacy Online privacy seal program. ESRB's safe harbor program is the distinct component within its general program that requires websites collecting personal information from children to provide the Rule's specific protections.
7. ESRB's Online Audit Report (a proprietary, non-public document) is a comprehensive questionnaire used by ESRB personnel in connection with the onsite assessment of an applicant website's information practices.