Do your COPPA Safe Harbor claims hold water?

Share This Page

Way back in Marketing 101, we learned that consumers factor a number of features into their purchase decisions: price, performance, product positioning, and personal preference, to name just a few. The FTC’s proposed settlement with game developer Miniclip serves as a reminder of another important alliterative consideration for many consumers: privacy. The company claimed it was a current member of a Children’s Online Privacy Protection Rule’s safe harbor program – a representation the FTC says was false.

Most companies are (we hope) familiar with the compliance basics of the Children’s Online Privacy Protection Act Rule. Among other things, the COPPA Rule requires that operators of commercial websites and online services directed to children under 13, or general audience websites and online services that knowingly collect personal information from kids under 13, post their privacy policies prominently, notify parents about their information practices, and get parental consent before collecting, using, or disclosing personal information from their kids.

The COPPA Rule includes a safe harbor provision that allows industry groups and others to seek FTC approval for self-regulatory guidelines that implement protections that are “the same or greater” than the COPPA Rule. A company is deemed to be in compliance with COPPA if it’s a member of an FTC-approved COPPA safe harbor program and honor its guidelines.

Which brings us back to complaint allegations against Miniclip. The company joined the Children’s Advertising Review Unit’s safe harbor program in 2009 and remained a member until 2015, when CARU terminated Miniclip’s participation. But according to the FTC, until mid-2019, Miniclip continued to say this on its website:

In recognition of our focus on the quality and safety of our content, we have been accepted to join the CARU Kids Privacy Safe Harbor Program and have been certified as COPPA compliant.

And again until mid-2019, here’s what it claimed on its Facebook games privacy policy page:

Miniclip is a Certified Participant of the Better Business Bureau’s, CARU Kids Privacy Safe Harbor Program . . . . The information practices of Miniclip.com have been reviewed and meet the standards of the Children's Advertising Review Unit’s Kid’s Privacy Safe Harbor Program.

The complaint alleges that Miniclip violated the FTC Act by falsely representing it was a current participant in CARU’s COPPA safe harbor program. Under the proposed order, Miniclip is prohibited from misrepresenting its participation or certification in any privacy or security program sponsored by a government or any self-regulatory organization. Once the settlement runs in the Federal Register, you’ll have 30 days to file public comments with the FTC.

The case offers two takeaway tips for businesses.

Truth-in-advertising principles extend beyond product performance.  Of course, your widget must do what you say it does. But other claims you make – including representations about your privacy practices or your adherence to self-regulatory frameworks – aren’t just window dressing. They, too, are objective claims that also need appropriate substantiation.

Re-re-read your privacy policies and other disclosures.  Drafting your company’s privacy policies – both on your website and on other sites – isn’t a one-and-done box to check off your TO DO list. It’s a living, breathing document that has to keep up with changes in your business practices. Review your privacy policies and other disclosures periodically to make sure they’re up to date.


 

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.