One of the first formal privacy safe harbor programs was created under the Children’s Online Privacy Protection Act (COPPA). Put simply, businesses are deemed in compliance with COPPA if they belong to an FTC-approved COPPA safe harbor program and follow the safe harbor program’s guidelines. But the FTC takes seriously any false claim about participation in or compliance with any privacy safe harbor program, as Switzerland-based digital game maker Miniclip, S.A. discovered.
Commissioner Rohit Chopra issued a separate concurring statement in which he approved the settlement but called on the FTC to routinely review COPPA safe harbor programs, advocating continuing oversight by the FTC, bans on the ability of safe harbor organizations to generate consulting fees, and mandatory disclosure of documents and information related to members. He also urged that the FTC terminate safe harbor programs “that do not adequately fulfill their oversight requirements.” If adopted, however, Commissioner Chopra’s recommendation of mandatory disclosure requirements could undermine a fundamental purpose of safe harbor programs: offering a mechanism for companies to review compliance with an independent third party and quickly correct identified deficiencies. Safe harbor programs can avoid the time and cost of regulatory enforcement for both businesses and the FTC, but the participant must make a good faith effort to comply.
Safe harbor programs, such as the EU-U.S. Privacy Shield, the Swiss-U.S. Privacy Shield, and the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system, are also an important part of the privacy compliance landscape. We have previously reported on FTC enforcement actions against false Privacy Shield claims. The FTC’s action against Miniclip once again demonstrates the seriousness with which the FTC treats misrepresentations of participation in safe harbor frameworks, and especially COPPA. At a time when the FTC has solicited comments on possible revisions to the COPPA Rule, false COPPA safe harbor claims may get extra scrutiny. Companies should ensure that their membership in any safe harbor program – not just a COPPA safe harbor program – is current, that they adhere to all relevant safe harbor program guidelines, and that their advertising does not misrepresent the status of their participation.