With Widespread COPPA Noncompliance, Stakeholders Expect FTC Enforcement Action
Over a year after the FTC updated the Children’s Online Privacy Protection Act (COPPA) rule, the commission has yet to bring any enforcement actions, surprising many and leaving some in industry concerned about COPPA’s effectiveness. “It would be like shooting fish in a barrel to find somebody noncompliant,” said Denise Tayloe, president of Privacy Vaults Online (PRIVO), an FTC-certified COPPA safe harbor that tests its clients’ COPPA compliance. COPPA, Tayloe told us, “won’t get adopted without enforcement.”
Some credit the FTC for taking a measured approach over the past year-plus. “They are being flexible,” said Joanne Furtsch, director-product policy for TRUSTe, another of the seven FTC-approved safe harbor programs. The commission has updated its COPPA FAQs multiple times in response to industry queries (WID July 17 p4; April 23 p8) and allowed companies to submit applications for new verifiable parental consent (VPC) methods. The FTC, Furtsch told us, is “clarifying around how they're interpreting the rule and providing some more flexibility to both operators and consumers about how that verifiable parental consent is obtained.” Alan Friel, a privacy and consumer protection lawyer with BakerHostetler, told us that over the past year the FTC has “really spent a lot of time sending staff to ad industry conferences and Web developer conferences and getting out there and explaining what all this means.”
But everyone we talked to believes the hammer will soon fall. “I would be surprised if we don’t start seeing [enforcement] by the first quarter of next year, at the latest,” said Friel, who speaks with FTC staff regularly. “It’s a really powerful tool in their arsenal.” Because the commission has spent considerable time working with industry to clarify the rule, once it starts enforcement actions, “I think they'll be even less tolerant,” Friel said. The FTC could not comment by our deadline.
COPPA’s updated rule took effect July 1, 2013, expanding the websites and apps that fall under COPPA, broadening the definition of personal information and allowing companies to submit new VPC mechanism applications (WID Dec p1). The updates came to the fore earlier this week when the FTC requested comment on AgeCheq’s VPC method application (WID Aug 26 p1), the fourth such application under the new rule. Some took issue with the application for its substance -- or lack thereof -- while others argued AgeCheq should be working with a safe harbor company instead of the FTC.
AgeCheq proposed a “consent management platform” that would allow parents to control consent for an unlimited number of websites and apps while giving developers a central location to submit their information collection details (http://1.usa.gov/1zturNX). The proposal lacked substance, said Center for Digital Democracy (CDD) Legal Director Hudson Kingston, arguing it more closely resembled a safe harbor program than a VPC and skirted the necessary technical details. “I don’t think he actually read the application,” AgeCheq CEO Roy Smith told us, pointing to a number of charts and video demonstrations in the applications and citing the resources used to create the technology -- one year in development, 12 to 15 employee-years of work and over $1 million in investments.
Regardless of the application’s merits, AgeCheq -- and other VPC applications -- should go through safe harbor, PRIVO’s Tayloe told us. “When they choose to bypass the safe harbor process and go directly to the FTC, I believe it’s more about press releases,” she said. Devoting resources to such applications risks pulling the FTC’s focus from enforcement, where it should be, Tayloe said. “When the FTC approves a safe harbor, the safe harbor is supposed to be there to act as an intermediary to control compliance.”
But Smith and others, including CDD (http://bit.ly/1mTfFuh), question the safe harbor system’s efficacy. “There is a cloud of doubt over the whole safe harbor program,” Smith said. Many in industry, he said, see safe harbors as merely trading COPPA certification for thousands of dollars without protection from FTC action. Tayloe strongly disagreed. The government audits safe harbor programs yearly and safe harbors annually audit their clients, she said. Conversely, if the FTC approves AgeCheq’s application, there’s no annual audit requirement moving forward, she said. “It’s just a big end run around safe harbor,” she said.
The safe harbor nod is “really not the kind of ironclad guaranteed approval that the people we're selling to want,” Smith said. AgeCheq, he said, works with gaming companies like King.com, makers of Candy Crush, and Rovio, makers of Angry Birds. “It was necessary for us to get our entire system explicitly approved by the FTC,” Smith said. “We're just following the guidelines that were written into the law.” TRUSTe’s Furtsch understands the desire to take applications to the FTC rather than safe harbors. “Businesses are more comfortable going directly to the regulator,” she said. With the public comment period and review, “there’s definitely a level of transparency that people appreciate.”
Though Tayloe and Smith may diverge on industry’s approach to COPPA, they concur that noncompliance is rampant and FTC enforcement is necessary to incentivize compliance. “Until there is some fear in the market that they could be in trouble, nobody is going to hurt their app’s onboarding by putting this complicated parental thing in front of it,” Smith said. “You can’t just set up a service and let all the data flow and not have accountability in the system,” Tayloe said.
Traditionally, when the FTC starts enforcement in new areas, it begins with prominent “shots across the bow,” perhaps with a high-profile company, Friel told us. From there, the commission moves to egregious, clear-cut violations of the new rule as it ups the financial settlements, he said. Finally, the commission tackles more “esoteric” cases that further clarify its interpretation of the law. “They're going to start doing that again, it’s just a matter of when,” Friel said.
California is also under the microscope, Smith said, as observers wait for it to begin enforcement of its similar California Online Privacy Protection Act, which applies to all websites and apps doing business in the state. “When that particular flag is taken up the pole,” Smith said, “this whole issue is going to be alive.”