U.S. Representatives Kathy Castor (FL14) and Jan Schakowsky (IL09) wrote to all of the Children’s Online Privacy Protection Act (COPPA) Safe Harbor programs, requesting information to ensure that they are fulfilling their legal obligations to provide “substantially the same or greater protections for children” as those detailed in the COPPA Rule as well as soliciting feedback on how best to improve the Safe Harbor program. Rep. Schakowsky is the Chair of the Energy and Commerce Committee’s Consumer Protection and Commerce Committee of which Rep. Castor is a member.

Letters were sent to all Safe Harbor Program organizations: Children’s Advertising Review Unit (CARU), Entertainment Software Rating Board (ESRB), iKeepSafe, kidSAFE, Privacy Vaults Online, Inc. (d/b/a PRIVO) and TRUSTe.

The letter can be read here and below:

RE: Oversight Questions Regarding COPPA Safe Harbors

Dear Ms. Vance—

We write to you to better understand the Children’s Online Privacy Protection Act’s Safe Harbor Program run by the Entertainment Software Rating Board and to solicit feedback from the Entertainment Software Rating Board on how best to improve the program’s governing regulations and statute.

The Children’s Online Privacy Protection Act (COPPA), signed into law in 1998, includes provisions that regulate how entities or “operators” collect and use personal information from children under thirteen years old. The statute includes a provision entitled “Safe Harbors,” which states that an operator may satisfy COPPA regulations by following a set of approved self-regulatory guidelines.[1] The Federal Trade Commission (FTC) promulgated its first rule implementing COPPA in 1999 and revised the COPPA Rule in 2013. In the current rule, there is a section entitled “Safe harbor programs” that further details the requirements for these programs.[2]

Recent press reports and FTC enforcement actions have highlighted the importance of ensuring online platforms protect children’s privacy.[3] Parents do not have confidence that their children’s privacy is sufficiently protected online and do not have the time or resources to read through complicated and convoluted privacy policies. Often parents are forced to make quick judgments about the safety of a website or app and a stamp of approval from a safe harbor deeming a site compliant with COPPA can make a significant difference in whether parents allow their children to use it. These problems are further exacerbated as children are increasingly required to use online resources for educational, informational, and other essential purposes.  Therefore, it is critical that COPPA Safe Harbor organizations are working as intended.

Unfortunately, there are signs that COPPA Safe Harbor organizations are not adequately doing their job. Former FTC Commissioner Chopra, in prepared remarks on April 4, 2019, and in a statement on May 19, 2020, said that the FTC and Congress need to take steps to “[beef] up oversight of the COPPA Safe Harbor program.”[4] Some of the actions then-Commissioner Chopra proposed include: “Limiting conflicts of interest by COPPA Safe Harbors by restricting additional fee-based consulting offered by affiliates of the Safe Harbor to participating websites and apps,” and “Disclosing COPPA Safe Harbor performance data to the public, including complaints handled and disciplinary actions taken.”

Congress and the FTC need to consider all options to protect our children online. As members of the House Committee on Energy and Commerce, which has jurisdiction over the COPPA Safe Harbor Program, we are committed to conducting oversight to guarantee the participants in this program are fulfilling their legal obligations to provide “substantially the same or greater protections for children” as those detailed in the COPPA Rule. We are also committed to exploring ways in which Congress can strengthen COPPA and the COPPA Rule.

To better inform our work, please provide written responses to the following questions by January 28, 2022.

1. How many operators participate in your Safe Harbor program?
1. Please provide a list of the names of the operators that participate in your program.
2. Is this list publicly accessible? If so, where?
2. Do you conduct advertising for your Safe Harbor program?
1. If so, please provide documentation of the advertising.
3. How does your Safe Harbor program provide “substantially the same or greater protections for children as those contained” in the COPPA Rule?[5]
4. Describe the “effective, mandatory mechanism for the independent assessment of subject operator’s compliance with the self-regulatory program guidelines.”[6]
5. How often do you conduct a comprehensive review of “each subject operator’s information policies, practices, and representations?” Please describe how such reviews are conducted.[7]
6. What disciplinary actions for subject operators’ non-compliance with self-regulatory guidelines does your organization utilize?
1. Does your organization require “mandatory, public reporting of any action taken against subject operators” as a disciplinary action?[8]

                                                                                       i.      If so, please provide all public reporting of any action taken against subject operators.

1. Does your organization include “consumer redress” as a disciplinary action?[9]

                                                                                       i.      If so, please provide all examples of consumer redress.

1. Does your organization include “voluntary payments to the United States Treasury in connection with an industry-directed program for violators of the self-regulatory guidelines” as a disciplinary action?[10]

                                                                                       i.      If so, please provide all examples of voluntary payments to the US Treasury?

1. Does your organization include “referral to the Commission of operators who engage in a pattern or practice of violating the self-regulatory guidelines” as a disciplinary action?

                                                                                       i.      If so, please provide a description of all referrals to the FTC.

1. Has your organization terminated any operators from your organization’s safe harbor program?

                                                                                       i.      If so, please describe the instances when that has occurred, including the process involved and the reason for each termination.

1. Please provide all instances of disciplinary actions, including actions not specified in the preceding questions, taken against operators in your organization’s program.
1. What is the process for a consumer to submit a complaint alleging violations of your organization’s guidelines?
1. How many consumer complaints has your organization received since the program’s initial approval by the FTC?
2. What is your organization’s process for responding to consumer complaints?
3. Has a consumer complaint resulted in a disciplinary action?

                                                                                       i.      If so, please provide descriptions of all instances in which a consumer complaint resulted in a disciplinary action, including the substance of the complaint and the disciplinary action taken.

1. Please explain the fee structure of your organization’s Safe Harbor program.
1. Do you provide any other products or services to operators in your Safe Harbor program outside of the services provided in ensuring safe harbor compliance?  What is the fee structure for such products or services?
2. If so, how many operators in your Safe Harbor program avail themselves of such products or services?
2. Has an operator enrolled in your Safe Harbor program ever left your program to enroll in a different safe harbor?
1. If so, please describe to the best of your knowledge the circumstances under which this has occurred?
3. How can Congress amend COPPA to better protect children’s privacy, health, and safety online?
4. How can Congress amend COPPA to improve the Safe Harbor program?
5. How can the FTC amend the COPPA Rule to better protect children’s privacy, health, and safety online?
6. How can the FTC amend the COPPA Rule to improve the Safe Harbor program?
7. In May 2020, then-FTC Commissioner Chopra made a number of suggestions to improve the COPPA Safe Harbors program. Do you agree with these suggestions?[11]
1. Do you agree that “subjecting the COPPA Safe Harbors to routine reviews and Commission votes to maintain accreditation, rather than the current ‘lifetime approval’ approach” would improve the COPPA Safe Harbor program?
2. Do you agree that “disclosing COPPA Safe Harbor performance data to the public, including complaints handled and disciplinary actions taken” would improve the COPPA Safe Harbor program? Would such a requirement present any difficulties in ensuring operators compliance with your organization’s guidelines?
3. Do you agree that “limiting conflicts of interest by COPPA Safe Harbors by restricting additional fee-based consulting offered by affiliates of the Safe Harbor to participating websites and apps” would improve the COPPA Safe Harbor program?  How would such changes impact your organization’s Safe Harbor program?
4. Do you agree that “seeking the prompt submission to the FTC of all documentation regarding disciplinary actions” would improve the COPPA Safe Harbor program?
5. Do you agree that “terminating Safe Harbor programs that do not adequately fulfill their oversight requirements” would improve the COPPA Safe Harbor program?

Sincerely,