Reducing legal exposure for clients and navigating complex issues of children’s privacy protections is a major focus of many law firms. Attorneys and counsel for global gaming companies, children’s educational or entertainment sites, apps and communities are inundated with client requirements for age verification and consent. Online use of kids’ social media apps burgeoned over 70% in the pandemic year.
The practice of enforcing privacy programs and bringing online operators into compliance with the Children’s Online Privacy Protection Act (COPPA) is hard work. Law firm partners seek out FTC-approved safe harbors to ensure improved adherence.
At Privacy Vaults Online (PRIVO), we have been protecting kids for 20 years. We are an FTC-approved COPPA safe harbor that also provides parent consent and family identity services.
PRIVO supports hundreds of online services and apps that have been proactive in seeking help to protect the privacy of children. Our transparent and detailed report submitted to the FTC annually demonstrates how robust our safe-harbor program is.
There are millions of apps and websites in the market, many of which appeal to children and many of which operate in “a wild west” with little regard for privacy regulations or protections. Only a fraction of these companies have sufficient understanding of COPPA or immediate concern about the likelihood of enforcement that would prompt them to seek review by a COPPA safe harbor.
Companies and their legal advisers that proactively join a safe harbor are taking the right approach and opening the doors for review or evaluation, and often the need for remediation. They have committed to doing the work required to get their houses in order. In many cases, they are investing in this work while understanding that competitors may be increasing revenue and taking risks in ways that violate child privacy protection regulations, knowing regulatory enforcement is exceedingly rare.
At a recent Senate hearing on “Protecting Kids Online: Internet Privacy and Manipulative Marketing,” charges were leveled against COPPA safe harbor organizations as “rubber stamping” social communities, gaming sites, and online services with respect to children’s privacy. Nothing could be further from the truth.
Every member in our program is investing precious resources in the form of legal, executive, product, program and engineering time and expertise to understand the intricacies of privacy concerns or potential compliance violations.
They take the policy, practice, and engineering steps to implement remedies sufficient for certification. It is important to see safe harbor as one tool in the box to support child privacy protections and for the FTC to have the resources to ensure that all safe harbors are doing a robust job.
PRIVO publishes a list of members and services app-by-app and site-by-site in its program to ensure transparency for the public, industry and regulators alike. PRIVO has long supported transparency and works closely with FTC staff to provide feedback on issues and comprehensive reporting of the work we do.
AppCensus Research Data Conflict Issues
During the Senate hearing, members of Congress heard from Serge Egelman, research director of the usability and privacy group at the International Computer Science Institute and a research lead on privacy at the University of California, Berkeley.
Egelman asserted that safe harbor-certified apps were found just as likely to be in violation of COPPA as non-certified apps based on his own research and that the “internal operations exemption” is being abused by app developers.
As founder and chief technology officer of AppCensus Inc., he appears to have a conflict of interest in promoting his product and gain from its growth. AppCensus provides automated scans of digital apps to identify data collection and sharing practices by the app and associated third parties, but has no official certifications or authority to evaluate an online service’s COPPA compliance.
The research used to demonstrate non-compliance with COPPA was carried out for a report in 2018: Won’t Somebody Think of the Children: Examining COPPA Compliance at Scale. The report was prepared by BLUES (Berkeley Laboratory for Usable and Experimental Security), where Egelman is the director, to analyze Android mobile apps compliance with COPPA.
While PRIVO welcomes any development of tools that support compliance efforts and research in this area, we highlighted key issues we found in our evaluation of the AppCensus tool and method used to gather and analyze the data. We reviewed the research that forms the basis of the report. We also carried out analysis of the research findings.
The testimony represents the work of safe harbors as “app developers and operators of other services submit their products, fill out a questionnaire, and the Safe Harbor certifier deems them COPPA compliant and indemnified from FTC action.”
We dispute this statement. We do so much more. It is not a true depiction of our robust and comprehensive work and we hope the above argument clarifies this.
Safe harbors are one critical tool in the FTC toolbox and firms need to regularly re-evaluate individual safe harbors to ensure they maintain high standards required to protect children’s privacy.
This column does not necessarily reflect the opinion of The Bureau of National Affairs,Inc. or its owners.
Denise G. Tayloe is the co-founder/CEO of PRIVO and is a subject matter expert, recognized leader, and authority in children’s online privacy, permission, and identity management.
Claire Quinn is the chief privacy officer for PRIVO and subject matter expert specializing in COPPA, the GDPR and children’s privacy and safety in the digital world. She works closely with major child directed brands, third -party service providers, moderation companies, regulators and agencies.