Privacy Certification Program Settles COPPA Violations with NYAG
Last week, True Ultimate Standards Everywhere, Inc. (“TRUSTe”) agreed to pay the New York Attorney General (“NYAG”) a $100,000 penalty, and beef up privacy measures, to settle alleged violations of the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501-6506 (“COPPA”). The Federal Trade Commission (“FTC”) is authorized to issue rules under COPPA, § 6502(b), and, along with the State Attorneys General, enforces it, §§ 6504(a), 6505(a). Generally, the FTC’s “COPPA Rule” mandates that operators of websites directed to children under the age of 13, or website operators that knowingly collect personal information from children under 13, must provide parents with notice of their information practices, make the collected information available upon request, limit the collection of such information, and secure it. See generally 16 C.F.R. pt. 312. Additionally, and relevant to this settlement, “collection” includes the passive tracking of children’s personal information through a persistent identifier, and not just its active collection. 16 C.F.R. § 312.2. Failure to comply may subject an operator to a penalty up to $40,654 per violation and a permanent injunction. See 15 U.S.C. §§ 45(a)(1), 45(m), 53(b), 57a(d)(3), 6502(c); 16 C.F.R. §§ 1.98, 312.9.
TRUSTe offers a privacy compliance certification solution to website and app operators. The FTC approved TRUSTe (along with six other organizations to date) as a self-regulatory, safe harbor program that subjects its operators to the same or greater protections for children as the COPPA Rule. See 16 C.F.R. § 312.11. Once certified, TRUSTe’s members may display the “TRUSTe Kids Privacy” seal on digital properties (and possibly avoid being the subject of government enforcement). According to the NYAG, however, TRUSTe failed to scan its members’ web sites for third-party tracking practices prohibited by COPPA during annual recertification assessments required of any safe harbor program. In other instances, TRUSTe failed to notify members about the detection of prohibited tracking, or accepted member representations about the legality of such tracking. These accusations came on the heels of TRUSTe’s settlement with the FTC a few years ago for similar concerns. See True Ultimate Standards Everywhere, Inc., Doing Business as TRUSTe, Inc.; Analysis To Aid Public Comment, 79 Fed. Reg. 69850 (Nov. 24, 2014). Similar to its settlement with the FTC, TRUSTe must improve the scanning, assessment, and reporting of any third-party tracking on its members’ sites in addition to its penalty to the NYAG.
COPPA remains a powerful tool in the arsenal of the FTC and State Attorneys General to curtail the ever-increasing marketing by online businesses to children under the age of 13. Failure to adequately prevent illegal tracking technology, or any other enumerated prohibition of COPPA, opens the door to regulatory scrutiny and enormous monetary penalties. The increasing enforcement of COPPA by states signifies that the welfare of children online is a top priority for federal and state authorities alike.