The Federal Trade Commission (FTC) is currently seeking comment on proposed changes to TRUSTe’s safe harbor program under the agency’s Children’s Online Privacy Protection Rule (COPPA).   Per the Federal Register notice, the comment period will last for 30 days, until May 24, 2017. 

TRUSTe (True Ultimate Standards Everywhere, Inc.) is a private company that has operated as a COPPA safe harbor provider since May 2001.  The program is designed for websites that have actual knowledge that they are collecting personal information directly from the users of a website or online service directed at children.  As an approved safe harbor provider, TRUSTe is required to conduct annual audits of its clients’ online services to assess compliance with its program requirements.  A company that meets the requirements of TRUSTe’s program can receive immunity from enforcement action in accordance with Section 312.11(e) of COPPA.  While a compliance certification from TRUSTe is not a guarantee of COPPA immunity, companies in FTC-approved safe harbor programs are less likely to be ordered to pay penalties.

The proposed changes in the TRUSTe safe harbor program are a result of last month’s settlement agreement between TRUSTe and the New York Attorney General Eric T. Schneiderman, which represents the first time any state or federal law enforcement agency has taken action against the operator of a privacy certification program for children’s websites.  Attorney General Schneiderman announced that TRUSTe will pay a penalty of $100,000 and adopt new measures to strengthen privacy assessments of its customers’ websites in connection with the company’s “failure to adequately prevent illegal tracking technology from surfacing on some of the nation’s most popular children’s websites.”  These measures require TRUSTe to scan its customers’ children’s websites for tracking technologies prohibited by COPPA, disclose the technologies found to its customers, and maintain a database of third-party tracking technologies, among other procedures.  

The New York Attorney General’s forays into COPPA enforcement have garnered significant interest, because the vast majority of COPPA enforcement actions since the statute took effect in 2000 have been initiated by the FTC rather than by states.  Since the FTC amended the COPPA rules in 2013, however, New York, New Jersey, and Maryland have brought enforcement actions under the statute.  Attorney General Schneiderman has been particularly aggressive in investigating how third-party services on companies’ websites are tracking user data and in taking action against a privacy certification program like TRUSTe.

Last year, previous FTC Bureau of Consumer Protection Director Jessica Rich “applauded” the New York Attorney General’s actions and said that Congress “wisely provided for law enforcement by both the FTC and state attorneys general so that there are multiple cops on the beat protecting children’s privacy.”  Per its request for comment, the FTC is particularly interested in a cost-benefit analysis of TRUSTe’s new COPPA provisions, as well as an evaluation of the incentives for and mechanisms to assess operators’ compliance.