The US Federal Trade Commission (FTC) shows no patience with companies falsely claiming participation in industry standards organizations, especially where children’s data is involved.
A recent case proves this point. The FTC settled claims against Miniclip S.A., a major player in the mobile gaming industry that offers more than 1,000 games to users, for misrepresenting its participation in The Children’s Advertising Review Unit (CARU), a Better Business Bureau program promoting industry self-regulation on children’s privacy topics. In 2001, CARU was approved by the FTC as the first Safe Harbor Program under Children’s Online Privacy Protection Act (COPPA).
Companies complying with the CARU guidelines are insulated from FTC enforcement action. Companies claiming to comply, but not doing so, clearly are not.
COPPA is a federal law that applies to website and online service operators that are directed to children under 13 years old or have actual knowledge that it collects personal information of children under 13. Operators have to comply with certain key provisions aimed at protecting the privacy of young children including disclosing their privacy policies and obtaining verifiable parental consent before collecting, using, or disclosing children’s personal information.
The FTC brought an enforcement action against Miniclip, alleging that such representations constituted deceptive acts or practices in violation of Section 5 of the FTC Act. What’s interesting is that the FTC does not allege any actual violations of COPPA. For all we can tell, Miniclip was fully COPPA-compliant the entire time. The claim rests solely on Miniclip’s representations that it was a member of CARU when it wasn’t.
Followers of recent enforcement actions shouldn’t be too surprised though. Even in the absence of consumer harm, federal regulators have shown an appetite to go after companies that misstate their data collection practices. For example, the FTC recently settled claims against five companies over allegations they falsely claimed they were certified under the E.U.-U.S. Privacy Shield Framework. In addition, in 2016, the CFPB settled claims against Dwolla that rested in part on the company’s representations that its data security practices were PCI-DSS compliant when, in fact, they weren’t.
What’s the take-away here? Certainly lying about a set of data security standards you adhere to spells trouble. But it also reinforces the importance of a robust compliance program that routinely reviews marketing collateral for UDAP compliance issues. Reading between the lines, it seems that this wasn’t a case of Miniclip intentionally misrepresenting its continued participation in CARU. Indeed, Miniclip was, at one point, a member of CARU; it is likely the company had just failed to update its fine print to remove that representation.