When Privacy Concerns and Deceptive Marketing Issues Intersect

The FTC is proposing changes to its Children’s Online Privacy Protection Rule, or COPPA Rule, which imposes certain requirements on website operators to protect the privacy of children under 13. The commission says that its proposed modifications “are intended to respond to changes in technology and online practices” and to “clarify and streamline the Rule,” and is seeking comment on its proposals.

Some of the proposed changes are aimed to strengthen the FTC’s oversight of its COPPA Safe Harbor program, a program that enables commission-approved industry groups to offer paying member companies COPPA-compliance certification and protection from FTC enforcement action.

Today, TINA.org filed a comment regarding the FTC’s proposed amendments to this section of the rule.

Why is TINA.org weighing in on privacy issues?

While TINA.org primarily focuses on false and deceptive marketing issues, there are times when these interests overlap with children’s privacy concerns. Our Roblox complaint is a prime example. There, we found a plethora of deceptive marketing issues impacting millions of young children on a daily basis and resulting in numerous brands that advertise on the platform, as well as Roblox itself, taking not only users’ time, attention and money, but their personal data as well.

We’ve kept a close eye on the digital platform since filing our complaint with the FTC and, in so doing, discovered further problematic issues concerning COPPA Safe Harbor programs – issues that highlight why enhanced FTC oversight of these programs is necessary.

The use of COPPA Safe Harbor seals as marketing tools

The FTC currently entrusts six industry groups to self-regulate their member companies to ensure compliance with COPPA: Children’s Advertising Review Unit (CARU), Entertainment Software Rating Board (ESRB), iKeepSafe, kidSAFE, Privacy Vaults Online, Inc. (d/b/a PRIVO) and TRUSTe. When these Safe Harbor programs determine that companies’ products or services comply with the COPPA Rule, the programs allow the companies to promote the approval by, among other things, displaying a seal on the approved products/services.

As such, the program seals serve to inform consumers and regulators alike that the underlying products/services – which include not only entertaining kids’ games but also a multitude of educational resources used in schools – protect children’s online privacy in compliance with COPPA.

Some Safe Harbor programs inform prospective and current member companies that the seals can be “proudly displayed” to demonstrate their compliance with privacy protection laws and tout the secondary benefits associated with the seals, including that they give parents comfort and increase trust in – and engagement with – the underlying brands. According to PRIVO, for example, which lists “brand discovery” as one of its Safe Harbor program highlights:

Being in the trenches as a FTC-approved COPPA Safe Harbor since 2004, PRIVO has been helping brands not only comply with COPPA, but find new ways to increase engagement and sales.

And ESRB states on its Privacy webpage that:

According to a recent survey, upwards of 70% of parents with children 15 and younger that play mobile, online, and console video games said they would be much more comfortable allowing their kids to play if an ESRB Privacy Certified Seal is displayed.

The recipient companies then use their Safe Harbor program approvals and corresponding seals to market their products/services on a multitude of platforms, including their websites, social media pages, press releases and app stores, among other places, as the examples below show.

This means that COPPA Safe Harbor seals are not only symbols of privacy protection, but also beneficial marketing material used to drive traffic to Safe Harbor programs, as well as to member companies’ programs and services.

And such marketing messages can deceive consumers if the programs do not thoroughly and properly carry out their COPPA-compliance responsibilities, as TINA.org discovered.

TINA.org’s investigation into CARU’s approval of Walmart Roblox games

In December 2022, CARU announced in a press release that it had determined that a Walmart experience on the Roblox platform – Walmart Universe of Play – complied with COPPA.

However, CARU further represented that its approval indicated that the Walmart game also complied with CARU’s Advertising Guidelines – “a set of standards for advertising that help ensure advertising directed to children is not deceptive, unfair, or inappropriate.” According to the press release:

BBB National Programs’ CARU COPPA Safe Harbor Program is the first and longest-running COPPA Safe Harbor Program in the U.S. and it is the only one designed to ensure both a company’s products and the product’s advertising comply with COPPA and CARU’s Advertising and Privacy Guidelines.

Not only were such representations beyond the scope of COPPA’s Safe Harbor provision (which pertains only to privacy protection concerns for children under the age of 13, not unfair or deceptive advertising practices), they also had the potential to mislead companies into believing that a Safe Harbor program approval meant that false and deceptive advertising claims were beyond the scope of FTC review, and mislead consumers into believing that Walmart Universe of Play did not raise any “deceptive, unfair, or inappropriate” advertising issues, which was not the case.

As TINA.org, together with consumer advocacy groups Fairplay, Center for Digital Democracy, National Association of Consumer Advocates and Common Sense Media, informed CARU in early 2023, Walmart Universe of Play not only raised privacy concerns by virtue of being hosted on Roblox (more on this below) but was deceptively marketing Walmart products to millions of young children on a daily basis by blurring the distinction between advertising content and organic content, and failing to provide any clear or conspicuous disclosures that the game (or contents within the game) were ads.

Even more concerning, however, was TINA.org’s discovery that the CARU COPPA Safe Harbor program had approved – and allowed the use of its seal on – various Walmart games that were only accessible on Roblox without independently vetting Roblox’s compliance with COPPA.

As TINA.org explained to CARU, because children could not access the games without first creating an account on – and logging into – Roblox, parents viewing the CARU COPPA Safe Harbor seals could have reasonably believed that CARU had also verified Roblox’s compliance with COPPA, which, again, was not the case.

Instead of conducting its own review to ensure Roblox complied with COPPA as well as its own Privacy Guidelines, CARU relied on the fact that Roblox had previously been approved by a different COPPA Safe Harbor program, KidSAFE. (CARU never independently accepted Roblox into its own Safe Harbor program.) But KidSAFE’s approval of Roblox, and CARU’s subsequent reliance on this approval, are problematic for several reasons:

1. Creating an account on Roblox requires, among other things, providing children’s full birthdate, username and password, and indicating that they agree to Roblox’s Terms of Use and acknowledge the platform’s Privacy Policy, all without their parents’ verifiable consent, as is required by the COPPA Rule.
2. As part of TINA.org’s 2022 investigation into Roblox (and subsequent complaint with the FTC regarding rampant deceptive marketing on the platform), we learned through a FOIA request that, as of March 2022, the commission had received nearly 1,300 consumer complaints regarding Roblox, many of which noted significant privacy concerns vis-à-vis children.

3. Months after accepting Walmart Universe of Play into its COPPA Safe Harbor program, CARU separately investigated Roblox and stated that it too had “privacy concerns” regarding the platform. Yet despite finding issues with the platform’s COPPA compliance, neither KidSAFE nor CARU attempted to bring any sort of formal disciplinary action against Roblox.

The ability of a COPPA Safe Harbor program to represent that children’s privacy is properly protected when using a particular product or service, like a video game, without independently determining whether the platform that hosts the game also protects children’s privacy, raises serious concerns regarding the effectiveness and validity of the FTC’s Safe Harbor program.

For these reasons, TINA.org’s comment expresses support for the FTC’s strengthening of its oversight of the COPPA Safe Harbor program, but also urges the commission to further amend the COPPA Rule to make clear that a COPPA Safe Harbor program must not certify a product’s or service’s privacy practices as compliant with COPPA if it has not also independently verified that the platform on which it is hosted also complies with COPPA or, in the alternative, properly disclose to the public the limitations of the review. Without this requirement, many Safe Harbor program approvals and accompanying marketing pushes by brands about the safety of their products or services will risk misleading – and possibly harming – the very consumers that these programs are supposed to be protecting: children.

Read TINA.org’s full comment here.