NY AG Settles with TRUSTe Over its COPPA Safe-Harbor Program


by Benjamin Stein

Last week, the New York Attorney General’s Office announced that it had entered into a settlement with privacy compliance company TRUSTe, signaling the AG's continuing interest in children's privacy and potentially portending an uptick in state-level enforcement under the Children’s Online Privacy Protection Act (“COPPA”). TRUSTe operates an FTC-approved safe-harbor program for online services subject to COPPA. As an approved safe-harbor provider, TRUSTe is required to conduct annual audits of its clients’ online services to assess compliance with its program requirements.  According the the New York Attorney General, TRUSTe’s assessments failed to adequately address the presence of third-party tracking technologies prohibited on child-directed sites under COPPA. 

Specifically, the Attorney General claimed that (i) while TRUSTe scanned client services for third-party tracking technologies, it omitted from these scans “most or all of its customers’ children’s webpages,” (ii) it failed to provide its clients with the relevant results of these scans, and (iii) it accepted representations from its clients that third-party tracking technologies identified by TRUSTe were COPPA-compliant, without independently verifying these representations.

To settle the dispute, TRUSTe will pay $100,000 and implement a more rigorous privacy-assessment process for clients of its safe-harbor program.  Under the settlement, TRUSTe must: (i) conduct scans of a substantial portion of its clients' sites (with such scans conducted by dedicated employees with relevant expertise); (ii) disclose to its clients each third-party tracking technology identified by the scan; (iii) require that its clients provide information on the third parties operating on the client’s service, including what information the third party collects and how it is used; (iv) review this information and determine whether the third party is in compliance with COPPA; and (v) maintain a database on third-party tracking technologies to assist in its evaluation.

This settlement is noteworthy because it demonstrates a continued interest by the New York Attorney General in children’s privacy. The AG’s press release on the settlement noted that this “is the second announcement made in connection with ‘Operation Child Tracker,’ the Attorney General’s ongoing investigation into the illegal tracking of children’s online activity by marketers, advertising companies, and others.” [emphasis added]  (The first being a September 2016 settlement with four publishers of child-directed online services.)  While we expect to see continued interest in COPPA issues from both the New York AG and the FTC, we also anticipate the potential for other Attorneys General to get involved in state-level COPPA enforcement in the coming years.

If you operate a child-directed online service, take this opportunity review your properties. Make sure that you are aware of all third parties operating on your service, confirm that you understand what information they are collecting from your users and how they use that information, and verify that such collection and use is compliant with your obligations under COPPA.   COPPA remains a hot topic and now is the time to ensure your house is in order.

The Attorney General’s press release on the settlement is available here.