Administrations come and administrations go, but the FTC and self-regulation have had a long-running love affair. But can there be too much of a good thing? The FTC has long been an enthusiastic cheerleader and active supporter of self-regulatory programs such as NAD. And the bloom doesn’t appear to be off that rose. However, a recent speech by Commissioner Chopra suggests there might be limits to the Commission’s appetite for self-regulation.
The object of Commissioner Chopra’s scrutiny is the safe harbor provision under the Children’s Online Privacy Protection Act (COPPA). The Safe Harbor program essentially outsources COPPA compliance and enforcement. Under the provision, an organization can seek approval from the FTC to run a COPPA Safe Harbor program. Operators of websites subject to COPPA can then pay a fee to have their COPPA compliance assessed and hopefully certified. Once the compliance is certified, operators are protected from being charged by the FTC with violating COPPA.
To be approved as an administrator of a Safe Harbor program, the program must have clear guidelines that operators must follow, and it must independently review and assess operators’ compliance with COPPA at least once per year. Finally, the program must have a meaningful disciplinary procedure for any violations that are uncovered.
Sound good? A federal agency, understaffed and underbudgeted, enlists the private sector to help it ensure regulatory compliance and the industry receives prior assurance of regulatory compliance. Commissioner Chopra doesn’t think so. What are his concerns?
First, money changes hands, and as someone once said, “Money is the root of all evil.” And it’s true that financial incentives can skew outcomes. Long ago the Supreme Court, for example, held that magistrates couldn’t be compensated on a per warrant issued basis, as this might bias them toward granting warrant requests. In the case of Safe Harbor programs, the programs get paid regardless of whether they give the operator a passing grade, but those Safe Harbor programs might fear that operators will shun them if they are particularly rigorous either with their initial review or with subsequent audits and enforcement. Of course, at the same time, a program risks losing all its funding if the FTC determines that it is not operating properly and terminates its status. As Commissioner Chopra noted, the FTC has previously said that revoking a program’s safe harbor status is “an important mechanism to ensure the integrity of the program.”
Commissioner Chopra also pointed out that COPPA Safe Harbor programs receive very few, if any, consumer complaints, and that for the Commission as a whole, consumer complaints submitted primarily through the FTC’s Consumer Sentinel program are an important enforcement tool. Commissioner Chopra raises some important issues regarding how difficult or cumbersome filing complaints may be with respect to some of these programs, and clearly these are problems that, if present, can and should be addressed. However, it would also be interesting to know how many COPPA complaints the FTC receives under its Consumer Sentinel program, in order to better understand if the issue is that parents don’t know how to file a complaint and when a complaint should be filed, particularly if many of them do not know what websites their children are engaging with or how they are engaging.
Finally, Commissioner Chopra expressed concern that when Safe Harbor programs find COPPA violations they typically work to bring the operators into compliance rather than discipline or suspend them. Of course, even the FTC’s Enforcement Division sometimes works with companies to bring them into order compliance rather than bringing a civil penalty proceeding, particularly if the violation is minor or occurs soon after an order is entered. So it would be helpful to understand more about the nature of the uncovered violations and whether tougher sanctions were in fact warranted. This too, however, is an area where the FTC does not lack tools. If Safe Harbor programs are being too accommodating to scofflaws, the FTC has the authority to revoke the programs’ status.
In short, Commissioner Chopra raises some provocative questions, and his comments highlight the tension with self-regulatory programs. Self-regulatory programs by their nature can typically review more “actors” and act more swiftly to address and correct potential problems. And this can be a net benefit to consumers. After all, the FTC almost certainly lacks the resources to conduct the annual audits of operators that Safe Harbor programs are required to undertake. On the other hand, there is the risk, as Commissioner Chopra points out, that the watchdogs will be more lax than would be a government regulator. But the solution may not be to throw the idea out altogether.
Perhaps the most interesting aspect of Commissioner Chopra’s speech is that it clearly previews his skeptical position on self-regulatory mechanisms as the Commission and Congress begin considering more and more regulation surrounding consumer privacy. And in a call that is sure to strike fear into the heart of any in-house lawyer who has lain awake worrying about potential class actions, Commissioner Chopra notes that there is no private right to enforce COPPA, but that with respect to future privacy regulation, having penalties that “are enforced by many” is a laudable goal.