TRUSTe's Failures Left Visitors To Popular Children's Websites Vulnerable To Illegal Tracking Technology
Children's Online Privacy Protection Act (COPPA) Imposes Major Restrictions On Online Tracking Of Children Under Age 13
Attorney General Eric T. Schneiderman today announced a settlement with True Ultimate Standards Everywhere, Inc. (“TRUSTe”), in connection with the company's failure to adequately prevent illegal tracking technology from surfacing on some of the nation's most popular children's websites. TRUSTe's failure to adequately assess its customers’ websites, which included Roblox.com and Hasbro.com, left underage visitors to those websites vulnerable to illegal tracking prohibited under the federal Children's Online Privacy Protection Act (COPPA).
As part of the settlement, TRUSTe will pay a penalty of $100,000 and adopt new measures to strengthen its privacy assessments. Today's settlement is the first time any state or federal law enforcement agency has taken action against the operator of a privacy certification program for children’s websites.
“Companies entrusted with protecting children’s privacy online have a responsibility that my office takes seriously – now, more than ever before,” said Attorney General Schneiderman. “TRUSTe failed to meet its obligations to keep children safe from the prying eyes of online trackers and its customers within the parameters of the law. My office is committed to protecting children online and will continue to hold accountable those who violate this or any other online privacy statute.”
The settlement announced today concerns TRUSTe’s Children’s Privacy Program, a “safe harbor program,” designed to assess website operators’ compliance with COPPA. COPPA encourages operators of children’s websites to participate in such programs by providing a safe harbor from enforcement actions to operators that comply with safe harbor program rules.
As the operator of a COPPA safe harbor program, TRUSTe is required to conduct a comprehensive review of website operators’ policies, practices, and representations at least once per year to assess operators’ compliance with COPPA. The Attorney General’s office found, however, that TRUSTe’s annual reviews failed to adhere to the company’s own policies in the following critical respects:
- Although TRUSTe conducted electronic scans of customers’ websites for third-party tracking technology prohibited by COPPA, in many cases TRUSTe omitted most or all of its customers’ children’s webpages from its scans. TRUSTe therefore could not determine whether unexpected third-party tracking technologies were present on these customers’ children’s websites.
- In many cases, TRUSTe failed to provide its customers with relevant results from its electronic scans, including some of the third-party tracking technologies that TRUSTe had detected. This deprived TRUSTe’s customers of an opportunity to analyze the results to identify tracking technologies that violate COPPA.
- TRUSTe accepted customers’ representations that third-party tracking technologies found on their children’s websites did not violate COPPA instead of independently determining whether the tracking technologies violated COPPA.
These failures allowed COPPA violations to continue on children’s websites. The settlement requires that TRUSTe implement a more rigorous privacy assessment process for its COPPA safe harbor program, including:
- TRUSTe must conduct electronic scans of a substantial portion of each of its customers’ children’s websites for tracking technologies prohibited by COPPA. Only dedicated employees with expertise and experience operating TRUSTe’s scanning software may conduct the scans. After scans have completed, employees must verify that each scan was conducted properly.
- TRUSTe must disclose to its customers every third-party tracking technology identified through TRUSTe’s scans.
- TRUSTe must require that its customers provide information about the third parties operating on the customers’ children’s websites, including the types of information each third party collects and how that information is used.
- TRUSTe must review the information that customers provide to determine whether each of the identified third-party tracking technologies violates COPPA.
- TRUSTe must maintain a database of third-party tracking technologies to assist in its determination of whether identified third-party tracking technologies violate COPPA.
The Office of the Attorney General thanks the Federal Trade Commission for its assistance in this case.
This is the second announcement made in connection with “Operation Child Tracker,” the Attorney General’s ongoing investigation into the illegal tracking of children’s online activity by marketers, advertising companies, and others. In September 2016, the Attorney General announced that his office had entered into settlements with four companies that had violated COPPA by allowing illegal third-party tracking technologies on some of the nation’s most popular kids’ websites, including websites for Barbie, Nick Jr., My Little Pony, American Girl, Hot Wheels, and dozens of others. Those companies agreed to pay penalties totaling $835,000 and to adopt comprehensive reforms to protect children from improper tracking and the collection of children’s personal information in the future.