Because the COPPA Rule in many important respects provides only a broad outline of applicable legal standards, many of its provisions are ambiguous. Numerous questions of interpretation and application remain unanswered by the Rule, and the FTC has relied primarily on unofficial Staff guidance to provide further illumination. The chief repository for agency guidance relating to the COPPA Rule is a Staff-level publication commonly referred to as the “COPPA FAQs.” When the FTC pursues COPPA enforcement actions and negotiates settlements with private parties, it often will rely upon the COPPA FAQs as support for the standards and interpretations the Commission is enforcing—standards and interpretations that are not discernible from the text of the Rule itself. The problem is that the COPPA FAQs do not reflect the official views of the Commission itself. In fact, they include a prominent, bold-print disclaimer stating, “This document represents the views of FTC staff and is not binding on the Commission.”
Why is this a problem? When the FTC seeks civil penalties for COPPA violations, it does so based on a provision of the FTC Act that, as a predicate for civil penalties, requires proof that the defendant knew or should have known that its conduct violated the COPPA Rule. Yet it is well established that companies cannot be held liable for knowing violations of the law in circumstances where they acted consistently with an “objectively reasonable” (even if ultimately erroneous) interpretation of the applicable legal standards. In short, Congress intentionally designed this civil penalty provision not to apply in circumstances where the defendant, owing in part to a lack of clarity in the rule, at worst committed a “mistake of law.” As explained by the U.S. Supreme Court in its 2007 decision in Safeco Insurance Co. of America v. Burr, this principle has particular application in situations in which the text of the statute or rule at issue is “less-then-pellucid” and there is a “dearth” of “authoritative guidance.” Safeco involved the Fair Credit Reporting Act (“FCRA”), a statute enforced by the FTC, and the Court made it clear that, for these purposes, “informal [FTC] staff opinion[s] . . . not binding on the Commission” do not constitute “authoritative guidance.”
As explained below, this has significant implications for the FTC’s COPPA enforcement program. Despite its impressive track record in obtaining settlements, from an administrative law standpoint the FTC is operating on shaky ground. The COPPA Rule in places is certainly “less than pellucid,” and the Rule’s text is often open to multiple reasonable interpretations. There are no litigated precedents to provide clarity, and as Supreme Court precedent suggests, Staff-level guidance like the COPPA FAQs cannot be relied upon to give authoritative notice and guidance to affected parties. Hence, the agency faces a conundrum. If it proceeds on the current course, parties subject to FTC enforcement actions predicated on Staff-endorsed interpretations of otherwise ambiguous Rule provisions may have the ability to litigate and win in court, citing a lack of fair notice and the absence of proof that they committed any knowing COPPA violations. The alternative is for the FTC to revisit the Rule and attempt to add much-needed clarity, but this could prove difficult, require significant resource commitments at a time when the FTC’s resources are already stretched thin, and at most have an impact on cases challenging conduct post-dating any final rulemaking changes. Whatever path the FTC takes, it does appear to have a problem on its hands in cases where it is pursuing civil penalties for asserted COPPA violations based on ambiguous Rule provisions that are clarified, if at all, only through unofficial Staff-level guidance.
COPPA’s Many Ambiguities and the Heavy Freight Placed on the FTC Staff’s FAQs
The FTC recently issued a Policy Statement in which it pointedly warned education technology (“ed tech”) service providers that the Commission “intends to scrutinize [such companies’] compliance with the full breadth of the substantive prohibitions and requirements of the COPPA Rule and statutory language.” In the same breath, the Policy Statement advised ed tech companies that “Commission staff has provided extensive guidance on COPPA’s application to ed tech providers,” citing to Staff’s COPPA FAQs.
The FTC Staff’s COPPA FAQs in some areas do provide “extensive guidance” that goes well beyond the scope of the COPPA Rule and statutory language. Yet the very fact that Commission Staff has felt the need to publish such a detailed interpretive guide to the COPPA Rule is indicative of the lack of clarity in the Rule itself. One example relates to the threshold question whether an online service is “directed to children” as opposed to a “general audience” service.
The COPPA Rule states that whether a website or online service will be considered “directed to children” should turn on a multitude of factors, including “subject matter,” “visual content,” “use of animated characters or child-oriented activities and incentives,” “music or other audio content,” “age of models,” “presence of child celebrities or celebrities who appeal to children,” “language or other characteristics of the Web site or online service,” “whether advertising promoting or appearing on the Web site or online service is directed to children,” “competent and reliable empirical evidence regarding audience composition,” and “evidence regarding the intended audience.” Beyond listing these factors, the Rule provides no guidance in terms of how they will be applied or weighted, leaving much to interpretation. What the Rule does make clear is that an online service “that does not target children as its primary audience, shall not be deemed to be directed to children if it” screens visitors based on their reported ages and “[p]revents the collection, use, or disclosure of personal information from visitors who identify themselves as under age 13.” Although this term is never used in the text of the Rule, this screening concept is often referred to as an “age screen” or “age gate.”
Taking this issue as an example, the COPPA FAQs, in addressing the “child directed” question, expand significantly upon the text of the Rule. The FAQs pose and then answer well over a dozen questions built around hypothetical scenarios involving different fact patterns, and the Staff’s responses are meant to explain how the Rule likely would be interpreted and applied to such facts. In this regard, the FAQs candidly state that the “determination of whether content is child-directed will be clearer in some contexts than in others,” an apparent acknowledgement of the Rule’s potential ambiguities. In addressing the questions posed, the FAQs introduce a variety of new concepts and terminology, such as the terms “mixed audience,” “teen sites,” and “neutral age screen”—none of which appear in the COPPA Rule and are themselves subject to further Staff interpretation.
As noted, the Commission itself acknowledges that the Staff’s COPPA FAQs provide “extensive” additional guidance regarding how the COPPA Rule should be interpreted and applied. The degree to which the FAQs expand on the text of the COPPA FAQs in this and other areas is readily evident simply from comparing the length of the two documents. FTC COPPA enforcement actions sometimes rely upon concepts and interpretations that are not evident from the text of the COPPA Rule and are explained only in the COPPA FAQs. As one example, in a recent case resolved by settlement, the FTC challenged a company’s use of an age gate to screen website visitors 13 or under, alleging that the age gate violated COPPA because it included “non-neutral” language, referring to language in the age gate disclosures stating that “children under 13” by law “must sign up through a parent.” The COPPA Rule itself, however, says nothing to suggest that inclusion of such language could serve to invalidate an otherwise effective age gate. The concept that language of this nature is not “neutral” and that a “non-neutral age gate” could violate COPPA emanates entirely from the COPPA FAQs—again, a Staff-sponsored publication that is expressly “not binding on the Commission.”
Safeco and the Perils of Relying Upon Staff-Level Guidance to Clarify Ambiguous Rule Provisions
When the FTC brings COPPA enforcement actions, it routinely seeks civil penalties based on a provision in the FTC Act: Section 5(m)(1)(A). That provision permits the FTC to:
commence a civil action to recover a civil penalty in a district court of the United States against any person, partnership, or corporation which violates any rule under this chapter respecting unfair or deceptive acts or practices . . . with actual knowledge or knowledge fairly implied on the basis of objective circumstances that such act is unfair or deceptive and is prohibited by such rule.
As courts construing this provision have noted, “before . . . conduct can serve as the basis for imposing a civil penalty under § 5(m)(1)(A), the government must prove that the violations were committed knowingly or with knowledge fairly implied based on objective circumstances.”
The legislative history makes clear that, “[i]n determining whether knowledge of a Commission rule may be fairly implied” for purposes of this provision, Congress “intended that the courts hold a defendant responsible” only if “a reasonable and prudent man under the circumstances would have known” both (1) “of the existence of the rule,” and (2) “that the act or practice was in violation of its provisions.” In a decision from just last year, Jerman v. Carlisle, McNellis, Rini, Kramer & Ulrich LPA, the Supreme Court observed that Section 5(m)(1)(A)’s “actual knowledge or knowledge fairly implied” language “explicitly” provides “a mistake-of-law defense.” That is, notwithstanding “the general [common law] rule that mistake or ignorance of the law is no defense,” in adopting Section 5(m)(1)(A) “Congress chose” to create such a defense, as it has done in certain other statutes and in keeping with the “more onerous” nature of civil penalties.
These authorities suggest that where the FTC seeks civil penalties for a COPPA violation applying Section 5(m)(1)(A) of the FTC Act in contested litigation, the Commission would have to affirmatively prove that the defendant knew it was acting in violation of COPPA, or at a minimum that a reasonable person in the same circumstances “would have known” that the conduct at issue violated the COPPA Rule. Yet, as explained below, this is a burden the FTC in many cases would be unable to meet, which brings us back to the Supreme Court’s decision in Safeco.
Safeco did not involve claims brought by the government. It involved private actions against two insurance company defendants, GEICO and Safeco, based on asserted violations of the FCRA, which requires insurance companies to provide notice to consumers before taking any “adverse action” relating to policy coverage. The portion of FCRA allowing for private rights of action conditions liability on proof that the defendant “willfully” violated the Act’s consumer notice requirements. One of the two defendants, Safeco, failed to give notice to consumers seeking new insurance policies on the mistaken belief that FCRA’s notice requirement “did not apply” in the context of “initial applications” where there was no record of “prior dealing.” The central question before the Court was whether such a mistake of law could constitute a “willful” violation. On the facts presented, the Court concluded it could not.
The Court began its analysis by considering whether FCRA’s willful violation language applied “only to acts known to violate the Act.” It concluded that “willfulness” encompassed “not only knowing violations of a standard, but also reckless ones as well.” “[K]nowing violations,” the Court observed, “are sensibly understood as a more serious subcategory of willful ones.” However, in the circumstances of the case, the Court held that even the lesser standard of “recklessness” was not satisfied because “Safeco’s reading of the statute, albeit erroneous, was not objectively unreasonable.”
The Court came to this conclusion in part based on the view that FCRA’s statutory text, taken alone, was “less-than-pellucid” and allowed for more than one reasonable interpretation, as discussed above. The Court then considered whether there was any “authoritative guidance” either from “the courts of appeals or the Federal Trade Commission” (the sole federal agency charged with “enforcement responsibility” for FCRA) that “might have warned away” from Safeco’s statutory interpretation, and concluded there was not. “[N]o court of appeals had spoken on the issue,” the Court noted, and the only FTC guidance the plaintiffs could point to was an FTC staff letter “that explicitly indicated that it was merely ‘an informal staff opinion . . . not binding on the Commission.’” “Given this dearth of guidance” and the lack of clarity provided by the statutory text, “Safeco’s reading” of its statutory requirements “was not objectively unreasonable,” and fell “well short” of a reckless violation, much less a knowing one. Summarizing its holding, the Court said, “Where, as here, and relevant court and agency guidance allow for more than one reasonable interpretation, it would defy history and current thinking to treat a defendant who merely adopts one such interpretation as a knowing or reckless violator.”
Lower courts have subsequently applied Safeco in the context of various other federal regulatory and statutory schemes, and generally have done so with a focus on two key questions: (1) whether the defendant applied “a facially reasonable interpretation” of “undefined” or “ambiguous” legal standards; and (2) whether the defendant was “warned away from its interpretation” by authoritative governmental guidance.
For example, in United States ex rel. Purcell v. MWI Corp., the defendant, MWI, was found liable for violating the False Claims Act (“FCA”), which requires proof that the defendant knowingly submitted a false claim for payment to the government. The central allegation was that MWI had falsely certified, in a loan application to the Export-Import Bank, a U.S. agency, that it had paid only “regular commissions” in connection with certain water pump sales. In the view of the district court, while this terminology had not been previously defined through authoritative written guidance from the Bank, it was “not so ambiguous” that MWI lacked “notice that, in the government’s view, the term” had a different and broader meaning than the one MWI applied. The district court thus allowed the case to go to a jury, and the jury found MWI liable.
The problem, as noted by the D.C. Circuit on appeal, was that the government bore the burden of proving that MWI “knowingly” presented false claims. The FCA’s requirement of “a knowing violation,” the court stated, means that “the FCA does not reach an innocent, good-faith mistake about the meaning of an applicable rule or regulation. Nor does it reach those claims made based on reasonable but erroneous interpretations of a defendant’s legal obligations.” Applying the standards articulated by the Supreme Court in Safeco, the D.C. Circuit first considered MWI’s interpretation of the term “regular commissions” and concluded it was not “objectively unreasonable.” The question then was “whether there was sufficient evidence that MWI was warned away from its interpretation.” The court concluded that the government had failed to meet its burden in the regard, as it did not “point[] to sufficient record evidence” of “‘guidance from the court of appeals’ or relevant agency ‘that might have warned [MWI] away from the view it took,’” which required that the jury’s verdict be overturned.
Attempting to avert reversal, the government in Purcell made a host of arguments aimed at establishing that MWI should have been “warned away” from its interpretation. Each of these arguments was in turn rejected by the D.C. Circuit. The government argued there was evidence that an officer of the Bank “told MWI” information contradicting its interpretation of regular commissions; the appeals court said this “hardly amounts to the necessary ‘authoritative guidance’ from the Bank,” underscoring Safeco’s holding that “informal guidance . . . is not enough.” The government next argued that MWI employees “knew they were applying the wrong definition.” The court likewise rejected this argument, emphasizing that the Supreme Court in Safeco “clarified that subjective intent . . . is irrelevant when a defendant seeks to defeat a finding of knowledge based on its reasonable interpretation of a regulatory term”; instead, “the court’s focus is on the objective reasonableness of the defendant’s interpretation.” Finally, the government made arguments to the effect that, as a policy matter, MWI’s interpretation was “incompatible with the Bank’s basic purposes,” while “the government’s interpretation” in this regard “was the better one.” The appeals court categorically rejected this, stating, “That MWI’s interpretation may not be the best interpretation does not demonstrate that MWI’s interpretation was necessarily unreasonable.” In conclusion, the court signaled that, “[h]ad the government wanted to avoid [the] consequences” of alternative legal interpretations such as MWI’s, “it could have defined its regulatory term to preclude them.”
The D.C. Circuit acknowledged in Purcell that “strict enforcement” of “the FCA’s statutory knowledge requirement helps to ensure that innocent mistakes made in the absence of binding interpretive guidance are not converted into FCA liability, thereby avoiding potential due process problems posed by ‘penalizing a private party for violating a rule without first providing adequate notice of the substance of the rule.’” According to the court, the FCA’s “knowledge requirement” thus plays “an essential role” in ensuring “‘the adequacy of notice to [a regulated party] that his conduct is proscribed.’”
The same applies in the context of Section 5(m) (1) (A) of the FTC Act. As discussed above, through Section 5(m) (1) (A)’s “actual knowledge or knowledge fairly implied” language Congress created an express “mistake-of-law defense,” protecting private parties from the “onerous” burden of civil penalties where they may have violated an FTC rule owing to a mistaken legal interpretation adopted in the absence of clear guidance.
Risks to the FTC in Future COPPA Litigation
Although no one charged by the FTC with a COPPA violation has ever before gone to court and litigated defenses to the FTC’s claims, in the future parties finding themselves in this position may wish to consider whether litigation would be preferable to settlement, particularly a settlement accompanied by large monetary penalties. As explained above, in cases involving enforcement of ambiguous COPPA Rule provisions, the FTC may be vulnerable to legal challenges focusing on the Commission’s burden, as a predicate to obtaining civil penalties, to “prove that the violations were committed knowingly or with knowledge fairly implied based on objective circumstances.”
A review of past FTC COPPA complaints shows that the FTC often does not even include factual allegations focused on substantiating that the asserted violations were knowingly committed, or at most makes conclusory allegations lacking specific factual support. The common approach in COPPA complaints is simply to include a boilerplate allegation that the defendant violated the COPPA Rule with “the knowledge required by Section 5(m)(1)(A) of the FTC Act.” Yet the legal authorities discussed above suggest that the failure to plead and prove facts demonstrating an actual knowing violation of the law would bar the FTC from obtaining civil penalties. In fact, the FTC’s standard boilerplate and conclusory approach to pleading this required element of proof could make future Commission COPPA complaints vulnerable to motions to dismiss.
Fundamentally, the problem for the FTC is that Section 5(m)(1)(A)—as the Supreme Court itself recently concluded—“explicitly” creates “a mistake-of-law defense.” Yet in many COPPA cases the defendant may have good grounds to argue that its conduct, at worst, reflected a mistaken understanding of what the COPPA Rule required or prohibited. As the D.C. Circuit held in Purcell, “statutory knowledge requirement[s]” like those found in the FCA and Section 5(m)(1)(A) of the FTC Act are designed to “ensure” that such “innocent mistakes” of law “are not converted into . . . liability” when they are “made in the absence of binding interpretive guidance.” And in the COPPA context this is a key consideration. For reasons explained above, in proving that a defendant knew or should have known it was violating the COPPA Rule, the FTC would likely be required to rely upon the express standards articulated in the Rule itself. The “extensive” additional guidance provided in the COPPA FAQs is very unlikely to be considered “authoritative,” and hence cannot be relied upon by the Commission to demonstrate what a defendant knew or should have known about the lawfulness of its actions.
Because there are no litigated FTC COPPA precedents, there are no examples to point to showing how such issues have played out in court. But there are analogous cases involving different federal laws. For instance, in Proctor the claim was that Safeway violated the FCA by improperly reporting its “usual and customary prices” on pharmaceutical sales to the government, as required by Medicare and Medicaid regulations. On appeal, the Seventh Circuit carefully considered whether, following the Supreme Court’s Safeco framework, Safeway could be found to have violated the FCA. The complainant contended that Safeway’s interpretation and application of the term “usual and customary price” was noncompliant and conflicted with “authoritative guidance” from the responsible agency, the Centers for Medicare and Medicaid Services (“CMS”). Yet, as the court explained, the CMS Manual in question, while adopted and published by agency staff, was not “binding on” the agency and thus did “not constitute ‘authoritative guidance.’” The Proctor decision observed that many courts similarly have concluded that “documents such as the CMS Manual,” which provide staff-level “guidance” and “directives” but were not formally adopted “through notice and comment” procedures, “are not binding as a matter of law” and do not constitute “authoritative guidance” as contemplated by Safeco. “Because there was no authoritative guidance warning Safeway away from its interpretation of the law,” the court held “that Safeway’s position . . . was objectively reasonable” and it was thus entitled to summary judgment.
While arising in a different statutory context, the Proctor decision may provide a good example of the challenges the FTC may face in litigation if it continues to follow the current approach of pursuing COPPA claims, and seeking increasingly large amounts in civil penalties, based on ambiguous Rule provisions that are clarified and explained, if at all, only in publications generated by agency Staff expressly disavowing that they comprise official statements of policy binding upon the Commission. Even in order to satisfy its pleading burdens in a COPPA case seeking civil penalties, the FTC should be required to allege facts demonstrating that the defendant knew its conduct violated the COPPA Rule, or reasonably should have known this based on the text of the Rule itself, not taking into account any additional unofficial guidance provided by agency Staff. And in cases in which the defendant asserts that it complied with an alternative, objectively reasonable interpretation of the Rule, it would be the FTC’s burden to plead and prove that the asserted alternative interpretation was not in fact objectively reasonable or that the Rule itself contained language to “warn” the defendant “away” from that interpretation.
Conclusion
Child privacy is undeniably a serious issue deserving of focused attention from federal and state law enforcement agencies. The FTC justifiably has prioritized COPPA enforcement and no doubt will continue to do so. But as the FTC proceeds down this path, it should be mindful of the agency’s responsibility to provide clear and authoritative notice of the standards it intends to enforce. Parties who may find themselves subject to FTC scrutiny for their compliance with COPPA are entitled to be warned, in advance, of the standards they will held to comply with. And to the extent the FTC fails to do this in a manner that complies with applicable law, it too should be held accountable.
While the FTC has continued to bring new cases enforcing COPPA’s technical and sometimes confusing standards, no private party has yet availed itself of the courts to combat the FTC’s claims or to challenge the manner in which the FTC has chosen to communicate and provide notice of the legal standards the agency enforces. In the right case, there may well be good cause to put the FTC to its burden to proof, including its burden to prove that defendants engaged in knowing violations of the COPPA Rule. As discussed in this article, given how unclear many COPPA standards are and the dearth of clarifying Commission guidance, in many cases this would be a difficult standard for the FTC to meet.
