Can you explain the concept of the FTC's COPPA "safe harbor" program? Does it ease the compliance burden for e...
The Children's Online Privacy Protection Act (COPPA), enacted in 1998, is one of the earliest online privacy protection laws in the United States. It applies to any commercial online service directed at children under the age of 13 or any general purpose commercial online service that knowingly collects information from children under the age of 13. Online services that fit into either of those categories must comply with seven regulations spelled out by the Federal Trade Commission (FTC):
- Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
- Give parents the choice of consenting to the operator's collection and internal use of a child's information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
- Provide parents access to their child's personal information to review and/or have the information deleted;
- Give parents the opportunity to prevent further use or online collection of a child's personal information;
- Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
- Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
The Federal Trade Commission is required by law to review and certify Safe Harbor programs that consist of self-regulatory frameworks for complying with the COPPA regulations. Organizations that fully participate in one of these programs are "deemed to be in compliance" with COPPA by the FTC. There are currently seven Safe Harbor programs certified by the FTC. These programs, which include TRUSTe's Children's Privacy Program, ESRB Kids Seal and the Better Business Bureau's Children's Advertising Review Unit, allow businesses that work with the personal information of children to certify their compliance with the FTC regulations.
Safe Harbor programs do not ease the compliance burden for regulated websites -- they provide a way for an organization to certify its compliance through participation in a self-regulatory program. The true value offered by the Safe Harbor is the exemption from FTC enforcement actions that the law provides for organizations participating in the Safe Harbor initiative.