How does the safe harbor program affect COPPA compliance?

The FTC's safe harbor program won't necessarily ease COPPA compliance requirements for enterprises. Expert Mike Chapple reviews the seven regulations the FTC will definitely enforce.

Can you explain the concept of the FTC's COPPA "safe harbor" program? Does it ease the compliance burden for e...


The Children's Online Privacy Protection Act (COPPA), enacted in 1998, is one of the earliest online privacy protection laws in the United States. It applies to any commercial online service directed at children under the age of 13 or any general purpose commercial online service that knowingly collects information from children under the age of 13. Online services that fit into either of those categories must comply with seven regulations spelled out by the Federal Trade Commission (FTC):

  1. "Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children;
  2. Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
  3. Give parents the choice of consenting to the operator's collection and internal use of a child's information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
  4. Provide parents access to their child's personal information to review and/or have the information deleted;
  5. Give parents the opportunity to prevent further use or online collection of a child's personal information;
  6. Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
  7. Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use."

The Federal Trade Commission is required by law to review and certify Safe Harbor programs that consist of self-regulatory frameworks for complying with the COPPA regulations. Organizations that fully participate in one of these programs are "deemed to be in compliance" with COPPA by the FTC. There are currently seven Safe Harbor programs certified by the FTC. These programs, which include TRUSTe's Children's Privacy Program, ESRB Kids Seal and the Better Business Bureau's Children's Advertising Review Unit, allow businesses that work with the personal information of children to certify their compliance with the FTC regulations.

Safe Harbor programs do not ease the compliance burden for regulated websites -- they provide a way for an organization to certify its compliance through participation in a self-regulatory program. The true value offered by the Safe Harbor is the exemption from FTC enforcement actions that the law provides for organizations participating in the Safe Harbor initiative.


This was last published in December 2014
