Foghorn Whistle Blows: Navigating the New COPPA Safe Harbor Program Transparency and Reporting Requirements
In 1998, Congress adopted a flexible co-regulatory model for industry compliance as part of the Children’s Online Privacy Protection Act (COPPA).
The Safe Harbor provision (15 U.S.C. § 6503) allows operators—who are otherwise subject to regulation under COPPA—an opportunity to satisfy the law’s compliance obligations by following Federal Trade Commission (FTC) approved self-regulatory guidelines.
Since 2000, companies that operate child-directed online services, mixed-audience services that are likely to interact with children under 13, and general audience services that want to ensure they do not trigger the COPPA rule, have worked with BBB National Programs’ Children’s Advertising Review Unit (CARU) to operationalize industry best practices under our FTC-approved Children’s Online Privacy Guidelines and COPPA.
At CARU, we also continue to support industry best practices adopted in advertising under our longstanding Children’s Advertising Guidelines and under Section 5 of the FTC Act.
The revision process, which began in 2019, has seen the FTC add new language to the final COPPA Rule that further clarifies the transparency obligations of Safe Harbor programs. For companies who work with or are thinking about working with a Safe Harbor program, parents looking to learn more about children’s online privacy, and the general public, let’s break down what these changes mean for compliance with the primary US children’s online privacy and safety law.
Safe Harbor Requirements
Under the COPPA Rule, self-regulatory organizations that establish guidelines for children’s privacy are required to submit proposals to the FTC. If the FTC approves these safe harbor guidelines, the self-regulatory organization must adhere to further requirements concerning assessment of participants, reports to the FTC, and record keeping on participant matters to maintain status as an approved safe harbor.
The COPPA Rule sets out three criteria for approval of a self-regulatory program. The program must:
- Ensure operators provide substantially the same—or greater—protections for children as the substantive provisions of the COPPA Rule;
- Maintain an effective and independent annual assessment mechanism to comprehensively review a participant’s policies, practices, and representations for adherence to the guidelines; and
- Maintain disciplinary actions for a participant’s non-compliance with the guidelines.
Under these criteria, the organization must demonstrate that they can assess a participant’s COPPA-related practices, specifically practices related to parental notice and consent, age gating, parental rights, data minimization, data security, data retention, and data deletion.
The post-2013 COPPA Rule (the Rule prior to the recent revision) already imposed notable transparency obligations on Safe Harbors. Safe Harbor organizations must submit an annual report to the FTC containing the following elements:
- An aggregated summary of the results of the independent assessments;
- A description of any disciplinary action taken against any participant;
- A description of any approvals of member operators’ use of a parental consent mechanism approved by the Safe Harbor.
Information regarding the program must be maintained for a period of not less than three years, and, if requested by the FTC, the program must make available:
- Consumer complaints alleging violations of the guidelines;
- Records of disciplinary actions; and
- Results of independent assessments.
Safe Harbor programs are also obliged to promptly respond to FTC requests for additional information regarding the program. Finally, the FTC must approve any proposed revisions to the guidelines.
Revised Transparency Obligations
Under the recent COPPA Rule amendments, the annual report requirements for Safe Harbors have been slightly revised. In addition to the elements of an annual report listed above, annual reports must now include:
- A narrative description of the Safe Harbor program’s business model, including whether it provides additional services (e.g., trainings);
- Copies of each consumer complaint related to each participant’s violation of a Safe Harbor program’s guidelines;
- A description of the process for determining whether a participant is subject to discipline (this is in addition to the description of each disciplinary action taken against a participant required under the earlier version of the Rule).
Additionally, one new section of the Rule requires approved Safe Harbor programs to submit a technical report every three years detailing the Safe Harbor program’s technological capabilities and mechanisms for assessing a participant’s compliance obligations. The FTC also added language to clarify that it “reserves the right to revoke any approval” if at any time it determines that an approved self-regulatory program does not meet the requirements of the Rule.
Further, the revised Rule now specifies that the Safe Harbors’ independent annual assessments should evaluate each participant’s “privacy and security” policies, practices, and representations. This type of assessment has long been a practice of CARU, and our 2024 comments to the COPPA Rule NPRM reflected our approval of this clarifying change, which will ensure that Safe Harbors make efforts to evaluate the data security practices of participating businesses.
CARU feels confident that these changes will allow even more parents, policy makers, and businesses to understand the value of safe harbors as a compliance mechanism under COPPA.
We look forward to working with our participants and the FTC to ensure that independent industry self-regulation remains a robust oversight mechanism that encourages best practices that align with—or even exceed—the responsibilities Congress assigned online services to protect children’s data privacy.