COPPA Safe Harbor

Overview
The Children's Online Privacy Protection Act (COPPA) established a safe harbor for participants in FTC-approved COPPA self-regulatory programs. With the safe harbor provision, Congress intended to encourage industry members and other groups to develop their own COPPA oversight programs, thereby promoting efficiency and flexibility in complying with COPPA’s substantive provisions. COPPA's safe harbor provision also was intended to reward operators’ good faith efforts to comply with COPPA. The Rule therefore provides that operators fully complying with an approved safe harbor program will be "deemed to be in compliance" with the Rule for purposes of enforcement. In lieu of formal enforcement actions, such operators instead are subject first to the safe harbor program’s own review and disciplinary procedures.

Section 312.10 of the Rule sets forth the criteria the FTC uses to approve applications for safe harbor status under COPPA. First, the self-regulatory program must contain guidelines that protect children’s online privacy to the same or greater extent as the Rule and ensure that each potential participant complies with these guidelines. Second, the program must monitor the participant’s practices on an ongoing basis to ensure that the participant continues to comply with both the program’s guidelines and the participant’s own privacy notices. Finally, the safe harbor program must contain effective incentive mechanisms to ensure operators' compliance with program guidelines.