i-SAFE, Inc. Application for Safe Harbor #546345-00015

Submission Number:
Chris Rettstatt
Initiative Name:
i-SAFE, Inc. Application for Safe Harbor

For more than a decade (since before COPPA became law) I've been providing companies with guidance on how to comply with best practices when it comes to protecting the privacy and safety of children online. I've run online communities for children, and I've consulted on the creation of others. I've worked very closely with COPPA requirements since it was enacted in 1998. I've followed the developments closely and with the critical eye necessary for any legislation that concerns an issue as important as the privacy of children. As a fan of self-regulatory initiatives and the Safe Harbor program in particular, I've been waiting eagerly to see new applications. In particular, I hoped to see more organizations provide guidelines that not only enforce COPPA, but also offer something of value beyond the Rule. CARU is an excellent example of this. I believe i-SAFE has this potential as well, though that potential is not realized in this application. Overall, i-SAFE's application is thorough and has a few strong points, such as the Qualification Audit Review and the trademark infringement component of the Participant License Agreement. On the other hand, the Periodic Monitoring Review is weak in its current form. The pieces are there, but the language of the application undermines any potential value: "Periodic monitoring reviews may be quarterly, semi-annual, annual, or bi-annual, which shall be determined and conducted by i-SAFE at its sole and complete discretion." i-SAFE's application focuses on the obligations of its participants, but it is unacceptably vague regarding its own obligations. i-SAFE should revise its application to commit to a more specific program of periodic monitoring. The current language could be interpreted to mean that monitoring may not happen at all. Regarding complaint resolution, i-SAFE's application states that "i-SAFE reserves the right, in its sole discretion, to characterize any complaint/dispute as frivolous, vexatious or harassment and to dismiss/reject it." Though I understand the necessity for i-SAFE to limit its legal exposure, I believe this language goes too far. i-SAFE should be able to make this characterization only when such a characterization is reasonable. i-SAFE should not give itself the power to dismiss any complain that it may find inconvenient. More concerning than the above items, however, is the fact that i-SAFE has not made its own website compliant with the requirements of COPPA. While it may not be required to do so by law due to its not-for-profit status, its compliance is demanded by industry best practice, particularly considering its Safe Harbor aspirations. The i-SAFE application should not be approved until i-SAFE's own website is in order. i-SAFE needs to post a link to its Privacy Statement on the main page of its "Kids & Teens" section as well as other pages where it intends to collect information from children. In addition, the Privacy Statement itself needs a number of changes in order to become compliant. In short, I believe that i-SAFE's application is very thorough when it comes to obligations of its potential Safe Harbor clients but weak in terms of its own obligations. I recommend rejecting the application until these issues have been resolved. Regards, Chris -- Chris Rettstatt http://www.linkedin.com/in/rettstatt