The Children’s Online Privacy Protection Act (COPPA) gives parents control over what information websites can collect from their kids. The COPPA Rule puts additional protections in place and streamlines other procedures that companies covered by the rule need to follow. The COPPA FAQs can help keep your company COPPA compliant. Learn about the COPPA Safe Harbor Program and about organizations the FTC has approved to implement safe harbor programs. You can also get information about ways to get verifiable parental consent – including new methods the Commission has approved – and the process for seeking approval for new methods.
Consumers care about the privacy and security of their health-related information. If your company makes privacy promises – either expressly or by implication – the FTC Act requires you to live up to those claims. In addition, even if you don’t make specific claims, you still have an obligation to maintain security that's appropriate in light of the nature of the data you possess. Also, if you experience a data breach, the Health Breach Notification Rule may apply to your business. Companies covered by the Rule must take specific steps following a breach. Another key resource: the Statement of the Commission on Breaches by Health Apps and Other Connected Devices.
Does your business use consumer reports or credit reports to evaluate customers’ creditworthiness? Do you consult reports when evaluating applications for jobs, leases, or insurance? Here’s information about your responsibilities under the Fair Credit Reporting Act and other laws when using, reporting, and disposing of information in those reports.
Many companies keep sensitive personal information about customers or employees in their files or on their network. Having a sound security plan in place to collect only what you need, keep it safe, and dispose of it securely can help you meet your legal obligations to protect that sensitive data. The FTC has free resources for businesses of any size.
The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.
Are you up on the Red Flags Rule? (Sometimes it’s referred to as one of the Fair Credit Reporting Act’s Identity Theft Rules and it appears in the Code of Federal Regulations as “Detection, Prevention, and Mitigation of Identity Theft.”) The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or red flags – of identity theft in their day-to-day operations.
If you work for a business looking to transfer data between the EU and the United States, the FTC has resources to point you in the right direction. On July 17, 2023, the European Commission issued an adequacy decision on the EU-U.S. Data Privacy Framework (DPF). This new voluntary Framework, which replaces the Privacy Shield program, provides a mechanism for companies to transfer personal data from the EU to the United States in a privacy-protective way consistent with EU law. To join the Data Privacy Framework, a company must self-certify to the Department of Commerce that it complies with the Data Privacy Framework Principles. A participating company’s failure to comply with the Principles may violate Section 5 of the FTC Act’s prohibition on unfair and deceptive acts. The FTC is committed to vigorous enforcement of the DPF Principles, and works with privacy authorities in the EU to protect consumer privacy on both sides of the Atlantic. For more information, including how to join, visit the Data Privacy Framework Program. The Data Privacy Framework site also features a searchable list of participating businesses.
Update on the Privacy Shield Framework:
On July 16, 2020, the European Court of Justice issued a judgment declaring invalid the European Commission’s Decision 2016/1250/EC of July 12, 2016 on the adequacy of the EU-U.S. Privacy Shield Framework. We continue to expect companies to comply with their ongoing obligations with respect to transfers made under the Privacy Shield Framework. We also encourage companies to continue to follow robust privacy principles, such as those underlying the Privacy Shield Framework, and to review their privacy policies to ensure they describe their privacy practices accurately, including with regard to international data transfers. Updated on July 21st, 2020.
Update on the U.S.-EU Safe Harbor Framework
On October 6, 2015, the European Court of Justice issued a judgment declaring invalid the European Commission’s July 26, 2000 decision on the legal adequacy of the U.S.-EU Safe Harbor Framework. On July 12, 2016, the European Commission issued an adequacy decision on the EU-U.S. Privacy Shield Framework. This new Framework, which replaces the Safe Harbor program, provides a legal mechanism for companies to transfer personal data from the EU to the United States. The FTC will enforce the Privacy Shield Framework. We continue to expect companies to comply with their ongoing obligations with respect to data previously transferred under the Safe Harbor Framework. More information on the new framework is on the FTC’s Privacy Shield Framework page. Updated on July 25th, 2016.
If your company designs, develops, or sells mobile apps, smartphones, or other tech tools, the FTC has resources to help you consider the privacy and security implications of your products and services. In addition, the FTC sponsors conferences and issues reports about consumer protection issues on the technology horizon.