Privacy and Security
The Children’s Online Privacy Protection Act (COPPA) gives parents control over what information websites can collect from their kids. The COPPA Rule — with new provisions in effect on July 1, 2013 — puts additional protections in place and streamlines other procedures that companies covered by the rule need to follow. If you run a website designed for kids or have a website geared to a general audience but collect information from someone you know is under 13, you must comply with COPPA’s requirements. Questions? Send them to CoppaHotLine@ftc.gov.
Does your business use consumer reports or credit reports to evaluate customers’ creditworthiness? Do you consult reports when evaluating applications for jobs, leases, or insurance? Here's information about your responsibilities under the Fair Credit Reporting Act and other laws when using, reporting, and disposing of information in those reports.
Many companies keep sensitive personal information about customers or employees in their files or on their network. Having a sound security plan in place to collect only what you need, keep it safe, and dispose of it securely can help you meet your legal obligations to protect that sensitive data. The FTC has free resources for businesses of any size.
The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.
The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or red flags – of identity theft in their day-to-day operations.
The EU-U.S. Privacy Shield Framework provides a method for companies to transfer personal data to the United States from the European Union (EU) in a way that is consistent with EU law. To join the Privacy Shield Framework, a company must self-certify to the Department of Commerce that it complies with the Privacy Shield Principles. A company’s failure to comply with the Principles is enforceable under Section 5 of the FTC Act prohibiting unfair and deceptive acts. The FTC has committed to make enforcement of the Framework a high priority, and will work together with EU privacy authorities to protect consumer privacy on both sides of the Atlantic. The Framework replaces the U.S.-EU Safe Harbor Program.
The Department of Commerce has created a Fact Sheet with an overview of the protections provided and how the program works. More detailed information is available at the Department of Commerce Privacy Shield Website.
Update on the U.S.-EU Safe Harbor Framework
On October 6, 2015, the European Court of Justice issued a judgment declaring invalid the European Commission’s July 26, 2000 decision on the legal adequacy of the U.S.-EU Safe Harbor Framework. On July 12, 2016, the European Commission issued an adequacy decision on the EU-U.S. Privacy Shield Framework. This new Framework, which replaces the Safe Harbor program, provides a legal mechanism for companies to transfer personal data from the EU to the United States. The FTC will enforce the Privacy Shield Framework. We continue to expect companies to comply with their ongoing obligations with respect to data previously transferred under the Safe Harbor Framework. More information on the new framework is on the FTC’s Privacy Shield Framework page. Updated on July 25th, 2016.
If your company designs, develops, or sells mobile apps, smartphones, or other tech tools, the FTC has resources to help you consider the privacy and security implications of your products and services. In addition, the FTC sponsors conferences and issues reports about consumer protection issues on the technology horizon.