DRAFT - April 29, 1999

Frequently Asked Questions (FAQs)

Self-Certification

Q:  How does an organization self-certify that it adheres to the safe harbor principles?

A:  To self-certify for the safe harbor, organizations will need to provide to the Department of Commerce, or its designee, a letter, signed by a corporate officer, that contains at least the following information:

            -- where it is available for viewing by the public,

            -- its effective date of implementation [this will be tied to the "grace period" which has yet to be determined],

            -- a contact person for the handling of complaints, access requests, and any other issues arising under the safe harbor,

            -- the specific statutory bodies that have jurisdiction to hear any claims against the organization regarding possible unfair or deceptive practices,

            -- name of any privacy programs in which the organization is a member,

            -- method of verification (e.g. in-house, third party)*, and

            -- third party that will investigate unresolved complaints.

The Department (or its designee) will maintain a list of all organizations that self-certify for the safe harbor. Both the list and the self-certification letters submitted by the organizations will be made publicly available. All organizations that self-certify for the safe harbor must also state in their published privacy policy statements that they adhere to the safe harbor principles. Any misrepresentation to the Department or to the general public concerning an organization's adherence to the safe harbor principles may be actionable by the Federal Trade Commission or other relevant statutory body.

*See FAQ on verification