

The DMA Safe Harbor Program
Guide for Businesses

Business Checklist for Safe Harbor Implementation

Review the US Department of Commerce's Safe Harbor Framework requirements to determine if this is the best solution for your organization's needs. The Department of Commerce's website is www.export.gov/safeharbor.

Review the DMA's publication, The US Direct Marketer's Guide to Compliance with the Safe Harbor Program for European Data, for guidance on this subject.

Designate an executive to be responsible for your organization's compliance with the safe harbor framework.

Develop a company privacy policy that meets the requirements of the safe harbor framework by assessing your company's business practices in the following areas:

Data Analysis:

Analyze data intake flows, data uses, and transfers to third parties.

Notice to Customers:

  1. Determine to whom, and when, notices must be given;
  2. Assure notices are drafted accurately and are given at all appropriate times and places; and
  3. Determine the manner in which notice is made publicly available.

Provide consumers with the opportunity to opt out or opt in, depending on the nature of the data. Set up appropriate procedures to respect consumers' opt-out/opt-in requests, particularly with respect to consumers' requests not to be approached for direct marketing (i.e., an in-house suppression system). Opting out should not require consumers to incur any fee or expense beyond a first-class stamp or phone call.

Onward Transfer:
Determine the need for contracts with respect to the transfer of information to third parties.

Set up procedures to give customers the ability to access their personal information and to correct it where it is inaccurate.

Set up procedures to ensure that customers' personal information is protected and secure.

Data Integrity:
Set up procedures to ensure that the customer's personal information is reliable, accurate, complete, current and used for its intended purposes.


  1. Refer consumers to your customer service department or other in-house dispute handling program to address their data privacy complaints; and
  2. Utilize the DMA Safe Harbor Program as the required independent third-party dispute resolution mechanism to address any unresolved in-house consumer data privacy complaints.

Establish an annual compliance review process by adhering to either:

  1. An internal self-assessment compliance review - you need to develop procedures for periodic objective reviews of compliance with your privacy policy and complaint handling; or
  2. An outside third-party assessment review/audit.

[Note: The DMA Safe Harbor Program does not provide this auditing function as a part of its service.]


  1. Assure all personnel receive general training in your safe harbor privacy policy. More extensive training should be provided to personnel who have access to or deal with the data; and
  2. Modify employee/personnel policies to provide for training and discipline for failure to follow your policy.

Self-Certify to the US Department of Commerce (DOC):

File a self-certification letter with the DOC. This may be done electronically at www.export.gov/safeharbor, or by letter to the US Department of Commerce, Attention: Safe Harbor Register, Room 2009, Washington, DC 20230.

Re-certify to the DOC on an annual basis through the web site or by letter.

Provide DMA Safe Harbor Program with the following documents:

A copy of your safe harbor privacy policy;
Company contact information cover sheet;
DMA Safe Harbor Contract; and
Annual Safe Harbor Contract fee.

Also, please make sure that your company is a DMA member. DMA membership is a pre-condition to participate in the DMA Safe Harbor Program.

Please send application and fee to:

Direct Marketing Association
Attn: Safe Harbor Program
1615 L Street NW, Suite 1100
Washington, DC 20036
