Silicon Valley Apps for Kids: COPPA BASICS Laura D. Berger April 22, 2013 The views expressed herein are those of the speaker, and do.
Download
Report
Transcript Silicon Valley Apps for Kids: COPPA BASICS Laura D. Berger April 22, 2013 The views expressed herein are those of the speaker, and do.
Silicon Valley Apps for Kids: COPPA
BASICS
Laura D. Berger
April 22, 2013
The views expressed herein are those of the speaker, and do not
represent the views of the Commission or any individual Commissioner.
1
Agenda
• FTC privacy law basics.
• Intro to FTC business education materials.
• Discussion of the Children’s Online
Privacy Protection Act, including existing
requirements and 2013 changes, which
will take effect on July 1, 2013.
2
FTC Jurisdiction
• FTC Act (Section 5) prohibits unfair or
deceptive acts and practices in or affecting
commerce
• FTC also enforces 45 other statutes and
more than 30 trade regulation rules
Privacy standards the FTC enforces include
Children’s Online Privacy Protection Act
(“COPPA”), as well as other laws, such as the
Gramm-Leach-Bliley Act and the Fair Credit
Reporting Act.
3
FTC Act (Section 5)
Deception a material representation or
omission that is likely to mislead consumers
acting reasonably under the circumstances
Unfairness practices that cause or are
likely to cause substantial injury to consumers
that are not outweighed by countervailing
benefits to consumers or competition and are
not reasonably avoidable by consumers.
Note: Section 5 and COPPA violations often are alleged in tandem –
e.g., if you say you don’t collect information from kids under 13, but
you do.
4
FTC Advice for App Developers
5
• Tell the truth about what your app can do.
• Disclose key information clearly and
conspicuously.
• Build privacy considerations in from the start.
• Be transparent about your data practices.
• Offer easy to find and easy to use choices.
• Honor your privacy promises.
• Protect kids’ privacy.
• Collect sensitive information only with
consent.
• Keep user data secure.
6
Children’s Online Privacy
Protection Act (COPPA)
• COPPA is the only child-specific federal privacy law in the US.
• Goals are to:
– Permit parents to make informed choices about when and how
children’s personal information is collected, used, and disclosed
online; and
– Enable parents to monitor their children’s interactions and
help protect them from the risks of inappropriate online
disclosures.
• Among other things, operators of commercial websites and
online services must provide NOTICE and obtain parents’
CONSENT before collecting personal information from children
under age 13.
7
Overview of Changes to Rule
•
•
•
•
•
•
•
Definitions
Online and Direct Notices
Parental Consent Mechanisms
Confidentiality and Security of Children’s PI
Data Retention and Deletion
Safe Harbor Programs
New Voluntary Processes for FTC Approval
8
COPPA Enforcement
• FTC actively enforces COPPA.
• Agency has filed 21 federal court actions,
and has obtained over $8.4 million in civil
penalties.
9
Federal Court Orders
• FTC is authorized to seek up to
$16,000/violation in penalties, and may also
seek:
• Deletion of personal information collected
without parental consent;
• Employee education and written
acknowledgement;
• Written compliance report to FTC; and
• Consumer education.
10
Who must comply under current
Rule?
• Operators of commercial websites and online
services directed to children that collect,
maintain, or provide the opportunity to disclose
personal information or “PI.”
• Operators of general audience sites and
services (including teen/tween sites) with actual
knowledge that they collect kids’ PI.
• Entities on whose behalf operators collect the
information
11
Additional Operators as of July 1, 2013
• An operator of a child-directed site or service that
allows another person to collect PI directly from its
users, either: (1) as an agent or service provider,
OR (2) for the operator’s “benefit”, which applies
to child-directed sites/services that embed 3rd
party content collecting PII. (Under the Rule, the
Operator benefits from this collection, even if the
Operator does not access the PI itself).
• A site/service that has actual knowledge it is
collecting PII directly from users of a child-directed
site/service. (See revised def’n of “Website/Online
Service Directed to Children.”)
12
“Directed to Children”
Many factors: subject matter, visual content, age of models,
language, graphics, activities, or incentives; whether ads
promoting or appearing on the site or service are directed to
children; evidence re intended audience; empirical evidence
about audience composition.
• 2013 Changes: Sets forth criteria up front and – Adds music and celebrities appealing to children.
– Adds that a service collecting PI directly from users of a childdirected site is covered when it has “actual knowledge” it’s
collecting on a such a site.
– Allows a child-directed site/service that does not target U13
children as its primary audience to age-screen to provide
COPPA protections only to U13 children.
13
“Directed to Children”: Mobile Apps
14
General Audience Site/Service
• Must have actual knowledge that it has collected
PII from a child.
• “Actual knowledge” can come from asking a
child’s age, grade, birthday, other age-identifiers.
May also come from notification from a
concerned parent or other individual.
15
Personal information
2013 Definition:
• First and Last Name
•
• Physical address (including •
street name and city/town)
• E-mail address
• Social Security Number
• Telephone number
• A screen name revealing email
•
• A persistent identifier
combined with personal
information or “PI”
• Any information tied to PI •
Underlined items remain the same
Three items are virtually the same
• Online contact info is very
similar to email address.
• Geolocation info (sufficient to
identify street name and
city/town) – Commission
already said this was covered
under old rule.
• Screen/user names (that
function as online contact info)
Persistent Identifiers (e.g., IP
address, UDID, information stored
in a cookie, processor or device
serial numbers)
Photos, Videos, or audio files
containing a child’s image or voice
16
“Collects or Collection”
• Requesting, prompting, or encouraging that
children submit personal information online, even
when optional.
• Enabling children to make the information public,
e.g., in a chat room or profile.
• Passive tracking linked to personal information.
• 2013 Changes to definition:
– replace the “100% deletion standard” with a
“reasonable measures” standard:
• This enables operators to provide interactive communities for
children, without parental consent, so long as they take
reasonable measures to delete all or virtually all of a child’s
PI before it is made public.
17
What must Operators do under COPPA?
• Post a privacy policy and links to the policy
wherever personal information is collected.
• Give parents direct notice of information
practices.
• With certain exceptions, obtain verifiable
parental consent before collecting information.
And . . .
18
…Operators also must:
• Provide parents access and opportunity to delete child’s
personal information and opt-out of future collection.
• Limit collection of personal information.
• Establish and maintain reasonable procedures to protect
the confidentiality, security, and integrity of personal
information.
• 2013: Operators must (1) “take reasonable steps to
release [children’s PI] only to parties capable of
maintaining its security”; (2) retain PI only as long as
reasonably necessary to fulfill the purpose; (3) properly
delete PI by taking reasonable measures to protect
against unauthorized access to or use in connection with
deletion.
19
Notices (Revised)
• Improves the “direct notice” to:
• Ensure that key information is presented to parents in a
succinct “just-in-time” notice;
• Provide a clear roadmap for operators as to content of direct
notice depending upon its collection and use practices.
• Streamlines the privacy policy by requiring a simple
statement of:
• Who is collecting information – all operators at the
site/service
• What information collected and how used;
• That parent has control of the information.
Parental Consent
• Must be reasonably calculated, in light of available
technology, to ensure that person providing
CONSENT is the child’s parent (or legal guardian).
• The Rule provides a non-exhaustive list of approved
methods to satisfy this requirement.
• Can use another method, follow a safe harbor, or
seek Commission approval of additional methods.
Verifiable Parental Consent:
2013 Changes
• Add new methods:
– electronic scans of signed consent forms,
– video-conferencing, or
– use of government issued ID checked against a database and
deleted promptly thereafter,
– use of a debit card or other online payment system, if it provides
notification of each monetary transaction.
• Retains “Email Plus”
• Adds 2 new approval procedures:
– Commission approval – voluntary 120 day notice and
comment
– Safe Harbor approval – use of any method permitted by an
approved program.
22
New Exceptions to Consent
• (1) Where site/service collects parent’s online
contact info (but no other PI from child) to
keep the parent informed of a child’s
activities;
• (2) Where site/service collects persistent
identifier (but no other PI) for sole purpose of
providing “support for internal operations.”
• (3) Where a plug-in collects persistent
identifier on a child-directed site/service (but
no other PI) from a 13+ previously registered
user.
23
“Support for Internal Operations”
• Using persistent identifiers for these purposes does not
require notice and consent:
–
–
–
–
–
–
–
Maintain/analyze functioning of site/service
Perform network communications
Authenticate users/personalize content on site/service
Serve contextual ads, cap frequency of ads
Protect the integrity of the site/service
Ensure legal/regulatory compliance
Does not permit use for behavioral targeting or any
other purposes.
– Can seek Commission approval to add to the list.
(Will publish for comment and determine within 120
days).
24
Data Security: Review of Changes
Strengthens the Rule’s confidentiality, security, and
integrity provision by:
• Adding a requirement that operators take reasonable
steps to release children’s PI only to parties capable of
maintaining its security.
Adds a data retention and deletion provision to:
• Retain children’s PI for only as long as is reasonably
necessary to fulfill the purpose for which it was collected;
and,
• Properly delete PI by taking reasonable measures to
protect against unauthorized access to or use in
connection with its deletion.
Review: Voluntary Approval
Processes
• Parental consent methods: Request for Commission
approval of new mechanisms
• Support for internal operations of the website or
online service: Request for Commission approval to add
new activities to the definition of support for internal
operations
• All requests published for public comment
• Commission determination within 120 days of request
Self-Regulatory
Safe Harbor Programs under COPPA
• There are 5 approved safe harbors:
–
–
–
–
–
Aristotle, Inc. www.aristotle.com/integrity
CARU www.caru.org
ESRB www.esrb.org
Privo, Inc. www.privo.com
TRUSTe www.truste.com
• An operator participating in and complying with
an FTC-approved safe harbor will be deemed to
be in compliance with the Rule.
27
Review: Other Changes
• Strengthens COPPA Safe Harbors
• Improves the “direct notice” to parents to:
– Ensure that key info is presented in a
succinct, “just-in-time” notice;
– Provide a clear roadmap for operators as to
content of direct notice depending on its
collection and use practices.
• Streamlines the privacy policy
28
FTC Resources for businesses
29
• Questions?
30