You Are Viewing Children

New California Right of Erasure

Posted by fgilbert on January 2nd, 2015

The “Privacy Rights for California Minors in the Digital World Act” came into effect as of January 1, 2015. Business & Professions Code §22581 creates a “right of erasure” which has numerous similarities with the “right to be forgotten” or “right of erasure” that is written into the proposed EU Data Protection Regulation.

The California law requires an operator of an internet website, online service, online or mobile application (web service) who has actual knowledge that minors are using its service to permit a minor who is a registered user of that web service to request and obtain the removal of content or information posted on the web service by that user.

The web service must inform its users of this right to remove or obtain the removal of content or information and provide clear instructions on how a user may remove or request and obtain the removal of such content or information.

The law only applies to content or information that the user has posted on the web service. It does not address content or information posted by a third party. Only content posted by users themselves can be removed at the request of the user.

The law does not address content posted by third parties, such as “revenge porn.” The law provides for several exceptions to this right of erasure. They include, among others, where the content has been anonymized, where the minor has received compensation or consideration for providing the content, and where applicable law requires the web service to maintain the content or information.

A web service is deemed compliant with the law if it renders the content or information no longer visible to other users, even if the content or information remains on the web service’s servers in some form.

Yelp to pay $450,000 penalty for COPPA violation

Posted by fgilbert on September 17th, 2014

The Federal Trade Commission has announced a proposed settlement with Yelp, Inc. for COPPA violations. The FTC alleged that, for five years, Yelp illegally collected and used the personal information of children under 13 who registered on its mobile app service.

According to the FTC complaint, Yelp collected personal information from children through the Yelp app without first notifying parents and obtaining their consent. The Yelp app registration process required individuals to provide their date of birth. Several thousand registrants provided a date of birth showing they were under 13 years old. Even though it had knowledge that these registrants were children, Yelp did not follow the requirements of the COPPA Rule and collected their personal information without proper notice to, and consent from, their parents. Information collected included name, e-mail address, geolocation, and any other any information that these children posted on Yelp. In addition, the complaint alleges that Yelp did not adequately test its app to ensure that users under 13 were prohibited from registering.

Under the terms of the proposed settlement agreement, among other things, Yelp must:

  • pay a $450,000 civil penalty;
  • delete information it collected from individuals who stated they were 13 or younger at the time they registered for the service; and
  • submit a compliance report to the FTC in one year outlining its COPPA compliance program.

In a separate action, FTC alleged that TinyCo also improperly collected Children information in violation of COPPA. Under the settlement agreement between TinyCo and the FTC, TinyCo will pay a $300,000 civil penalty.

Article 29 Working Party’s Opinion on Mobile App Privacy

Posted by fgilbert on March 15th, 2013

On March 14, 2013, the European Union’s Article 29 Working Party published its opinion on the unique privacy and data protection issues faced by applications used on mobile device.  The 30-page opinion provides an analysis of the technical and legal issues, and concludes with a series of recommendations to app developers, platform developers, equipment manufacturers and third parties.

In many respects, this new opinion of the Article 29 Working Party is very similar to the document that the Federal Trade Commissions has published recently on the same topic.  It addresses many themes also found in the FTC documents regarding the use of mobile applications in general, or that mobile applications directed to children.

The Article 29 Opinion WP 202 provides two series of recommendations for application developers.  The first set of recommendation is in fact a recitation of general principles set forth in the proposed Data Protection Regulation, but adapted to the specific context of the mobile world, with references to location data, unique device identifier, SMS.   There are also references to other modern concepts, such as privacy design, also found on the proposed Data Protection regulation, but absent from Directive 95/46/EC, the directive currently in effect.

The second set of recommendations to application developers includes specific guidance on the actions to be taken.  These include:

  • Adopting appropriate measures that address the risks to the data;
  • Informing users about security breaches;
  • Telling users what types of data are collected or 
accessed on the device, how long the data are retained and what security measures are used to protect these data;
  • Developing tools to enable users to decide how long their data should be retained, based on their specific preferences and contexts, rather than offering pre-defined retention terms;
  • Including information in their privacy policy dedicated to European users;
  • Developing and implementing simple but secure online access tools for users, without collecting 
additional excessive personal data;
  • Developing, in cooperation with OS and device manufacturers and others, innovative solutions to adequately inform users on mobile devices, such as through layered information notices combined with meaningful icons.

The remainder of the recommendations is addressed to app stores, OS and device manufacturers, and third parties.

The protection of children reappears as a common theme in the different recommendations to the different players in the mobile market.  Each set of recommendations provided in WP 202 stresses that they should limit their collection of information from children, and especially refrain from processing children’s data for behavioral advertising purposes, and refrain from using their access to a child’s account to collect data about the child’s relatives or friends.

New FTC COPPA Rule will better protect 21st century children

Posted by fgilbert on December 19th, 2012

The Federal Trade Commission final updated COPPA Rule, published this morning (December 19, 2012),  brings child protection online to the 21st century. While most of the high level requirements, which stem directly from the Child Online Privacy Protection Act (COPPA) remain unchanged, the updated Rule contains references to modern technologies such as geolocation, plug-ins and mobile apps, and modern methods of financing websites, such as behavioral targeting. It also takes into account more than ten years of practice and attempts to address some of the shortcomings and complexities of the prior rule. For example, the new Rule requires better accountability from Safe Harbor programs, which will have to annually audit their members and also report annually to the FTC on the outcome of these annual reviews.  It also requires better accountability from companies.  Companies that release children personal information to third parties service providers or otherwise will be responsible for ensuring that these third parties are capable of protecting the confidentiality, security and integrity of children’s personal information, and that they actually do provide these protections when handling the children information in their custody.

 

More covered entities

The new definition of “operator” now also covers website or online service directed to children that integrate outside services, such as a plug-in or ad network.  The new definition of “website or online service” will also include plug-ins and ad networks that has actual knowledge that it is collecting personal information through a child-directed website or service.

 

More personal information protected

The definition of personal information is expanded to include:

  • Geolocation information
  • Photos, videos, and audio files that contain a child’s image or voice
  • Persistent identifiers, such as IP address or mobile device IDs, that can be used to recognize a user over time and across different websites or online services.

 

More permitted activities

Conversely, more activities are specifically permitted. These contextual advertising, frequency capping, legal compliance, site analysis, and network communications. However, this does not include behavioral advertising. Parental consent is required when using or disclosing information to contact a specific person or develop a profile on that person.

 

New form of disclosures

The Rule still requires a direct notice to parents in addition to the online notice of information practices, but it streamlines what website or service must disclose in their online privacy statements describing their information practices.

 

New forms of parental consent

The new Rule offers more ways in which parents can communicate their consents. These additional means include electronic scans of signed parental consent forms (in addition to mail and fax), videoconferencing, use of government-issued ID, and use of online payment systems (other than credit or debit cards) that provides notification of each discrete transaction to the primary account holder.

 

Stronger security and confidentiality

While operators continue to be responsible for protecting the confidentiality, security and integrity of children’s information, they will be required, in addition, to ensure, before releasing information to service providers and third parties, that these entities are capable of maintaining the confidentiality, security, and integrity of the information. They will be responsible for obtaining assurances that these measures will be maintained.

 

New limited retention and disposal rules

Operators will be expected to retain personal information collected online from a child for only as long as reasonably necessary to fulfill the purpose for which the information was collected. They will also be required to delete such information by using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.

 

New monitoring and reporting requirements

The new Rule strengthens the FTC’s oversight of safe harbor programs. Safe harbor programs will be required to arrange for annual assessment of operators compliance with the program guidelines, and to provide the FTC with an annual report of the aggregated results of these independent assessments.

 

Proposed Changes to FTC COPPA Rule

Posted by fgilbert on August 1st, 2012

The FTC has issued a NPRM seeking comments on proposed changes to the COPPA Regulations. These changes are intended to take into account the evolution of web technologies, such as plug-ins and the use third party cookies and ad networks; they would also clarify some of the requirements for websites that contain child-oriented material that may appeal to both parents and children. This new NPRM pertains to changes to the COPPA Regulation that diverge from previously proposed changes that the FTC presented in its September 2011 proposal.

  • Expansion of the definitions of “operator” and “website or service directed to children”

The proposed changes to the definitions of “operator” and “website or online service directed to children” would clarify that an operator that integrates the services of third parties that collect personal information from visitors of its site or service would itself be considered a covered “operator” under the Rule. Further, an ad network or plug-in would also be subject to COPPA if it knows or has reason to know that it is collecting personal information through a child-directed site or service.

  • Clarification of the definition of “personal information”

The proposed change the definition of “personal information” would make it clear that a persistent identifier – e.g., a persistent cookie – would be deemed “personal information” subject to the Rule if it can be used to recognize a user over time or across different sites or services.

However, the use of tracking technologies or identifiers for authenticating users, improving navigation, for site analysis, maintaining user preferences, serving contextual ads, and protecting against fraud and theft would not be considered the collection of “personal information” if the collected data is not used or shared to contact a specific individual, e.g. for behaviorally-targeted advertising.

  • Mixed audience websites

The proposed changes would also clarify that mixed audience websites that contain child-oriented content and whose audience includes both young children and others, including parents, would be allowed to age-screen all visitors in order to provide COPPA’s protections only to users under age 13. However, those child-directed sites or services that knowingly target children under 13 as their primary audience or whose overall content is likely to attract children under age 13 as their primary audience would still be required to treat all users as children

  • Text of the Notice of Proposed Rule Making

The text of the Notice of Proposed Rule Making is available at http://www.ftc.gov/os/2012/08/120801copparule.pdf

Mobile App Privacy Webinar on April 19, 2012

Posted by fgilbert on April 17th, 2012

On Thursday April 17, 2012, at 10am PT / 1pm ET, I will be moderating and presenting at a one-hour webinar organized by the Practising Law Institute: “A New Era for Mobile Apps?  What Companies Should Know to Respond to Recent Mobile Privacy Initiatives”.

The webinar will start with an overview of the technologies and ecosystem that surround the operation and use of mobile application, presented by Chris Conley, Technology and Civil Liberties Attorney, ACLU Northern California (San Francisco).

Patricia Poss, Chief, BCP Mobile Technology Unit, Federal Trade Commission (Washington DC) will then comment on the two reports recently published by the Federal Trade Commission:  “Mobile Apps for Children” (February 2012) and the final report “Protecting Consumer Privacy in an Era of Rapid Change”, which both lay out a framework for mobile players (March 2012).

I will follow with an overview of the recent agreement between the California State Attorney General and six major publishers of mobile apps, which sets up basic rules and structures for the publication and enforcement of mobile app privacy policies, and the Consumer Privacy Bill of Rights, which was unveiled by the White House in February 2012.  I will end with suggestions for implementing privacy principles in the mobile world.

To register for this webinar, please visit PLI website.

 

FTC issues Report on Kids Privacy & Mobile Apps

Posted by fgilbert on February 16th, 2012

On February 16, 2012, the FTC released a new Report on Privacy issues in Mobile Apps. There are good lessons to be drawn from the document, both for mobile apps developers and for companies that operate websites. What is true for mobile apps is generally also true for websites.

Among other things, the report recommends:

  • Everyone – stores, developers and third parties providing services – should play an active role in providing key information to parents.
  • Information about data practices should be provided in simple and short disclosures.
  • It should be clear whether the app connects with social media
  • It should be clear whether it contains ads.
  • Third parties that collect data also should disclose their privacy practices.
  • App stores also should take responsibility for ensuring that parents have basic information.

The full report is available at: http://www.ftc.gov/opa/2012/02/mobileapps_kids.shtm


Never too Small to Face an FTC COPPA Action

Posted by fgilbert on November 9th, 2011

Some companies think that they are small and can fly under the radar, and need not worry about compliance.  They should rethink their analysis of their legal risks after the recent FTC action against a small social networking site.

On November 8, 2011 the FTC announced a proposed settlement with the social networking site www.skidekids.com, which collected personally information from children without obtaining prior parental consent, in violation of COPPA, and made false statements in its website privacy notice, in violation of the FTC Act.

In this case, the personal information of 5,600 children was illegally collected. This was much less than the violations identified in some of the recent FTC COPPA enforcement actions. For example, the 2006 action against Xanga revealed that Xanga had collected 1.7 million records, the 2008 action against Sony, that Sony had collected 30,000 records, and the 2011 action against W3 Innovations identified 50,000 illegally collected records.

The Problem

The social networking site Skid-e-kids targeted children ages 7-14 and allowed them to register, create and update profile information, create public posts, upload pictures and videos, send messages to other Skid-e-kids members, and “friend” them.

According to the FTC complaint, the website owner – a sole proprietor – was prosecuted for:

  • Failing to provide sufficient notice of its personal data handling practices on its website;
  • Failing to provide direct notice to parents about these practices; and
  • Failing to obtain verifiable parental consent.

In addition, these practices were found to be misleading and deceptive, which in turn was deemed to violate Section 5 of the FTC Act.

The site online privacy statement claimed that the site requires child users to provide a parent’s valid email address in order to register on the website and that it uses this information to send parents a message that can be used to activate the Skid-e-kids account, to notify the parent about its privacy practices, and that it can use the contact information to send the parent communications about features of the site.

According to the FTC, however, Skid-e-kids, actually registered children on the website without collecting a parent’s email address or obtaining permission for their children to participate. Children who registered were able to provide personal information, including their date of birth, email address, first and last name, and city.

The Proposed Settlement

The proposed Consent Decree and Settlement Order against Jones O. Godwin, sole owner of the site www.skidekids.com is available at http://www.ftc.gov/os/caselist/1123033/111108skidekidsorder.pdf. The proposed settlement would:

  • Bar Skid-e-Kids from future violations of COPPA and misrepresentations about the collection and use of children’s information.
  • Require the deletion of all information collected from children in violation of the COPPA Rule;
  • Require that the site post a clear and conspicuous link to www.onguardonline.gov, the FTC site focusing on the protection of children privacy, and that the site privacy statement as well as the privacy notice for parents also contain a reference to the On Guard Online site;
  • Require that, for 5 years, the company engaged qualified privacy professionals to conduct annual assessments of the effectiveness of its privacy controls or become a member in good standing of a COPPA Safe Harbor program approved by the FTC;
  • Require that, for 8 years, records be kept to demonstrate compliance with the above.

A lenient fine … subject to probation

An interesting aspect of the proposed settlement is that the settlement, in effect, imposes only a $1,000 fine to the defendant. The fine is to be paid within five days of the entry of the order. However, if Skid-e-Kids fails to comply with some of the requirements of the Settlement, it will have to pay the full $100,000 fine that is provided for in the settlement.

Specifically, a $100,000 will be assessed if:

  • The defendant fails (a) to have initial and annual privacy assessment (for a total of 5 annual assessments) conducted by a qualified professional approved by the FTC and identifying the privacy controls that have been implemented, how they have been implemented and certifying that the controls are sufficiently effective; or (b) to become a member in good standing of a COPPA Safe Harbor program approved by the FTC for 5 years; or
  • The disclosures made about the defendant’s financial condition are materially inaccurate or contain material misrepresentations.

The Lesson for Site with Children Content

This new case is a reminder that the COPPA Rule contains specific requirements that must be followed, no matter the size of the site, when intending to collect children personal information. The COPPA rule defines procedures and processes that must be followed rigorously.

Among other things, the COPPA Rule requires websites that are directed to children and general audience websites that have actual knowledge that they are collecting children information to:

  • Place on its website a conspicuous link to its privacy statement;
  • Provide specified information in the website privacy statement, describe in clear terms what personal information of children is collected, how it used, and explain what rights children and parents have to review and delete this information;
  • Provide a notice directly to the parents, which must include the website privacy statement, and inform the parents that their consent is required for the collection and use of the children’s information by the site, and how their consent can be obtained;
  • Obtain verifiable consent from the parents before collecting or using the children’s information;
  • Give parents the option to agree to the collection and use of the children’s information without agreeing to the disclosure of this information to third parties.

In addition, we suggest also including, clearly and conspicuously, (a) in the website privacy statement; (b) in the notice to parents; and (c) at each location where personal information is collected a notice that invites the user to visit the On Guard Online website of the Federal Trade Commission for tips on protecting children’s privacy online: www.onguardonline.gov/topics/kids-privacy.aspx.

 

 

 

FTC proposes changes to the COPPA Rule

Posted by fgilbert on September 15th, 2011

On September 15, 2011, the Federal Trade Commission published for comments its proposed amendment to the current COPPA Rule, which is codified as 16 CFR Part 312. This proposed amendment is based on the information and comments collected during several public round tables and other consultations with the public and stakeholders in 2010. The text of the Proposed Amendment can be found at http://www.ftc.gov/os/2011/09/110915coppa.pdf. Written comments must be received on or before November 28, 2011.

The Commission proposes modifications to the Rule in the following areas:

  • Definitions;
  • Parental notice and consent mechanisms;
  • Confidentiality and security;
  • Self-regulatory safe harbor programs.

What Will Not Change

While the proposed amendment would make some significant changes in some areas, a number of issues that had raised questions will not be affected. For example:

  • The definition of “child” will not change. The Rule will continue to protect children under 13, and not minors or other teens.
  • The amendment does not propose a clarification of what constitutes “actual knowledge” that a site is collecting information of children. This is unfortunate, since this question is the source of many problems for companies.

Several Revised Definitions

The proposed amendment would modify and clarify a number of definitions of crucial terms. Some of these clarifications will likely be welcomed by the service providers. Other changes significantly expand the scope of the defined terms, to take into account the changes and advances in technology and online practices. For example, the proposed amendment addresses the now ubiquitous use of behavioral targeting and location information. Several definitions are affected.

Definition of “Personal Information”

The proposed amendment would expand the definition of “personal information.” The new definition would include a customer identification number held in a cookie, an IP address, a processor or device number, or a unique device identifier that is used for functions other than internal operations of the website. Among other things, this addition would cover tracking cookies used for behavioral advertising.

The proposed amendment would also add geolocation information as well as photographs, videos and audio files that contain a child’s image or voice to the definition of personal information protected under COPPA.

Definition of “Collection”

The new definition of “collection” would clarify that the Rule covers the online collection of personal information both when an operator requires the personal information and when the operator merely prompts or encourages a child to provide such information.

The revised definition would permit a website operator to allow children to participate in interactive communities without parental consent, provided that the operator take reasonable measures to delete “all or virtually all” children’s personal information before it is made public, and to delete it from its records.

Definition of “Release of Personal Information”

The amendment would define the term “release” of personal information separately from the definition of “disclosure.” A “release” would be the sharing selling, renting, or transfer of personal information to a third party.

Definition of “Online Contact Information”

The definition of “Online Contact Information” would be expanded to include instant message user identifier, VoIP identifier, and video chat user identifier.

Parents’ Notice and Consent Requirements

The amendment would provide much needed improvements to the rules that pertain to giving notice to parents and custodians and obtaining their consent.

Methods to be Used to Provide Parental Notice

COPPA requires that the parents be notified both on the operator’s website and in a notice delivered directly to the parent whose child seeks to register on the site or service. The proposed amendment would streamline the parental notice requirement. Key information would be presented to parents succinctly in a “just-in-time” notice, in addition to being presented in a privacy policy.

There are also proposed changes to the content of the notice. For example, all operators of a website would have to provide contact information including name, physical and email address, and telephone numbers. In addition, the amendment would streamline the content requirements for the notice.

Parental Consent Mechanisms

The proposed amendment would add new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database.

Concurrently, the proposed amendment would eliminate the “email – plus” method of parental consent which allows operators to obtain consent through an email to the parent, coupled with another step, such as sending a delayed email confirmation to the parent after receiving consent.

Confidentiality and Security Requirements

The amendment would strengthen the existing confidentiality and security requirements and would introduce new data retention and disposal requirements.

Data Retention and Deletion

The amendment would introduce a data retention and deletion requirement, which would require the data to be retained only for as long as is necessary to fulfill the purposes for which it was collected. In addition, the proposed amendment would require the operator of a website or service to delete the child’s personal information by taking reasonable measures to protect against unauthorized access to, or use of the information in connection with its disposal.

Service Providers

The amendment proposes adding a requirement that operators ensure that service providers or third-parties to whom they disclose a child’s personal information have in place reasonable procedures to protect it.

This requirement is consistent with similar requirements that are in place in most – if not all – laws, regulations, rulings, and standards that address the protection of personal information. In all cases, the data custodian who gives access to personal information to a third party is responsible for ensuring that the third party protects the data with privacy, confidentiality, and security measures at least as stringent as those that the data custodian is required to use.

Safe Harbor

Finally, the amendment would strengthen the COPPA Safe Harbor Programs. It would modify the criteria for approval of self-regulatory guidelines and introduce new reporting and record keeping requirements. The amendment would require the Safe Harbor Programs to audit their members at least annually and report periodically to the Commission the results of these audits.

Comments Invited

The FTC has invited comments to the proposed amendment. These comments must be received by November 28, 2011.

Conclusion

The proposed amendment to the COPPA rule provides numerous significant additions and clarifications to the existing Rule. It takes into account changes in practices and technologies to adapt to the new forms of using online services. It also takes into account some of the obstacles encountered and questions asked by online services – and their advisors – when trying to implement some of the provisions of COPPA. While the amendment would improve and simplify the procedures to be used to notify parents and obtain their consent, it remains to be seen whether companies will be able to provide elegant and reliable methods for signing up children with their parents’ consent.

How to Protect Children From Child Predators and Cyberbullies in Social Networking Sites

Posted by fgilbert on January 14th, 2010

It is easy register as a user on a site using a different identity than the actual one. A 14 year old can pretend to be 25 and set up a profile on most social networking sites. As a result, minors have been able to find their way onto sites that were intended for adults. In some cases, they have become the victims of child predators whom they met online. Governments and legislators are looking at age verification as a way to protect minors from inappropriate contacts on the Internet. This article explores some of the issues raised by age verification and looks at the status of laws and government enforcement actions that focus on keeping minors out of sites that are not intended for them, or not prepared to handle them.

 

1. Background

The case John Doe v. SexSearch.com (Case. No. 3:07 CV 604 U.S. Dist. Ct N. District of Ohio) provides an example of encounters that may result where there is no verification of the age or other information provided by a registrant. SexSearch.com offers an online adult dating service intended for a mature audience. For more detailssee the version of this article published in the Shidler Journal of Law, Commerce + Technology Shortly after he became a member of SexSearch.com, John Doe located Jane Roe’s profile, which provided Jane Roe’s birth date, her age (18), and an authentic image of Jane Roe at her then-current age. After chatting online through SexSearch.com, the two decided to schedule a sexual encounter. The meeting went as planned, and the two engaged in consensual sexual relations. (more…)