Amended COPPA Rules Expand Data Privacy Protections

By | January 24, 2013

Posted in: Network Security Trends

The amended Children’s Online Privacy Protection Act (COPPA) takes effect July 1, 2013. In today’s world, as those of us in security and compliance know all too well, the same information that enables our business and moves our world quickly to the latest and greatest innovation puts our private information and that of our friends and family at risk. Given the difficulty many of us face in helping our adult customers and clients in the workforce understand the negative repercussions of “sharing too much,” one can only imagine how next to impossible it would be to educate children under the age of 13. This is where COPPA comes in. Its goal is still to protect the online privacy of children and ensure those who collect information on children are accountable for their activities.

Those of you familiar with the act may remember back in the late 1990s when news reports were aired showing how easy it was for strangers to get access to our children’s data. At that time it was possible for anyone to gain detailed listings of children’s ages, addresses, and personal information merely by sending a couple of hundred dollars to database firms. The information collected was readily available and extensive due to the growth of the Internet and proliferation of databases created by schools, hospitals, government agencies, clubs, etc.

The privacy issues were further compounded by the lack of standards, oversight, and regulation over anyone’s private data, much less that of children. So it was that in 2000, COPPA took effect. The main requirements that the Act mandated owners/operators of a website to follow included: a detailed privacy policy, verification of parental consent prior to any data collection on a child under 13, disclosure of what information was collected, the right to revoke, assurances that limited information would be gathered when a child used the website for games, contests, etc., and a general agreement that the owner or operator of the website would take steps to protect the security and privacy of a child’s personal information.

In recent years it has become evident that technology has moved past the original safeguards outlined in the 2000 Act, and in 2010 the Federal Trade Commission began the update process. Some of the areas that needed to be addressed included mobile devices and social media. These two factors have greatly changed the way we collect and disseminate the personal information of children, and anyone with a child understands how ubiquitous social media and smartphones are with today’s youth. The digital world we live in requires that we consider mobile applications, social media plug-ins, third-party platforms, etc. when we have meaningful discussions regarding privacy.

A few of the more significant expansions to the Act include additions to the definition of “personal information.” It now includes geo-location, photos, audio files, video files, screen/user names, and also identifiers that can, over time, be used to identify a child across several websites, such as IP address, mobile ID, etc. The Act now includes a safe harbor based on screening for age, and it has language to clarify what disclosures need to be included in parental notifications and privacy policy notices regarding the online service’s information gathering practices and children.

There is of course much more in the amended COPPA Rule than what has been discussed in this brief article, and it is highly recommended that businesses that collect information on children, directly or indirectly, evaluate their information gathering practices and consult their respective legal representatives to ensure the amendments to COPPA are well understood.

About the Author: Jo Dee Pederson has 20 years of combined project management and security experience. She has enjoyed a professional life rich in variety starting with crisis management in the United States Coast Guard which helped prepare her for five years at a small newspaper, writing and editing copy, and then making the move into IT where she has worked in security and compliance and IT technical project management ever since. Jo Dee is also a past ISACA President for the Alaska Chapter and has volunteered as an ISC2 Safe and Secure Internet Safety instructor.

Editor’s Note: The views expressed in this article are the opinions of the author. Security Bistro is not responsible for the article’s content or messaging.

