TRANSCRIPT
Kids and Privacy Around the World
International Privacy + Security Forum 2019
Presented by:
Meredith HalamaPartner, Perkins Coie LLP
Mark WattsPartner, Bristows LLP
Agenda
Kids Privacy in the US
Kids Privacy under the GDPR
Kids Privacy Around the Globe
Section 1
Kids Privacy in the US
Introduction to Kids Privacy in U.S.
In the U.S., kids get special privacy protections:
• Online: Children’s Online Privacy Protection Act (COPPA) and its implementing regulations
• In schools: federal and state laws
COPPA: Who is Covered
“Operators” of websites and other “online services”:
• That are directed to children under 13
• With actual knowledge that they are collecting personal information from children under 13 (even if the website or online service is not directed to children)
• With actual knowledge that they are collecting personal information from users of a site or service that is directed to kids (third-party obligations)
COPPA: What Information is Covered
“Personal information,” including:
• First and last name
• A home or other physical address, including street name and name of a city or town
• Online contact information
• A screen or user name that functions as online contact information
• A telephone number
• A Social Security number
• A photograph, video, or audio file, where such file contains a child’s image or voice
• Geolocation information sufficient to identify street name and name of a city or town
• Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above
• and….
COPPA and Persistent IDs
Under COPPA, persistent identifiers that can be used to recognize a user across different websites or online services over time are personal information. This includes a cookie number, an IP address, a processor or device serial number, or a unique device identifier.
But the parental notice and consent requirements do not apply if the identifier is used solely to support the internal operations of the site or service (e.g., authentication, security, maintaining user preferences, frequency capping of ads), is not used to show behaviorally targeted ads, profile a user, or contact a specific individual, and no other personal information is collected.
COPPA Obligations
1. Post a clear and comprehensive online privacy policy describing information practices for personal information collected online from children
2. Provide direct notice to parents
3. Obtain “verifiable parental consent,” with limited exceptions, before collecting personal information online from children
COPPA Obligations (cont’d)
4. Provide parents access to their child's personal information to review and/or have the information deleted
5. Give parents the opportunity to prevent further use or collection of their child's personal information
6. Maintain the confidentiality, security, and integrity of information collected from children
7. Don’t require kids to provide more personal information than is reasonably needed to participate in the service/offering.
Verifiable Parental Consent Options
“Verifiable parental consent” is required prior to collecting any personal information from a child (unless the only item collected is a persistent identifier used to support internal operations).
The method must be “reasonably calculated,” in light of available technology, to ensure that the person providing consent is the child’s parent.
• If the service discloses personal information to third parties, or allows children to share personal information publicly, then available methods include verifying the parent’s government-issued ID against a reliable database (deleting the ID promptly after verification), having the parent sign and return a consent form, charging the parent’s credit card or other payment method in connection with a monetary transaction, and other equally robust methods.
• If the operator will NOT disclose the child’s personal information to third parties (e.g., will use the information only for internal purposes), “email plus” is sufficient: an email request for consent coupled with an additional step, such as a confirmatory email sent after a delay, or confirmation by letter or phone call.
Regulatory Enforcement
FTC: can impose civil penalties of over $40K per violation (adjusted annually for inflation). Areas of enforcement activity:
• Not directed to children but actual knowledge of users under 13 (Yelp - $450K settlement)
• Directed to children and collecting personal information (Musical.ly - $5.7M settlement; TinyCo - $300K settlement) or allowing targeted ads (Retro Dreamer - $300K settlement)
• Third parties collecting personal information through child-directed sites and apps (InMobi - $950K settlement)
State AGs: the NY AG’s office reached a $4.95 million settlement with Oath, Inc. for targeting ads to kids; New Mexico has brought claims against an app developer and a host of ad tech companies
No private right of action under COPPA
Class Action Claims
Nevertheless, claims have been brought against Disney and others alleging that conduct violating COPPA also constitutes other violations (e.g., a claim for intrusion upon seclusion, or a violation of the right to privacy under the California constitution)
Motions to dismiss on preemption grounds pending
Education Privacy: Federal
The Family Educational Rights and Privacy Act (FERPA) applies to educational agencies and institutions that receive funds under any program administered by the Secretary of Education
Protects “education records”: records containing information directly related to a student and which are maintained by an educational agency or institution, or by a party acting on their behalf
Protected PII includes the student’s name, parent/family member names, address, and similar identifiers
Does NOT apply directly to providers of technologies that collect information from or about students, but educational institutions push down obligations under the “school official” exception for sharing
Education Privacy: State
Many state laws bind tech providers directly
• Some only apply to education-specific tech products
• Others apply to any technology used in the classroom
Generally require:
• Use of personal information only to provide the service
• NO use of information for targeted ads/profiling
• Securing the data
• Particular contractual commitments to schools
Section 2
Kids Privacy under the GDPR
Introduction to Kids Privacy under the GDPR
Children are identified as “vulnerable individuals” deserving of “specific protection”
Where consent is the legal basis for processing personal data in connection with an information society service (i.e., an online service) offered directly to a child, that consent must be given or authorised by someone with parental responsibility rather than by the child
• Default age below which parental consent is required is 16, but member states can go as low as 13
• Offline vs online distinction can be significant (e.g., Uber 2017 case)
GDPR leaves in place member state laws governing the validity, formation or effect of a contract in relation to a child
Kids and Legitimate Interests
• Special care is needed in conducting a legitimate interests analysis for children’s data, given the sensitivity of that data and the special protections for children
• Need to build privacy of children into the product from the beginning
• Take the age of the children into account (younger need more protection, older less) – recent case law
• Specific protection should apply to the “use of personal data of children for the purposes of marketing or creating personality or user profiles” and when offering services directly to a child
Parental Consent under the GDPR
Consent must be given or authorised by the holder of parental responsibility over the child
GDPR requires consent to be:
• Freely given (e.g., no detriment to refusing; can be withdrawn)
• Specific (e.g., given in relation to specific purposes)
• Informed (e.g., after being provided with certain information, but before processing begins)
• An unambiguous indication of wishes (a statement or clear affirmative action is required; pre-ticked boxes and silence do not count)
When consent is given by the parent for the child, the controller must make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology
What is (and is Not) Sufficient for Parental Consent
What are “reasonable efforts” to verify that parent?
Varies depending upon the risks inherent in the processing and the technology that is available
Collecting an email address only to send an email to the child:
• A declaration that the user is old enough to provide their own consent, or a declaration of parental consent and responsibility, via a tick box or email confirmation = sufficient
Allowing the child to post publicly:
• More is needed -- e.g., a third-party verification service to verify the user’s age or the identity of the person claiming parental responsibility
Need to keep in mind other data protection principles, such as data minimisation, when verifying age or the parental relationship
Source: blog.superawesome.com/2018
Age of Consent in Different Countries
Austria: 14
Belgium: 13
Bulgaria: 16 (14)*
Croatia: 16
Cyprus: 14
Czech Republic: 16 (15)*
Denmark: 13
Estonia: 16 (13)*
Finland: 13
France: 15
Germany: 16
Greece: 16 (15)*
Hungary: 16
Ireland: 16
Italy: 14
Latvia: 13
Lithuania: 14
Luxembourg: 16
Malta: 13
Netherlands: 16
Poland: 16
Portugal: 16 (13)*
Romania: 16
Slovakia: 16
Slovenia: 16 (15)*
Spain: 14
Sweden: 13
UK: 13
*Exact age not yet finalized; the figure in parentheses is the proposed national age
Source: https://www.betterinternetforkids.eu/en_US/web/portal/practice/awareness/detail?articleId=3017751#EE
Data Subject Rights and Kids
Any information presented specifically to a child must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
• Need to give information directly to kids, even when getting consent from the parent
• Often see a simple notice for the child and a fuller notice for the parent or guardian
All rights ordinarily afforded to the data subject directly must be exercisable by the parent or guardian if the child is not competent to exercise them, e.g.:
• Parent must be able to access the child’s data
• Parent must be permitted to request deletion
• Parent must be able to restrict processing where applicable
Plus the right not to be subject to decisions based solely on automated processing (including profiling) that have a legal or similarly significant effect, unless an exception applies.
How do you know if you’re offering an ISS to a child?
Per ICO Guidance:
• Yes, if you explicitly state that the service is for children, or have children of any age as the target audience
• Yes, if the service is made available to all users without any age restrictions, or the age restrictions allow users under the age of 18
• No, if only made available to users 18+, but
• In the event of a complaint, the ICO may look for evidence that the limit is applied in practice
• It may also consider evidence such as site content, marketing plans, systems or processes designed to limit access, and information provided to users
How do you know if you’re offering an ISS to a child? (cont’d)
Per ICO Guidance:
• Need to carefully consider the target audience and be clear about what age group you intend to allow.
• If you decide not to offer the service to children, need to consider how to mitigate the risk of them gaining access, using measures that are proportionate to the data protection risks inherent in the processing.
Key Considerations for Kids in the EU
• Need to do a DPIA?
• What is the age of consent where the service will launch?
• What obligations do you incur if you learn that a user is under 16 (or under the age for which parental consent is required in the relevant member state) after you have collected personal information from the user?
• What about third-party technologies (e.g., trackers)?
• Guidance on verifying parental consent?
• Distinguish between child-safe pages (e.g., landing pages)?
• Can a zero-data version be provided (e.g., for games)?
• Does that mean you need to age-gate?
• Is monetization possible?
Implications of offering content that may appeal to kids
ICO: consider whether children are able or likely to access the product or service; if they are, you may end up processing children’s personal data
Section 3
Kids Privacy Around the Globe
Key Steps for a Global Launch
Identify and prioritize target jurisdictions
• Outside of the U.S., children’s data is considered sensitive by regulators, but there are generally no laws explicitly covering kids privacy like COPPA
Identify any regulatory guidance requiring parental consent or other protections for kids
• E.g., the Privacy Commissioner in Canada says that kids under 13 require parental consent
• The New Zealand Privacy Commissioner says that kids who are too young need to be represented by an adult
Laws governing the age to consent to a contract are also important, particularly in the absence of a privacy law directly governing kids privacy/parental consent
Key Steps for a Global Launch (cont’d)
Determine overall approach for compliance
• Global approach (e.g., COPPA compliance worldwide, with tweaks)
• Regional approach (e.g., EU-wide policies and procedures)
• Country-by-country approach
Determine other requirements for launch
• Age to enter into a binding contract (varies by jurisdiction; parent’s consent may be needed)
• Whether certain rights must be given to parents (e.g., rights of access/deletion)
• Security requirements
• Local laws on anti-sextortion, anti-grooming, anti-sexting, cyber-bullying/harassment, displaying obscene/inappropriate content, etc.
Questions?
Meredith Halama | Washington, D.C. | [email protected] | (202) 654-6303
Mark Watts | [email protected] | +44 (0)20 7400 8343