CCPA Rule Deviations for Children
Welcome, everyone, to Lesson 5.2,
as we review all of the rule deviations for children under the CCPA.
Our learning goals and objectives for Lesson 5.2:
First, we will review the unique CCPA rules that apply to children.
I'll let you know now, there are certain opt-in and opt-out provisions for children that you will not have heard of up until this point.
Then item number two.
I left those out in module four when we were discussing notice and transparency obligations.
because I figured in this module we were going to discuss all things related to children,
here now in Lesson 5.2.
Let's jump into it
In module three, I mentioned that one of the rights that consumers now have under the CCPA is to opt out of the sale of their personal information to third parties.
That rule still exists,
As it relates to children, there is an outright ban on selling.
A business cannot sell the personal information of anyone under the age of 16,
unless a parent has consented or, as the phrase goes, opted in to that sale.
My friends, this is huge, because this is the first time I have mentioned at any point during this course that a business needs to affirmatively build out a technical or organizational control to satisfy a CCPA privacy obligation.
Beforehand, it was just including stuff in your notice and privacy policies,
or it was allowing consumers to opt out if they needed.
But this is opt in.
You need to go ahead and get the consent of the parents ahead of time.
And if you don't do that thing, you are suddenly suffering from CCPA non-compliance.
Please make sure that if your company does in fact come into contact with the information of children that you are actually following through on these affirmative steps.
On the subject of companies that interact with children,
there is a rule built into the CCPA.
A business that willfully (and that's the term under the extent of the law) willfully disregards the consumer's age shall be deemed to have had actual knowledge of the consumer's age.
We cannot put our heads in the sand. As we saw under the COPPA YouTube Google settlement from this summer,
Google and YouTube were not able to use the excuse that they didn't know the age of the visitors to their website as a defense against the COPPA settlement.
The same rule is going to apply here under the CCPA.
You do need to perform basic data inventories, data mapping exercises to identify the age of the individuals who use your products, who buy your services, who visit your company's website and whose information you collect.
This is the moment to take out a pen and paper.
You likely have an action item for you here if you collect the personal information of children.
There is an interesting technicality built into the CCPA, reflecting how growing minds do eventually view the world differently with each passing day, month and year.
Children who, funny enough, are the age of 13, 14 or 15 can provide their own opt-in consent to sell it.
The rule again
is if a child is under the age of 16, you do need to obtain parental consent,
but if the child is 13, 14 or 15,
you can get the child's consent too.
Parent's is just as good, but you can also get the child's consent.
To keep ourselves organized, I thought it would be helpful to build out a timeline here.
For a child who's age 0 to 12, you cannot sell the personal information of that child without the opt-in consent of the parent.
If a child is 13, 14 or 15, essentially a teenager,
you cannot sell the personal information without the opt-in consent of either the parent or the child; either will do.
Then 16-year-olds and 17-year-olds, for the purposes of the CCPA, are treated the same way that adults are.
It's important to note that I'm using phrases like consent and opt-in,
but this is for the opting in to the sale of personal information to third parties.
There are other consent obligations as it relates to the mere collection of the personal information of children that exist.
The GDPR has a huge array of consent obligations that exist
that your company might be subject to,
and if you are a USA-only company, COPPA also has a huge array of consent and opt-in obligations as it relates to children.
So please do not lose track of that.
This is a course on the CCPA. But there are other regimes out there that your business is likely subject to.
So I felt like I had to mention it.
There's five of them.
Let's run through them now.
If you genuinely believe that your company is
by its nature, not designed to interact with the personal information of children,
you do need to be careful with that approach because you do need to actually put some thought into it.
There's an exercise called a privacy impact assessment,
PIA,
that you can conduct to identify whether you are collecting the personal information of children.
We'll get to that in module eight.
Just please be aware of that. But you should include a declaration of some kind if you believe that your information that you are collecting is usually not within the scope of children.
Item number two.
If you are at this step, this likely means that you understand that your company does, in fact, collect some information that belongs to children.
You need to outline the categories.
In module four, I identified that you also need to put in the categories of personal information of anyone that you collect.
You also need to separately declare categories of personal information for children.
Item number four.
If your website or if your service has certain age gating controls,
that will help parents understand the nature of your services a little better.
You are going to notice that they are declaring age gating controls. Just pick a random video game company or another company along those lines, and you'll see it.
Item number five.
Now we'll get to this one in the next lesson. But there are exercises called VPCs,
verifiable parental consent.
And those are the items that individuals, ideally the parent or guardian, can use to make sure that it is actually the parent that's consenting and not a tech-savvy child that's playing with Mom or Dad's phone.
There are specific opt-ins and opt-outs that will govern the collection of personal information of children. Again, this is only in the context of selling,
not mere data collection.
You need to go back to COPPA or GDPR if that's your issue.
Then item number three.
So audit your employer, see if they include these additional protections.
That summarizes everything in Lesson 5.2,
and I'll see you in the next lesson.