CCPA Rule Deviations for Children

Video Transcription
00:02
Welcome everyone to Lesson 5.2
00:05
as we review all of the rule deviations for children under the CCPA.
00:11
Our learning goals and objectives for Lesson 5.2.
00:14
First, we will review the unique CCPA rules that apply to children.
00:19
I'll let you know now, there are certain opt-in and opt-out provisions for children that you will not have heard of up until this point.
00:26
Then item number two.
00:28
There are additional privacy policy obligations that pertain to children.
00:32
I left those out in module four when we were discussing notice and transparency obligations.
00:37
Why?
00:38
Because I figured in this module we were going to discuss all things related to children.
00:43
There are additional privacy policy rules, and we'll talk about that
00:47
here now in Lesson 5.2.
00:52
Let's jump into it.
00:53
In module three, I mentioned that one of the rights that consumers now have under the CCPA is to opt out of the sale of their personal information to third parties.
01:03
That rule still exists,
01:06
however,
01:07
as it relates to children, there is an outright ban on selling.
01:11
A business cannot sell the personal information of anyone under the age of 16,
01:15
unless a parent has consented or, as the phrase goes, opted into that sale.
01:22
My friends, this is huge because this is the first time I have mentioned at any point during this course that a business needs to affirmatively build out a technical or organizational control to satisfy a CCPA privacy obligation.
01:37
Beforehand, it was just including stuff in your notice and privacy policies,
01:41
or it was allowing consumers to opt out if they needed.
01:45
But this is opt in.
01:46
You need to go ahead and get the consent of the parents ahead of time.
01:49
And if you don't do that thing, you are suddenly suffering from CCPA noncompliance.
01:55
Please make sure that if your company does in fact come into contact with the information of children, that you are actually following through on these affirmative steps.
02:05
On the subject of companies that interact with children,
02:07
there is a rule built into the CCPA.
02:10
A business that willfully, and that's the term under the extent of the law, willfully disregards the consumer's age shall be deemed to have had actual knowledge of the consumer's age.
02:21
We cannot put our heads in the sand, as we saw under the COPPA YouTube Google settlement from this summer.
02:27
Google and YouTube were not able to use the excuse that they didn't know the age of the visitors to their website as a defense against the COPPA settlement.
02:36
The same rule is going to apply here under the CCPA.
02:39
You do need to perform basic data inventories, data mapping exercises to identify the age of the individuals who use your products, who buy your services, who visit your company's website and whose information you collect.
02:53
This is the moment to take out a pen and paper.
02:55
You likely have an action item for you here if you collect the personal information of children.
03:01
There is an interesting technicality built into the CCPA, reflecting how growing minds do eventually view the world differently with each passing day, month and year.
03:12
Children who, funny enough, are the age of 13, 14 or 15 can provide their own opt-in consent to sell it.
03:20
The rule again
03:21
is if a child is under the age of 16, you do need to obtain parental consent,
03:27
but if the child is 13, 14 or 15,
03:30
you can get the child's consent too.
03:32
The parent's is just as good, but you can also get the child's consent.
03:38
To keep ourselves organized, I thought it would be helpful to build out a timeline here.
03:44
For a child who's age 0 to 12, you cannot sell the personal information of that child without the opt-in consent of the parent.
03:52
If a child is 13, 14 or 15, essentially a teenager,
03:57
you cannot sell the personal information without the opt-in consent of either the parent or the child. Either will do.
04:04
Then 16-year-olds and 17-year-olds, for the purposes of the CCPA, are treated the same way that adults are.
04:12
Now,
04:13
it's important to note that I'm using phrases like consent and opt-in,
04:16
but this is for the opting into the sale of personal information to third parties.
04:21
There are other consent obligations as it relates to the mere collection of the personal information of children that exist.
04:29
The GDPR has a huge array of consent obligations that exist
04:32
that your company might be subject to,
04:35
and if you are a USA-only company, COPPA also has a huge array of consent and opt-in obligations as it relates to children.
04:44
So please do not lose track of that.
04:46
This is a course on the CCPA, but there are other regimes out there that your business is likely subject to.
04:51
So I felt like I had to mention it.
04:55
Okay,
04:56
there are additional obligations, as I mentioned at the outset of this lesson that you need to put into your privacy policy.
05:01
There's five of them.
05:03
Let's run through them now.
05:05
Number one.
05:06
If you genuinely believe that your company is
05:10
by its nature, not designed to interact with the personal information of children,
05:15
you could actually declare in your privacy policy that the goods and services that you sell are not directed to children under the age of 13.
05:23
But
05:24
you do need to be careful with that approach because you do need to actually put some thought into it.
05:30
There's an exercise called a privacy impact assessment,
05:33
PIA,
05:34
that you can conduct to identify whether you are collecting the personal information of children.
05:41
We'll get to that in module eight.
05:43
Just please be aware of that. But you should include a declaration of some kind if you believe that your information that you are collecting is usually not within the scope of children.
05:54
Item number two.
05:56
You need to declare in your privacy policy the categories of personal information that your business collects regarding children under the age of 13.
06:04
If you are at this step, this likely means that you understand that your company does, in fact, collect some information that belongs to children.
06:12
You need to outline the categories.
06:15
In module four, I identified that you also need to put in the categories of personal information of anyone that you collect.
06:23
You also need to separately declare categories of personal information for children.
06:29
Item three.
06:30
The privacy policy needs to explain or even include a mechanism that a parent can use in order to exercise consent or to opt into the collection.
06:40
That's where they will do it: in the privacy policy, or somewhere the privacy policy will redirect them to.
06:46
Item number four.
06:48
If your website or if your service has certain age-gating controls,
06:54
you need to declare that in the privacy policy.
06:56
That will help parents understand the nature of your services a little better.
07:00
If you want to know more, feel free to look at any mature company's privacy policy,
07:04
you are going to notice that they are declaring age-gating controls. Just pick a random video game company or another company along those lines, and you'll see it.
07:14
Item number five.
07:15
Now we'll get to this one in the next lesson. But there are exercises called VPCs,
07:20
verifiable parental consent.
07:24
And those are the items that individuals, ideally the parent or guardian, can use to make sure that it is actually the parent that's consenting and not a tech savvy child that's playing with Mom or Dad's phone.
07:35
In summary,
07:38
there are specific opt-ins and opt-outs that will govern the collection of personal information of children. Again, this is only in the context of selling,
07:46
not mere data collection.
07:47
You need to go back to COPPA or GDPR if that's your issue.
07:50
There's also additional privacy policy obligations that you need to include in your notice and disclosure, so please keep an eye on that.
07:58
Then item number three.
08:00
I think the best way to learn this is to actually review a real privacy policy,
08:05
so audit your employer. See if they include these additional protections.
08:09
That summarizes everything in Lesson 5.2,
08:13
and I'll see you in the next lesson.