Children's Online Privacy Protection Act of 1998

Time
7 hours 2 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
00:00
>> Hello everyone,
00:00
>> I want to welcome you back to the course.
00:00
>> I'm Chris and I'm Cybrary's instructor
00:00
>> for its US information privacy course.
00:00
>> We're going to continue
00:00
our discussion on important laws
00:00
>> that apply to children online privacy
00:00
>> and educational privacy, and in Lesson 8.3,
00:00
>> we're going to look at
00:00
the Children's Online Privacy Protection Act of 1998
00:00
>> as amended and we'll also look at the COPPA rule.
00:00
>> You may have seen recently in the press
00:00
>> or as you are watching the news that
00:00
>> the Federal Trade Commission that has
00:00
both rulemaking and oversight over COPPA
00:00
had reached an agreement with
00:00
YouTube regarding potential violations of COPPA
00:00
and really what it was was those content providers
00:00
that post content to YouTube itself
00:00
were engaging in practices
00:00
that [inaudible] to themselves oftentimes
00:00
that collected information from children
00:00
>> under the age of 13 without parental consent.
00:00
>> This is a law that the FTC enforces aggressively.
00:00
You might have also seen the settlement that it
00:00
had with Oath regarding this violation of COPPA,
00:00
the self in which led to a fine of $4.95 million,
00:00
which is the highest fine to date under COPPA.
00:00
We have several learning objectives.
00:00
First, we're going to talk about COPPA the act,
00:00
and then we're going to talk about COPPA's rule.
00:00
Let's talk about the act.
00:00
Those web owners and operators
00:00
>> that are collecting information from children
00:00
>> under the age of 13 must comply with this law.
00:00
When COPPA says that again
00:00
before they can collect that information,
00:00
they're supposed to have
00:00
>> parental legal guardian consent.
00:00
>> They're supposed to give notice
00:00
to those legal guardians
00:00
>> and parents of when information is
00:00
>> being collected, how it's being used,
00:00
with whom it's being shared,
00:00
for what purpose, it has to state,
00:00
what their rights are to access and review
00:00
that information and then upon request,
00:00
they can also request that their information be deleted
00:00
>> and no further information is collected.
00:00
>> It also states that, again,
00:00
these web owners and operators must respect
00:00
the rights of these parents and legal guardians.
00:00
Now, as the FTC that enforces COPPA,
00:00
it has both enforcement
00:00
>> and rulemaking authorities over this law.
00:00
>> Next, we're going to talk about
00:00
the rule and the rule was important.
00:00
It gives explicit guidance to
00:00
these web owners and
00:00
web operators that must comply with COPPA.
00:00
We're talking about websites or
00:00
online services that directly collect
00:00
information from children under the age of
00:00
13 or use targeted
00:00
advertising to collect that information,
00:00
or those websites or online services that allow others
00:00
to operate on their websites
00:00
>> or online services that collect information.
00:00
>> Or if they have websites
00:00
or online services directed towards a general audience,
00:00
but they all know that again,
00:00
there's the possibility that they might
00:00
collect personal information from
00:00
children under the age of 13,
00:00
they have to comply with COPPA, this rule.
00:00
Now, when we talk about personal information,
00:00
we're talking about a name,
00:00
it could be address itself,
00:00
street name or town,
00:00
it could be device identifiers, screen names,
00:00
usernames, instant messaging name,
00:00
Social Security, photos, video,
00:00
audio files not containing
00:00
a child's image or voice, geolocation, or data.
00:00
All of that is considered as personal information
00:00
>> under the act and under the rule.
00:00
>> Now, we talked about that before,
00:00
a company can collect information
00:00
from these children that they have to have
00:00
parental consent and currently that they
00:00
have their own privacy policy and
00:00
their privacy policy has to have a list of
00:00
all the operators that could
00:00
potentially collect personal information,
00:00
has to provide a description of
00:00
the personal information collected on
00:00
these children and how that company plans to use it,
00:00
has to have a description of the parental rights.
00:00
It also requires that these companies then provide
00:00
notice to the parents before
00:00
collecting their personal information
00:00
and those privacy notices must tell
00:00
the parents that they're collecting
00:00
information for the purpose of getting their consent,
00:00
that they want to
00:00
collect personal information from their child,
00:00
but they require their consent
00:00
before they can collect it,
00:00
use it, or disclose the information.
00:00
They have to tell them the detailed information,
00:00
personal information they're going to collect,
00:00
to who they might disclose
00:00
it and they have to have a link
00:00
>> to their online privacy policy
00:00
>> and they have to list how their parent
00:00
>> could give their consent,
00:00
withdraw their consent and if they were to do that,
00:00
but the parent doesn't respond
00:00
>> with consent in a reasonable time,
00:00
>> then the company itself
00:00
>> must delete that information from its records.
00:00
>> When we talk about verifiable consent,
00:00
there are acceptable methods under COPPA.
00:00
They can have the parents sign a consent form
00:00
>> and send it back to the company using fax,
00:00
>> mail or electronic scans.
00:00
They can use a credit card, debit card,
00:00
or some other type of online payment system,
00:00
that provides notification
00:00
>> for each of those separate transactions.
00:00
>> They can have the parent call a toll-free number staffed
00:00
by the company's trained personnel and COPPA.
00:00
Or they can have a parent or legal guardian
00:00
contact the company via video conferencing
00:00
>> and talk to those trained persons.
00:00
>> The parents can provide a copy,
00:00
a form of government issued ID, driver's licenses,
00:00
passport information that they
00:00
can check against the database,
00:00
and then as the response to that company
00:00
>> to leave that information once
00:00
>> it finishes that verification process.
00:00
>> They can have mass or series of
00:00
knowledge-based challenge questions that
00:00
someone else would have difficulty in answering.
00:00
Or they can verify a picture of a driver's license
00:00
or some other type of government issued photo ID,
00:00
then compare that photo against a second photo
00:00
submitted by the parent use
00:00
of facial recognition technology,
00:00
but they must give notice of that.
00:00
Parents have rights.
00:00
>> Parent asks, the company must give them a way
00:00
>> to review their child's personal information,
00:00
>> give them a way to revoke their consent,
00:00
and also to refuse future collection of
00:00
their child's information
00:00
>> and delete that information upon request.
00:00
>> COPPA also requires these companies
00:00
themselves to ensure that
00:00
they're protecting the confidentiality,
00:00
security, and integrity of
00:00
this personal information collected from the children.
00:00
Again, using those fair information practice principles
00:00
>> that we talked about.
00:00
>> Collection limitation, purpose specification,
00:00
individual participation, openness, accountability,
00:00
to ensure that they are compliant with COPPA
00:00
>> and ultimately, they're only supposed to retain
00:00
>> that information for long,
00:00
as long as it has a legal or legitimate purpose
00:00
and then afterwards they're supposed
00:00
to dispose of that information
00:00
>> when it no longer has that legal or legitimate purpose.
00:00
>> Now Question 1 asks,
00:00
COPPA protects children at what age
00:00
>> from having their personal information
00:00
>> collected without parental consent?
00:00
The answer was A.
00:00
Question 2 asks,
00:00
which of the following covered entities
00:00
must comply with COPPA's provisions?
00:00
The appropriate answers are A, B, C,
00:00
and D. Question 3 asks,
00:00
COPPA defines a child's personal information as what?
00:00
The answers are A, B, C, and D.
00:00
>> I encourage you as privacy professionals
00:00
>> to read and review the COPPA rule.
00:00
>> It identifies other identifiers
00:00
>> as personal information.
00:00
>> Question 4 asks, under COPPA,
00:00
a covered entity's privacy policy must
00:00
include which of the following choices?
00:00
The answers are A, B, and C.
00:00
>> Question 5 asks,
00:00
>> a parent's ongoing rights under COPPA include?
00:00
The answers are B, C, and D.
00:00
>> Congress enacted COPPA in 1988 to really
00:00
>> provide rid of privacy protections to children,
00:00
ensure that these web owners
00:00
>> and web operators, online services
00:00
>> weren't using child-directed advertising
00:00
>> and other methods to collect information
00:00
>> on these children under the age of 13 without consent.
00:00
>> The FTC promulgated its rule to provide
00:00
further guidance to web owners
00:00
>> and web operators on how they might
00:00
>> best comply with the act and the rule
00:00
>> and it is the FTC that enforces
00:00
>> both COPPA the act and COPPA the rule.