Verifiable Parental Consents – CCPA Collides with COPPA
Welcome, everyone, to lesson 5.3, as we review verifiable parental consent, what those mechanisms are, and how the CCPA collides with the Children's Online Privacy Protection Act, better known as COPPA.
Our learning goals and objectives for this lesson will be, first, to review how regulators have shifted the burden for protecting children over to businesses. That burden used to fall on families and even children themselves. That burden now falls on businesses. We will discuss that.
Item number two: we will review the technical and organizational controls for obtaining verifiable parental consent.
Then, item number three: we will conduct a risk-based industry assessment on what industries are most likely to collect the personal information of children.
Let's get into it now.
There are a couple general golden rules as it applies to the collection of the personal information of children. But it comes down essentially to this: businesses must take affirmative steps to ensure that they are complying with the CCPA rules that apply to children's information. They cannot be passive about it.
Rule number one: businesses must take reasonable steps to ensure that the person authorizing consent for the sale of a child's data is actually the parent.
Regulators are absolutely aware that children at this point are smart enough to easily fake parental consent. And it has to be up to the business to ensure that the person that is consenting to the collection of a child's data, and in the case of the CCPA to the transfer of the personal information to a third party in order to effectuate the sale, is actually being consented to by a parent.
Businesses cannot turn a blind eye to the reasonableness of their consent mechanisms. And that phrase, blind eye, is ripped directly from regulatory guidance, both in COPPA as well as the CCPA.
I am mentioning COPPA here on several occasions. The reason for that is privacy advocates and the legislatures behind the CCPA have mimicked the jurisprudence of COPPA. That's why I keep mentioning it. And the California Attorney General has also indicated he will enforce the CCPA in a similar fashion to COPPA. So we will take a lot of our cues from that regime that's been around for over 20 years now.
COPPA already had established five different pre-approved methods for obtaining verifiable parental consent, and these five pre-approved mechanisms also apply to the CCPA. And we will dissect each one here now.
The California Attorney General has already approved parents completing and signing consent forms in order for personal information of their child to be sold to a third party. This is obviously a more labor-intensive mechanism to obtain parental consent. However, it is approved. So if you are so inclined to deploy consent forms and ensure that they are being returned back to you before the sale of information goes to a third party, feel free to do that.
Item number two, and this is what I see most in my experience: using either a credit or debit card in order to effectuate the sale of the personal information.
The reason here, basically, is a child who is surfing through the Internet and at one point hits a roadblock where they need to use a credit or debit card. Parents do review, hopefully monthly, their billing statements, and they will notice a merchant that they did not click on, thus encouraging them to have a conversation with their child: "Why did you use my credit card?"
The idea, basically, is that parents do have a constructive notice of their children's activity if they need to go through some sort of debit or credit card paywall. And that's why it's a pre-approved method of obtaining verifiable parental consent.
If you obtain a government ID from a parent, again, it's less likely for a child to be able to reach into Mom or Dad's wallet and get either a driver's license or a passport. And that is why that is a pre-approved consent mechanism.
There is no specific methodology for doing this, but a series of knowledge-based challenge questions. Usually these apply to historical events of some kind. Who is this person? And it's a pop culture icon from decades past, less likely that a child will be able to identify who that person is.
You need to be careful here, but facial recognition technology, funnily enough, is actually a pre-approved method for obtaining verifiable parental consent. The technology is now at the point where it can recognize the age of someone's facial structure, thus ensuring that it is actually an adult clicking "Yes" and not a child.
These are the five ways you can obtain consent for selling personal information of a child over to a third party under the CCPA. You need to use one of these five if you are going to move forward and sell the information of a child to a third party. Otherwise you will be violating the CCPA.
I know there's a bunch of businesses out there that might be saying to themselves, "Okay, we don't really collect the information of children. This doesn't really apply to us." We have created for you an unofficial, risk-based approach to identify where your industry sits in the likelihood that you are going to come into contact with personal information of children.
Let's start at the top.
Any company that works in real estate or is in the business-to-business space, meaning that its revenue comes from other businesses. Energy utilities as well. It's very unlikely that you're going to come into contact with children, so you don't really need to worry about COPPA or the CCPA's child-based provision.
Moving down the line here, anything in the banking, insurance or investment space is also generally deemed not to be an issue for the collection of children's information. Normally because, in order to engage in that type of activity, it is either required by law or just practical circumstance that an adult be engaging with your business. You rarely see children investing in stocks, for example.
Moving further down the line, the one that I've highlighted here. This is actually capturing a significant amount of the market, and this is goods and services that might be used by children but aren't necessarily marketed to children. Social media is marketed to everyone. E-commerce and retail again. The idea is anyone can buy something online. And the problem with those scenarios is that the company that is effectuating the sale isn't 100% sure of who they're working with.
And this right here is where a lot of the CCPA noncompliance as it relates to children comes from, because businesses are underestimating the amount of children's data that they are collecting.
If your company falls into this highlighted section here, you do need to have an honest conversation internally about how much information you are collecting about children. I highly recommend data mapping, data audits, and also something called KYC. It stands for Know Your Customer exercises. That helps a lot to identify who you're interacting with.
At the bottom of the list here: goods designated for children. At that point, companies understand that they make money by targeting children, and they're most likely to have a COPPA or CCPA compliance regime deployed. Funny enough, those types of companies are actually less likely to get fined.
In summary, we've got to make sure here that the point is clear. You cannot turn a blind eye to who is interacting with your company. The ages of visitors to your website, all that stuff needs to be affirmatively reviewed by your internal team, because the burden now falls on the business to ensure that children's information is not being collected.
If you do, however, find yourself in an instance where you want to continue selling the personal information of a child, you must make sure that you are using one of the pre-approved consent mechanisms. Otherwise, the ban on selling will apply to you, and you will be violating the CCPA.
Take a look at the risk-based approach we pursued in the last slide to identify where your company sits. That might help you in terms of building out a compliance regime.
That completes module five. We have a quick quiz question following up, but that summarizes everything you need to know about children and privacy.
I'll see you in the next video.