Verifiable Parental Consents – CCPA Collides with COPPA

00:01

Welcome everyone. Toe lesson 5.3

00:04

as we review verifiable parental consent what those mechanisms are and how the CCP A collides with the Children's Online Privacy Protection Act,

00:13

better known as coppa.

00:16

Our learning goals and objectives for this lesson will be first to review how regulators have shifted the burden for protecting Children over to businesses

00:25

that burden used to fall on families and even Children themselves.

00:29

That burden now falls on businesses.

00:32

We will discuss that

00:34

item number two.

00:35

We will review the technical and organizational controls for obtaining verifiable parental consent.

00:42

Then item number three,

00:43

We will conduct a risk based industry assessment on what industries are most likely to collect the personal information of Children.

00:51

Let's get into it now.

00:54

There are a couple general golden rules as it applies to the collection of the personal information of Children.

00:59

But it comes down essentially to this.

01:03

Businesses must take affirmative steps to ensure that they are complying with the CCP rules that apply to Children's information.

01:11

They cannot be passive about it.

01:12

Rule number one

01:15

businesses must take reasonable steps to ensure that the person authorizing consent for the sale of a child's data

01:21

is actually the parent.

01:23

Regulators are absolutely aware that Children at this point

01:26

are smart enough toe easily fake parental consent. And it has to be up to the business to ensure that the person that is consenting to the collection of a child's data and in the case of the CCP A to the transfer of the personal information to a third party

01:40

in order to effectuate the sale

01:42

is actually being consented to by a parent.

01:46

Businesses cannot turn a blind eye to the reasonableness of their consent mechanisms.

01:51

And that phrase blind eye is ripped directly from regulatory guidance both in Coppa as well as the C c p A.

01:57

I am mentioning coppa here on several occasions.

02:00

The reason for that is privacy advocates and the Legislature's behind the CCP A have mimicked the jurist students off Coppa.

02:09

That's why I keep mentioning it.

02:10

And the California Attorney general has also indicated he will enforce the CCP A in a similar fashion to Coppa. So we will take a lot of our cues from that regime that's been around for over 20 years now.

02:25

Coppa already had established five different pre approved methods for obtaining verifiable parental consent,

02:32

and these five pre approved mechanisms also apply to the C C p A.

02:38

And we will dissect each one here now

02:40

to begin.

02:42

The California attorney general has already approved parents completing and signing consent forms in order for personal information of their child to be sold to a third party.

02:52

This is obviously a more labor intensive mechanism to obtain parental consent.

02:57

However it is approved.

02:59

So if you are so inclined to deploy consent forms and ensure that they are being returned back to you before the sale of information goes to a third party,

03:07

feel free to do that.

03:09

Item number two.

03:10

And this is what I see most in my experience

03:14

using either a credit or debit card in order to effectuate the sale of the personal information.

03:21

The reason here basically, is

03:23

a child who is surfing through the Internet and at one point hits a roadblock where they need to use a credit or debit card.

03:29

Parents do review hopefully monthly their billing statements, and they will notice a merchant that they did not click on,

03:35

thus encouraging them to have a conversation with their child.

03:38

Why did you use my credit card.

03:40

The idea, basically, is that parents do have a constructive notice of their Children's activity

03:46

if they need to go through some sort of debit or credit card paywall.

03:50

And that's why it's a pre approved method of obtaining verifiable parental consent.

03:55

Another mechanism.

03:57

If you obtain a government, i d. From a parent

04:00

again, it's less likely for a child to be able to reach into mom or Dad's wallet and get either a driver's license or a passport.

04:06

And that is why that is a pre approved consent mechanism.

04:11

Number four.

04:13

There is no specific methodology for doing this, but a Siris of knowledge based challenge questions.

04:18

Usually these apply to historical events of some kind.

04:21

Who is this person? And it's a pop culture icon from decades past,

04:27

less likely that a child will be able to identify who that person is.

04:31

Lastly,

04:32

you need to be careful here. But

04:34

facial recognition technology, funnily enough, is actually a pre approved method for obtaining verifiable parental consent.

04:44

The technology is now at the point where it can recognize the age of someone's facial structure, thus ensuring that it is actually an adult clicking Yes and not a child

04:53

again.

04:54

These are the five ways you can obtain consent for selling personal information of a child over to a third party under the C c. P. A.

05:00

You need to use one of these five if you are going to move forward and sell the information of a child to a third party.

05:08

Otherwise you will be violating the c C p A.

05:14

Now

05:15

I know there's a bunch of businesses out there that might be saying to themselves, Okay, we don't really collect the information of Children. This doesn't really apply to us.

05:25

We have created for you an unofficial, risk based approach to identify where your industry sits, in the likelihood that you are going to come into contact with personal information of Children.

05:35

Let's start at the top.

05:36

Any company that works in real estate or is in the business to business space,

05:42

meaning that its revenue comes from other businesses.

05:45

Energy utilities as well.

05:46

It's very unlikely that you're going to come into contact with Children,

05:49

so you don't really need to worry about Coppa or the ccps child based provision

05:58

moving down the line here.

06:00

Anything in the banking, insurance or investment space is also generally deemed not to be an issue for the collection of Children's information.

06:08

Normally because in order to engage in that type of activity,

06:11

it is either required by law

06:14

or just practical circumstance

06:15

that an adult be engaging with your business. You rarely see Children investing in stocks, for example,

06:21

moving further down the line, the one that I've highlighted here.

06:26

This is actually capturing a significant amount of the market,

06:29

and this is goods and services that might be used by Children but aren't necessarily marketed to Children.

06:35

Social media is marketed to everyone

06:39

e commerce and retail again.

06:41

The idea is

06:43

anyone can buy something online. And the problem with those scenarios is that the company that is effectuating the sale

06:48

isn't 100% sure of who they're working with.

06:53

And this right here is where a lot of the CCP noncompliance as it relates to Children comes from

06:59

because businesses are underestimating the amount of Children's data that they are collecting.

07:04

If your company falls into this highlighted section here,

07:08

you do need to have an honest conversation internally about how much information you are collecting about Children.

07:14

I highly recommend data mapping data audits and also something called K Y C. It stands for Know your customer exercises

07:21

that helps a lot to identify who you're interacting with

07:27

at the bottom of the list here.

07:29

Goods designated for Children

07:30

At that point. Companies understand that they make money by targeting Children,

07:34

and they're most likely tohave a cop A or C C. P a compliance regime deployed.

07:39

Funny enough, those types of companies are actually less likely to get fine.

07:45

In summary, we've got to make sure here that the point is clear.

07:47

You cannot turn a blind eye to who is interacting with your company. Theeighties of visitors to your Web site.

07:54

All that stuff needs to be affirmatively reviewed by your internal team.

07:59

Why?

07:59

Because the burden now falls on the business to ensure that Children's information is not being collected.

08:05

If you do, however, find yourself in an instance where you want to continue selling the personal information of a child.

08:11

You must make sure that you are using one of the pre approved consent mechanisms.

08:15

Otherwise, the ban on selling will apply to you, and you will be violating the c c p. A.

08:20

Take a look at the risk based approach we pursued in the last slide toe. Identify where your company sits

08:26

that might help you in terms of building out of compliance. Regime.

08:28

As always,

08:30

audit your employer. If you believe that Children might be interacting with your company or your website, take a look at your privacy policy in the internal controls you have built

08:39

that completes module five.

08:41

We have a quick quiz question following up, but that summarizes everything you need to know about Children and privacy.