Children

The Article 29 Working Party (WP29) has published long-awaited draft guidance on transparency and consent under the General Data Protection Regulation (“GDPR”).  We are continuing to analyze the lengthy guidance documents, but wanted to highlight some immediate reactions and aspects of the guidance that we think will be of interest to clients and other readers of InsidePrivacy.  The draft guidance is open for consultation until 23 January 2018.
Continue Reading EU Regulators Provide Guidance on Notice and Consent under GDPR

Earlier this week, the Federal Trade Commission and Department of Education announced plans to hold a joint workshop on the application of the Children’s Online Privacy Protection Act (“COPPA”) and the Family Educational Rights and Privacy Act (“FERPA”) to educational technology products and services in the K-12 school environment.  In advance of the workshop, the FTC and Department of Education are soliciting comments on several key questions regarding COPPA and FERPA compliance for educational technology providers.  This is a valuable opportunity for Ed Tech providers to provide feedback to both agencies on the practical application of COPPA and FERPA in this arena.
Continue Reading FTC and Department of Education Announce Joint Workshop on FERPA and COPPA Compliance for Ed Tech

A European Parliament policy department has released a report, entitled Big Data and Smart Devices and Their Impact on Privacy, that criticizes the lack of focus on privacy and data protection in the European Commission’s “Digital Single Market” policy agenda, noting a “conflicting” intersection between the Commission’s Digital Single Market objectives and the EU’s efforts, now in their hopefully final stages, to reform the EU’s general legislation around the protection of personal information.
Continue Reading EU Parliament Policy Report Takes Dim View of EU Commission’s “Pro-Market” Policies on Big Data and Smart Devices

State legislators have recently passed a number of bills that impose new data security and privacy requirements on companies nationwide. The laws include new data breach notification requirements, marketing restrictions, and data destruction rules. Below is an overview of the new laws and amendments that will go into effect on January 1, 2015.
Continue Reading New State Privacy Laws Go Into Effect on Jan. 1, 2015

The Federal Trade Commission (“FTC”) announced on Thursday, September 4 that Google has agreed to settle charges and refund no less than $19 million to consumers whose children were allegedly deceived into making mobile purchases through the Android app store.

Google offers thousands of apps for free or a specific dollar amount through its Google Play Store, which is preloaded on Android mobile devices.  In many children’s game apps, after installation, children may purchase virtual items within an app — “in-app charges.”Continue Reading Google to Refund Consumers at Least $19 Million to Settle FTC Complaint It Unlawfully Billed Parents for Children’s Unauthorized In-App Charges

The staff of the Federal Trade Commission (“FTC”) has released updated guidance on how the Children’s Online Privacy Protection Act (“COPPA”) and its implementing regulations apply to schools and educational online services through revisions to the Frequently Asked Questions (“FAQS”) that are published on the FTC website.  For a comparison between the old and new school FAQs, please click here.  The FAQs constitute informal guidance, but they are useful for understanding how FTC staff interprets COPPA’s application in different contexts.  Here is a brief summary:

  • The revised FAQs do not change the circumstances under which schools can provide verifiable parental consent on behalf of parents, that is, when an operator collects personal information from students “for the use and benefit of the school, and for no other commercial purposes.”  Examples of prohibited commercial purposes include online behavioral advertising and “building user profiles for commercial purposes not related to the provision of the online service” to the school.
  • While the prior FAQs noted that, in such circumstances, operators should provide schools with robust notice about their data collection, use, and sharing practices, the revised FAQs suggest that these disclosures should track the direct notice requirements outlined in the COPPA Rule.  In COPPA FAQ M.1, FTC staff explains that “the operator must provide the school with all the required notices.”

Continue Reading FTC Staff Updates Guidance on “COPPA and Schools” Through Revised FAQs

The Center for Digital Democracy (“CDD”) recently filed requests for investigation with the Federal Trade Commission (“FTC”) claiming that Marvel Entertainment and Sanrio Digital failed to comply with the Children’s Online Privacy Protection Act’s (“COPPA”) notice and consent requirements. 

  • Marvel.  The Marvel filing alleges that Marvelkids.com is a child-directed website that collects personal information,

The Federal Trade Commission (“FTC”) recently approved a new method of verifiable parental consent — knowledge-based authentication (“KBA”) — as consistent with the requirements of the Children’s Online Privacy Protection Act (“COPPA”).  COPPA generally requires operators of websites or online services that are directed to children under 13 or that have actual knowledge that they

The California legislature has enacted a flurry of privacy-related laws over the past few months.   Still more bills are pending.  This post provides a brief overview of new privacy laws enacted in California in 2013, including measures that will become effective on January 1, 2014.  For a more detailed look at some of these key laws, please see our recent client alert

  • A.B. 370 “Do-Not-Track” Amendment to California Online Privacy Protection Act (effective Jan. 1, 2014).  The California Online Privacy Protection Act (“CalOPPA”) requires that operators of commercial websites and online services that collect personal information conspicuously post a privacy policy disclosing certain information.  This amendment requires operators to further disclose (1) how they respond to “do-not-track” signals or “other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information,” and (2) whether they allow other parties to collect personally identifiable information when a consumer uses the operator’s service.  An operator may satisfy the first disclosure requirement by providing in its privacy policy a conspicuous link to a description of a program or protocol that offers consumers a choice regarding the collection of their personally identifiable information.
  • S.B. 46 Amendment to California’s Security Breach Notification Law (effective Jan. 1, 2014).  California’s existing breach notification law requires an entity to notify consumers following discovery of a data breach involving the unauthorized acquisition of “personal information.”  The law defines “personal information” as an individual’s first name or initial and last name in combination with one or more sensitive data elements, such as Social Security number, financial account number, or medical information.  This amendment expands the definition of “personal information” to include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account,” regardless of whether name and/or other sensitive data elements are breached.

Continue Reading Roundup of Recently Enacted Privacy Legislation in California; Some Measures Will Become Effective on January 1, 2014