The Why and How of Privacy Policies

By: Jake Younts

Whenever you’ve used a new website or piece of software, it’s likely that you’ve had to agree to terms and conditions. You’ve probably also been asked separately to agree to the privacy policies of companies. A privacy policy is a useful way to alert customers as to what they can expect with their personal information. With rising concerns about data privacy among everyday consumers, having a privacy policy can be an important way of keeping your consumers informed and happy with your business.

Furthermore, depending on the industry or state you are operating in, some laws require businesses to post a privacy policy. Some laws apply to particular industries and may require your business to have a privacy policy, for example if you fall under HIPAA, handle significant financial information, or collect children’s information online. More information regarding some laws that can apply can be found here. Some states also require privacy policies. For example, California law requires that commercial websites have privacy policies posted on their websites.

This article will walk you through things to consider when drafting a privacy policy, but it will also go over things to keep in mind going into the future to avoid liability.

Drafting a Privacy Policy

Privacy policies should help consumers identify what information you will be collecting from them; what you will do with the information, including handling and storage; and what laws might be applicable to the policy. Best practices would also include adding how you obtain data and your reasons for collecting data.

You should define what kind of information you will collect from your clients. The kinds of information you collect also inform what laws apply to you. More information on personally identifiable information and the applicable laws can be found here. You should include exactly what types of information will be collected, such as credit card information, names or other personal identifiers, and any other information such as preferences or trends.

Example: When you register for our service you provide us with your name, birth date, and address. If you make purchases through our website, you will also be providing us with your credit card information. We also keep track of what purchases you make through our website in order to improve the quality of the services we provide you.

You also want to be clear about what your business will or can do with the collected information. If you will delete records at some point, make that clear. If the information will be used solely for internal purposes for records or facilitation, you should mention that too. If the information collected could be shared, you should list with whom and under what circumstances that information could be shared.

Your privacy policy should also include how your business will respond to related requests from your consumers, such as requests to not be tracked, and also how it will handle data breaches. For data breaches, you need to adhere to state and federal requirements, but being clear on your exact policy for when, how, and whom you will notify is important. For example, some states require notification only to a state agency, while others require consumer notification or both. You will want to determine any applicable requirements and incorporate them into your policy. You can find more information on data breach requirements here. Given the many differences in state law, you may wish to include specific sections in your privacy policy for certain states such as California.

Example: In the event of a data breach, we will investigate the extent of the breach. If our investigation identifies a likelihood that data that could be linked to consumers was compromised, then we will provide notification to the (insert relevant state agency) and to any users who are identified as being of risk.

Considerations to Keep in Mind

Once you’ve drafted and posted a privacy policy, you can’t just forget about your policy. You need to keep some things in mind if you want to best protect your interests and your consumers. Though consumers generally haven’t been able to successfully sue businesses based on their privacy policies, that doesn’t mean you are free to violate your own policy. The Federal Trade Commission (“FTC”) can and has acted against businesses that violated their own policy. As such, you should generally treat the policy as binding.

Additionally, if there is a major change in privacy law or you change your business model, you might think about amending your privacy policy. Generally, nothing prevents you from amending your privacy policy at will, assuming you comply with applicable law. However, if you change your policy, you need to give consumers notice of the change. You also should be careful about applying changes retroactively without proper notice and opportunity.

Changing privacy policies without notice can be an unfair or deceptive practice that can and does lead to action from the FTC, fines, and ameliorative action requirements. You should notify your customers in a way that makes sense for your business; typically, at least an email to users of your services will be warranted. Giving consumers time to review the changes and asking for their consent, even if consent is inferred from inaction, rather than applying the new policy automatically gives them a chance to object. Most consumers will likely pay little attention to the changes, but offering this opportunity lessens the chance of action from the FTC. Including language reserving the right to change your policies at any time can also help prevent suit by putting customers on notice that the policies can change. Regardless, giving notice to and getting consent from continuing customers when changing your policies is important for avoiding liability.

Conclusion

Ultimately, a privacy policy is an important tool for establishing your data handling procedures, informing your clients, and complying with the law. Many free templates exist online, but it will be in most businesses’ best interest to seek legal advice on crafting a custom privacy policy.

This post has been reproduced with the author’s permission. It was originally authored on March 29, 2021, and can be found here.


Jake Younts, at the time of this post, is a recent graduate of Penn State Dickinson Law and is originally from North Carolina. Jake has a background in Chemistry and a certificate in Business from the Kenan-Flagler Business School at UNC-Chapel Hill.

A Beginner's Guide to Complying with COPPA

By: Ashli Lyric Jones

As technology advances, children can access most websites, apps, and other technology with the click of a button. This access has given companies the ability to market directly to children. Companies such as YouTube, TikTok, and Apple have been successful at appealing to children and adults of all ages. But with great success comes great responsibility and restrictions, and this responsibility needs to be taken seriously. Note that Google and YouTube violated COPPA and had to pay $170M.

When it comes to the collection of personal information from children under 13, the Children’s Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission (FTC) enforces COPPA, which spells out what operators of websites and online services must do to protect children’s privacy and safety online. The following list should serve as a guide for businesses that must comply with COPPA.

Step 1: Determine if COPPA Applies to Your Business

Does your website or online service collect personal information from kids under 13? If so, it is likely that COPPA applies to you. To be more specific, you must comply with COPPA if you meet any of the following criteria:

  1. Your website or online service is directed to children under 13 and you collect personal information from them.
  2. Your website or online service is directed to children under 13 and you let others collect personal information from them.
  3. Your website or online service is directed to a general audience, but you have actual knowledge that you collect personal information from children under 13.
  4. Your company runs an ad network or plug-in, for example, and you have actual knowledge that you collect personal information from users of a website or service directed to children under 13.

The term “website” is defined broadly under COPPA. In addition to traditional websites, this Rule applies to:

  • mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads)
  • internet-enabled gaming platforms
  • plug-ins
  • advertising networks
  • internet-enabled location-based services
  • voice-over-internet protocol services
  • connected toys or other Internet of Things devices

Step 2: Post a Privacy Policy That Complies with COPPA

Once you have determined that COPPA applies to your business, the next step is to post a privacy policy that is clear and comprehensive. This notice must describe how personal information is being collected online from kids under 13 and how it is being used. The notice must also describe the practices of any other services collecting personal information on your site — for example, plug-ins or ad networks.

A link to your privacy policy should be included on your homepage and anywhere you collect personal information from children. Additionally, if you operate a site or service directed to a general audience, but have a separate section for kids, you must post a link to your privacy policy on the homepage of the kids’ part of your site or service.

Step 3: Notify Parents Directly About Your Data Collection Practices

Under COPPA, you are required to give parents “direct notice” of your information practices before collecting information from their kids. The notice must tell parents:

  • that you collected their online contact information for the purpose of getting their consent;
  • that you want to collect personal information from their child;
  • that their consent is required for the collection, use, and disclosure of the information;
  • the specific personal information you want to collect and how it might be disclosed to others;
  • a link to your online privacy policy;
  • how the parent can give their consent; and
  • that if the parent doesn’t consent within a reasonable time, you’ll delete the parent’s online contact information from your records.

Additionally, if you make a material change to the practices parents previously agreed to, you have to send an updated direct notice.

Step 4: Obtain Parents’ Verifiable Consent

COPPA lets you choose a reasonable method to obtain verifiable parental consent before collecting, using, or disclosing personal information from children. Parents must have the option of allowing the collection and use of their child’s personal information without agreeing to disclose that information to third parties.

If you make any changes to your practices for the collection, use, or disclosure of personal information from kids, you must send the parent a new notice and get their consent. Parents may revoke their consent at any time.

Step 5: Protect the Security of Kids’ Personal Information

When collecting any data, it is important to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. If you minimize what information you collect from children, it will be easier to protect kids’ personal information.

Conclusion

The FTC looks at a variety of factors to see if a site or service is directed to children under 13, such as the subject matter of the site or service, the use of animated characters or other child-oriented activities and incentives, the use of visual and audio content, the age of models, ads on the site or service that are directed to children, and the presence of child celebrities or celebrities who appeal to kids.

It is important to determine if COPPA applies to your business. If COPPA applies to your business, you must establish and publish a privacy policy. Next, you must notify parents directly about your data collection practices and obtain verifiable parental consent. Lastly, it is important to protect the security of kids’ personal information.

When COPPA was first drafted there was no YouTube, no Facebook, no TikTok, and no iPhone. With the advancements in technology occurring at a rapid pace, it is important to make sure you stay up to date with all of the changes regarding COPPA. You don’t want to be the next business to get fined.


This post was originally authored on March 18, 2020, and can be found here. Ashli Jones, at the time of this post, is a rising third-year law student at Penn State Dickinson Law. She is from Long Island, New York and is a graduate of Spelman College in Atlanta, Georgia. Ashli is pursuing a certificate in Entrepreneurship with an Intellectual Property and Technology concentration. She is interested in intellectual property within the entertainment law field. Ashli is the President of the Sports & Entertainment Law Society, Mentorship Chair for the Women’s Law Caucus, and Social Chair for the Black Law Students Association.
