Why is this so hard???
Why did I say that??

Famous last words. How many times has a company told you they would never sell your personal information, in order to get you to sign up, give them your name, your email, your phone number? It sounds great. Hey, I can trust those guys, they will protect my information. And the company is probably sincere when it says that to you.

The problem is that we live in the age of Big Data. For many companies, the most valuable asset they own is their database about their customers. Would Facebook have any value at all without all that information about you and your Facebook friends? Promises not to share or sell customer information can come back to bite your company in the ass. Don’t take my word for it. Just ask Radio Shack.

Radio Shack recently filed for bankruptcy, closing hundreds of stores nationwide. When it filed its bankruptcy petition, Radio Shack stated that it intended to sell customer records, along with other assets, to raise money to pay off its creditors. The Texas Attorney General filed an objection, and then a bunch of other state attorneys general and the Federal Trade Commission filed similar objections. They claimed that selling customer data would violate Radio Shack’s privacy policy, which contained a provision that consumers’ personally identifiable information would not be sold. To sell customer data, therefore, would violate the Texas Deceptive Trade Practices Act (and many similar state and federal laws), which prohibits false or deceptive practices in the conduct of trade or commerce.

The result of all this was that Radio Shack had to enter into an agreement with a number of parties, substantially limiting its ability to sell 117 million customer records. That’s 117,000,000 customer records. Instead of being able to sell the entire set of data, which would include credit and debit card information, transaction history, phone numbers, mailing addresses, and email addresses, Radio Shack has to destroy most of the data and can sell only a subset of the email addresses. And that subset of email addresses is also subject to various restrictions. Consequently, the data asset is of far less value to Radio Shack than originally anticipated.

This problem doesn’t just arise in bankruptcy cases. It could happen with a merger or acquisition, where a company’s database of customer information is an asset being transferred to a new owner. A poorly thought-out promise in the company’s privacy policy could substantially reduce the sale price, or even kill the sale outright.

The bottom line is, don’t make promises you may not want to keep. When creating a privacy policy, it’s important to preserve some room to include customer data as an asset being transferred in connection with the sale or change of ownership of the business. Failing to do so could substantially lower the value of your business, as well as open you up to lawsuits.

Online Privacy Rights for Minors

In a previous post, I wrote about a new California law addressing online privacy rights of minors. That law (California Business & Professions Code Sections 22580 through 22582), which took effect on January 1, 2015, does a couple of things. As I wrote in the previous post, the law restricts the kinds of products that can be marketed online to minors under the age of 18. The second thing the new law does is impose content-removal obligations on website and mobile app operators. That is the subject of this post. The law protects minors who live in California, but it applies broadly to websites and mobile apps located anywhere, if they have users located in California. Since California has more than 9 million residents under the age of 18, out-of-state website and mobile app operators cannot afford to assume that the law doesn’t reach them.

These new content-removal obligations apply to websites and mobile apps that are directed at minors, and also at any websites or mobile apps where the operator has actual knowledge that minors are using it. The operators of these websites and apps must permit minors who are registered users to remove or, if the operator prefers, request and obtain removal of, content or information posted by that registered user. The operator also must notify minors who are registered users that they have these content-removal rights, and provide clear instructions on how to go about getting content or information removed. The operator also has to notify the minors who are registered users that the removal does not ensure complete or comprehensive removal of the content or information.

The operator (or a third party) does not have to erase or eliminate the content or information in any of the following circumstances:

  1. If any other provision of state or federal law requires keeping that content or information.
  2. If the content or information was stored on or posted to the website or mobile app by a third party other than the minor, including content or information that was posted by the minor that the third party has republished or reposted.
  3. If the operator anonymizes the information posted by the minor, so that the minor cannot be individually identified.
  4. If the minor does not follow the instructions on how to obtain the removal of the content.
  5. If the minor has received some kind of compensation for posting the content.

An operator will be considered in compliance with its obligations if it makes the content no longer visible to registered users or the public, even if the content still remains on the operator’s servers. Also, the operator will be in compliance if it removes the content, and then the content remains visible because a third party has reposted it.

If you are operating a website or mobile app directed at minors, or if you know that minors are using your website or app, now is a good time to start implementing procedures to comply with this new law. You will need to set up a mechanism for minors to remove content themselves, or you will need a mechanism for minors to request that you remove the content. You will also need notice provisions. While you might try to implement these changes only with respect to minors who are in California, it may be easier to grant the same rights to minors no matter where they live. Finally, this new law will also require changes to your website’s (or app’s) terms of use and privacy policy.

Follow me on Twitter @PaulHSpitz


FTC Slaps Yelp on Children’s Online Privacy

You might think that only companies that operate websites directed at children need to worry about complying with COPPA, the Children’s Online Privacy Protection Act. A recent case involving Yelp, the online review site, however, shows that websites that aren’t specifically geared towards children need to worry about COPPA, too. Yelp recently reached an agreement with the Federal Trade Commission to settle charges that it had violated COPPA. Yelp agreed to pay $450,000 in civil penalties.

So what happened to bring the wrath of the FTC down on Yelp, every retailer’s favorite review site? The FTC claimed that Yelp had collected personal information from children over a four-year period that began when Yelp’s mobile app launched in 2009. According to the FTC, when users registered with the Yelp site and entered a date of birth showing that they were under the age of 13, Yelp collected the person’s name, e-mail address, and location. COPPA requires that prior to collecting such information from children under the age of 13, a website operator must notify the child’s parent or guardian and get the parent or guardian’s express consent. The FTC claimed that Yelp did not take these actions with respect to thousands of registered users, even though Yelp could tell from the registration information that they were triggering COPPA. The FTC also claimed that Yelp failed to implement or properly test its apps to ensure that children under the age of 13 could not register.

In addition to paying a $450,000 penalty, Yelp agreed to delete the information it had collected about children who had registered, and to comply with COPPA going forward.

Why is the Yelp case important? There are two reasons:

• First, the settlement shows that COPPA applies to mobile apps, in addition to conventional websites.
• Second, the case shows that website and app operators need to worry about COPPA, even if their site or app isn’t directed specifically at children. If your website or app is collecting personal information about users, you need to consider whether some of those users might be under the age of 13. If you are collecting information about children under the age of 13, COPPA applies. So you have two options at this point. You can develop COPPA compliance procedures, or you can implement software tools to block users under the age of 13 from registering and providing personal information. If you choose the second option, the block has to happen before any personal information is stored, and it has to be tested; according to the FTC, Yelp asked for a date of birth, could see that the user was under 13, and stored the name, e-mail address, and location anyway.
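The following is an added example of the second option, written for this page; it is not Yelp’s code and not anything the FTC has published. It assumes a hypothetical in-memory registration store and an opaque per-visitor session id, and it shows the two things the Yelp complaint turned on: the age check runs before any personal information is handed to the store, and the age arithmetic is tested on the cases that tend to be wrong (the day before a birthday, and a February 29 birth date). It also keeps only an opaque session id for refused sign-ups, so a child who hits Back and enters a different birthday is still refused, without anything about the child being collected.

```python
"""Added example: a COPPA-style age gate for a registration flow.

Illustrative code written for this page. The store, the session ids and the
'today' values are constructed stand-ins, not a real database or real users.
"""
from dataclasses import dataclass, field
from datetime import date

COPPA_AGE = 13  # COPPA applies to children under 13


def age_on(dob: date, today: date) -> int:
    """Whole years from dob to today.

    Comparing (month, day) tuples handles the day-before-birthday case and a
    Feb 29 birth date without ever constructing an invalid date; a child born
    on Feb 29 is treated as turning a year older on Mar 1 in non-leap years.
    """
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def is_coppa_child(dob: date, today: date) -> bool:
    return age_on(dob, today) < COPPA_AGE


@dataclass
class Registration:
    name: str
    email: str
    location: str


@dataclass
class RegistrationStore:
    """Constructed in-memory stand-in for a user database (hypothetical)."""
    users: list = field(default_factory=list)
    # Sessions that already answered the age screen as under 13. Only the opaque
    # session id is kept (no date of birth, no profile), which is enough to
    # recognise a retry without collecting anything about the child.
    blocked_sessions: set = field(default_factory=set)
    refused_under_13: int = 0  # aggregate counter, not a record per child


def register(store: RegistrationStore, session_id: str, dob: date, today: date,
             name: str, email: str, location: str):
    """Age-gate a sign-up. Returns the stored Registration, or None if refused.

    The ordering is the whole point: nothing about the user reaches the store
    until the age check has passed. A flow that writes the profile first and
    checks the birth date afterwards has already 'collected' under COPPA.
    """
    if dob > today:
        raise ValueError("date of birth is in the future")
    if session_id in store.blocked_sessions:
        return None  # Back button plus a new birthday does not reopen the gate
    if is_coppa_child(dob, today):
        store.blocked_sessions.add(session_id)
        store.refused_under_13 += 1
        return None
    record = Registration(name=name, email=email, location=location)
    store.users.append(record)
    return record


if __name__ == "__main__":
    store = RegistrationStore()
    today = date(2015, 3, 1)  # constructed 'current date' for the demo
    print(register(store, "s1", date(2004, 2, 29), today, "A", "a@example.com", "Austin"))
    print(register(store, "s2", date(2001, 6, 15), today, "B", "b@example.com", "Boston"))
    print(store.refused_under_13, len(store.users))
```

The age screen that feeds `register` should be neutral (ask for a date of birth, not “are you 13 or older?”), and the one-answer-per-session behaviour mirrors the session-cookie approach the FTC’s own COPPA guidance suggests for stopping a child from back-buttoning to a different age. Neither of those is a substitute for the parental notice and consent path if you decide to accept children under 13.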


Children’s Online Privacy Compliance – Part 2

In my last post, I discussed how to determine if your website or mobile app collects personal information from children under the age of 13, which would make it subject to the Children’s Online Privacy Protection Act (COPPA). In today’s post, I’ll discuss posting a privacy policy that complies with COPPA. Such a policy has to clearly describe how personal information collected from children under age 13 is handled. Not only must this privacy policy describe how you handle the information, it has to describe the information handling practices of others that collect personal information through your site or app (such as plug-in services or advertising networks).

In a previous post, I discussed general principles for privacy policies. For example, you should provide a prominent link to your privacy policy on your website, ideally using a larger font or different color. Companies subject to COPPA need to go further, by posting a link to the privacy policy wherever they collect personal information from children under the age of 13. For example, if your website is designed for a general audience, but you have a separate section for kids, there should be a link to the privacy policy on the homepage, as well as on the main page for the kids’ section.

To comply with COPPA, your privacy policy must include three things:

  1. A list of all operators collecting personal information;
  2. A description of the personal information collected and how it is used; and
  3. A description of parental rights.

List of Operators

You will need to provide a list of all operators, including third parties, that collect personal information from kids. The list must include the name and contact information for each operator. If you have several operators collecting information, you can provide contact information for only one, as long as that operator agrees to respond to all inquiries from parents about your site or service’s practices. You will still have to list the names of all the other operators, however.

Description of Personal Information Collected

The policy must also describe:

  • The types of personal information collected from children (such as name, address, e-mail address, hobbies, etc.)
  • How the information is collected (for example, is it collected actively by filling out a form, or passively, through cookies?)
  • How the information will be used (marketing to the child, notifying winners of contests, allowing the child to make information publicly available through a forum or chat room, etc.)
  • Whether any personal information is disclosed to third parties, and if so, what kinds of third parties and how they use the information.

Description of Parental Rights

Finally, the policy must describe the rights parents have with respect to your collection of personal information:

  • That you won’t require a child to disclose any more information than is reasonably necessary to participate in an activity
  • That parents can review their child’s personal information, and direct you to delete it, and refuse to allow any further collection or use of personal information from their child
  • That parents can agree to the collection and use of their child’s personal information, but still refuse to allow disclosure to third parties unless that is a part of the service (for example, social networks)
  • The procedures parents need to follow to exercise these rights.

As the various requirements for a privacy policy show, you must put a great deal of thought into how your website or service operates, in order to make the proper disclosures. In addition, there is a substantial amount of programming involved, so that parents can properly exercise their rights to delete personal information or limit its collection and use.

In the next installment, I will discuss the issues of parental notification and consent.


Children’s Online Privacy Compliance – Part 1

Today I start a multi-part series on compliance with the Children’s Online Privacy Protection Act, commonly known as “COPPA.” COPPA is a federal law governing the online privacy rights of children under the age of 13, passed in 1998 and updated in 2013. The Federal Trade Commission is the federal agency with enforcement authority under COPPA. This installment will discuss how to determine if your company has a website or online service that collects personal information from children under the age of 13 (for clarity’s sake, we will call these children “COPPA Kids,” to distinguish them from children ages 13 and up). Future installments will cover the requirements of a COPPA-compliant privacy policy, parental notification requirements, parental consent requirements, and reasonable procedures to protect the security of COPPA Kids’ personal information.

How do you know if your company has a website or online service that collects personal information from COPPA Kids? Start by asking four questions:

1. Is your website or online service directed at COPPA Kids and you collect personal information from them?

2. Is your website or online service directed at COPPA Kids and you let others collect personal information from them?

3. Is your website or online service directed to a general audience, but you actually know that you collect personal information from COPPA Kids?

4. Is your company running an ad network or plug-in, or a similar type of service, and you actually know that you collect personal information from users of a website or online service directed at COPPA Kids? (this makes you one of the “others” referred to in Question 2).

If the answer to any of the four questions is yes, your company is subject to COPPA.

Let’s break it down a little further. First, you will notice that I used the phrase “website or online service” several times. COPPA and the FTC define this phrase very broadly. It includes:

  • Standard websites, obviously, and this being 2014, you should know what they are
  • Mobile apps that send or receive information online, such as network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads
  • Internet-enabled game platforms
  • Plug-ins
  • Advertising networks
  • Internet-enabled location-based services
  • Voice-over-internet-protocol (VoIP) services

Next, how do you know if your site or service is directed at COPPA Kids? The FTC will look at a variety of factors to decide if a website or online service is directed to COPPA Kids. Factors could include one or more of the following:

  • the subject matter of the website or service, 
  • visual and audio content, 
  • the use of animated characters,  
  • the use of child-oriented activities and incentives, 
  • the age of models, 
  • the use of child celebrities or celebrities who appeal to kids (that includes you, Justin Bieber, and you too, Katy Perry), 
  • ads directed to children, and 
  • other evidence about the age of the actual or intended audience.

What are the kinds of “personal information” that might trigger COPPA? Some items are pretty obvious, while others should get your immediate attention:

  1. Full name 
  2. Home or other physical address, including street name and city 
  3. Online contact information, such as an email address or other identifier that permits someone to contact a person directly – these include instant messaging (IM) names, VoIP names, and video chat names
  4. Screen name or user name where it functions as online contact information
  5. Telephone number
  6. Social Security number
  7. A persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, IP address, processor or device serial number, or a unique device identifier
  8. A photo, video, or audio file containing a COPPA Kid’s image or voice
  9. Geolocation information sufficient to identify a street name and city
  10. Other information about the COPPA Kid or parent that is collected from the child and combined with one of these other identifiers

Finally, what does it mean to “collect”? First, you are collecting personal information if you request, prompt, or encourage the submission of such information, even if it is optional. Second, you are collecting if you let information be made publicly available (for example, an open chat or posting function), unless you take reasonable measures to delete all or virtually all personal information before the postings are public and delete all information from your records. Third, you are collecting information if you passively track a COPPA Kid online.

Those are the basics for determining if your website or online service is subject to COPPA. If you have applied the above factors and determined that COPPA applies, then you will need a privacy policy that complies with COPPA. I will cover that subject in the next installment.
