Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Dimitri Sirota
Dimitri Sirota
Connect Directly
E-Mail vvv

Data Privacy Protections for the Most Vulnerable Children

The business case for why companies that respect the privacy of individuals, and especially minors, will have a strong competitive advantage.

The news last month that Google agreed to pay $170 million to settle alleged privacy violations related to YouTube and children and an October 7 Federal Trade Commission review of Children's Online Privacy Protection Act (COPPA) are bringing a critical focus on protecting minors, who can't take action or understand the concept of privacy enough to protect their data. 

The COPPA review, which is coming several years ahead of schedule, aims to bring US privacy regulations up to speed with the latest technologies and trends, including growing numbers of minors using online services and being targeted with ads. It's a clear acknowledgement that traditional legislative and regulatory standards and processes are failing to keep up with the rapidly evolving digital landscape. Not only have online services changed greatly since COPPA was last revised in 2013, but the nature of data has changed, as have notions about what constitutes "personal information." There are more data sources and types of information being collected from everyone, particularly children. And the uses of data today have increased beyond what we could have imagined six years ago. All of this means companies need to rethink the nature of their role; they are data stewards, responsible for securing and caring for their customers' information, and not owners of the data. This is a crucial distinction. 

COPPA critics who dismiss the regulations as onerous for business are overlooking an important duty of online providers — that of protecting children who can't provide legal consent for data use. Society has a responsibility to its most vulnerable group of online citizens. The California Consumer Privacy Act (CCPA) has an opt-in standard for the sale of data belonging to minors, requiring websites to explicitly get permission from parents of children under 13 and from teenagers themselves up to age 16. This will become the norm going forward. To comply with both COPPA and CCPA, online providers will need to ask users to confirm that they are 16 or older. This won't solve all the privacy issues for minors, but it's a step in the right direction. With COPPA, the conversation about data privacy gets right to the heart of the matter: why and how things need to change.

So, knowing that changes in COPPA will be coming in the near future, and given the requirements of CCPA and the General Data Protection Regulation (GDPR), what steps can companies take? At the highest level, companies need to be prepared to embrace consumer data privacy both culturally and technologically — and do so in a way that allows their organization to evolve alongside technology and regulatory changes. There are three keys to making this vision a reality:

Step 1: Make Data Privacy Part of Corporate DNA
Embracing consumer data privacy starts with culture change, and it must come from the top. This means aligning the company's culture and values with the privacy program and reinforcing this in internal and external messaging, product design choices and engineering. From the board of directors and the CEO, to the chief information security officer and chief privacy officer and on down, everyone needs to be committed to making data privacy a business priority. Companies should integrate the data privacy program into the code of conduct and existing business processes; conduct regular privacy trainings with employees; add risk management assessment to new business, mergers, and other business arrangements; and regularly assess the efficacy and performance of data privacy processes and practices throughout the organization.

Step 2: Create the Competency to Become (and Stay) Compliant
Don't wait for regulators to come knocking. The sooner you get ahead of data compliance, the more readily you can adapt to changes in the regulatory environment. First, you need systems in place to help you understand what data you have and where it's stored. Ask important questions such as: Should we be collecting it? Is it properly secured? Who is it being shared with? Companies need to understand identity based on whose data they have, where it resides, and how it is used. Companies can't just rely on manually doing surveys of their data and filling in spreadsheets for privacy assessments.

Because GDPR, CCPA, and other regulations are predicated on the notion of user consent, the inability of children to provide consent underscores one of the key challenges — the need to locate both PI (personal information) and PII (personally identifiable information). Most children don't have credit cards or even email addresses that can be linked with their identity, but their online activities generate lots of personal data that can be indirectly tied back to their identities. GDPR and CCPA require businesses to be able to know what PII and PI they collect, where it is, and how it's being used. This data is typically scattered around different applications and in both structured and unstructured formats in the data center and the cloud. Companies must be able to discover and manage all of it.

Step 3: Be Good Data Stewards
For too long, companies have made use of and built businesses around customer data without acknowledging that they are merely guardians of the data, not owners. In a post-Cambridge Analytica and post-GDPR world, companies can't be careless with data. They need to be transparent about what information they are collecting and recognize customer rights to control how their data is used. This shift is vital for businesses to keep customers happy.

Protecting data privacy isn't just about being compliant, it's also smart business. Consumers are increasingly attentive to how companies treat their data and upset when companies show a disregard for data privacy. A survey late last year of US consumers found that nearly 40% were cutting back on social media use due to privacy concerns and 80% or more want to know where the data is and would like a say in whether their data is sold or shared.

Companies that don't prioritize their responsibilities related to data ownership and care — particularly regarding children's data — will lose customer trust and harm their brand, as well as face fines and other penalties that will no doubt come with a revised COPPA. Companies that respect the privacy of individuals and especially minors and view data privacy as a fundamental business objective and not just an obligation will have a strong competitive advantage. 

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How to Build a Rock Solid Culture"

Dimitri Sirota is a 10+ year privacy expert and identity veteran. He is CEO and cofounder of data protection and privacy software company BigID. Prior to starting BigID, Dimitri founded two enterprise software companies focused on security (eTunnels) and API management (Layer ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
10/19/2019 | 2:46:59 AM
Re: Also schools
Data plays an important role in the progress of any business. Sometimes some data are needed to keep private for the proper functioning of the process and the work. There re many problems associated with the processing of the data. It is not easy to store big data and keep it safe. The data backups are good to keep. The it supports West Palm Beach provides the best services of data and its process at the best deals.
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-22
The FileImporter extension in MediaWiki through 1.35.0 was not properly attributing various user actions to a specific user's IP address. Instead, for various actions, it would report the IP address of an internal Wikimedia Foundation server by omitting X-Forwarded-For data. This resulted in an inab...
PUBLISHED: 2020-10-22
The Cosmos Skin for MediaWiki through 1.35.0 has stored XSS because MediaWiki messages were not being properly escaped. This is related to wfMessage and Html::rawElement, as demonstrated by CosmosSocialProfile::getUserGroups.
PUBLISHED: 2020-10-22
In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
PUBLISHED: 2020-10-21
WSO2 API Manager 3.1.0 and earlier has reflected XSS on the "publisher" component's admin interface. More precisely, it is possible to inject an XSS payload into the owner POST parameter, which does not filter user inputs. By putting an XSS payload in place of a valid Owner Name, a modal b...
PUBLISHED: 2020-10-21
Adobe InDesign version 15.1.2 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .indd file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.