

10:00 AM
Dimitri Sirota

Data Privacy Protections for the Most Vulnerable Children

The business case for why companies that respect the privacy of individuals, and especially minors, will have a strong competitive advantage.

The news last month that Google agreed to pay $170 million to settle alleged privacy violations related to YouTube and children and an October 7 Federal Trade Commission review of the Children's Online Privacy Protection Act (COPPA) are bringing a critical focus on protecting minors, who can't take action or understand the concept of privacy enough to protect their data.

The COPPA review, which is coming several years ahead of schedule, aims to bring US privacy regulations up to speed with the latest technologies and trends, including growing numbers of minors using online services and being targeted with ads. It's a clear acknowledgement that traditional legislative and regulatory standards and processes are failing to keep up with the rapidly evolving digital landscape. Not only have online services changed greatly since COPPA was last revised in 2013, but the nature of data has changed, as have notions about what constitutes "personal information." There are more data sources and types of information being collected from everyone, particularly children. And the uses of data today have increased beyond what we could have imagined six years ago. All of this means companies need to rethink the nature of their role; they are data stewards, responsible for securing and caring for their customers' information, and not owners of the data. This is a crucial distinction. 

COPPA critics who dismiss the regulations as onerous for business are overlooking an important duty of online providers — that of protecting children who can't provide legal consent for data use. Society has a responsibility to its most vulnerable group of online citizens. The California Consumer Privacy Act (CCPA) has an opt-in standard for the sale of data belonging to minors, requiring websites to explicitly get permission from parents of children under 13 and from teenagers themselves up to age 16. This will become the norm going forward. To comply with both COPPA and CCPA, online providers will need to ask users to confirm that they are 16 or older. This won't solve all the privacy issues for minors, but it's a step in the right direction. With COPPA, the conversation about data privacy gets right to the heart of the matter: why and how things need to change.

So, knowing that changes in COPPA will be coming in the near future, and given the requirements of CCPA and the General Data Protection Regulation (GDPR), what steps can companies take? At the highest level, companies need to be prepared to embrace consumer data privacy both culturally and technologically — and do so in a way that allows their organization to evolve alongside technology and regulatory changes. There are three keys to making this vision a reality:

Step 1: Make Data Privacy Part of Corporate DNA
Embracing consumer data privacy starts with culture change, and it must come from the top. This means aligning the company's culture and values with the privacy program and reinforcing this in internal and external messaging, product design choices and engineering. From the board of directors and the CEO, to the chief information security officer and chief privacy officer and on down, everyone needs to be committed to making data privacy a business priority. Companies should integrate the data privacy program into the code of conduct and existing business processes; conduct regular privacy trainings with employees; add risk management assessment to new business, mergers, and other business arrangements; and regularly assess the efficacy and performance of data privacy processes and practices throughout the organization.

Step 2: Create the Competency to Become (and Stay) Compliant
Don't wait for regulators to come knocking. The sooner you get ahead of data compliance, the more readily you can adapt to changes in the regulatory environment. First, you need systems in place to help you understand what data you have and where it's stored. Ask important questions such as: Should we be collecting it? Is it properly secured? Who is it being shared with? Companies need to understand identity based on whose data they have, where it resides, and how it is used. Companies can't just rely on manually doing surveys of their data and filling in spreadsheets for privacy assessments.

Because GDPR, CCPA, and other regulations are predicated on the notion of user consent, the inability of children to provide consent underscores one of the key challenges — the need to locate both PI (personal information) and PII (personally identifiable information). Most children don't have credit cards or even email addresses that can be linked with their identity, but their online activities generate lots of personal data that can be indirectly tied back to their identities. GDPR and CCPA require businesses to be able to know what PII and PI they collect, where it is, and how it's being used. This data is typically scattered around different applications and in both structured and unstructured formats in the data center and the cloud. Companies must be able to discover and manage all of it.

Step 3: Be Good Data Stewards
For too long, companies have made use of and built businesses around customer data without acknowledging that they are merely guardians of the data, not owners. In a post-Cambridge Analytica and post-GDPR world, companies can't be careless with data. They need to be transparent about what information they are collecting and recognize customer rights to control how their data is used. This shift is vital for businesses to keep customers happy.

Protecting data privacy isn't just about being compliant; it's also smart business. Consumers are increasingly attentive to how companies treat their data and upset when companies show a disregard for data privacy. A survey late last year of US consumers found that nearly 40% were cutting back on social media use due to privacy concerns and 80% or more want to know where the data is and would like a say in whether their data is sold or shared.

Companies that don't prioritize their responsibilities related to data ownership and care — particularly regarding children's data — will lose customer trust and harm their brand, as well as face fines and other penalties that will no doubt come with a revised COPPA. Companies that respect the privacy of individuals, and especially minors, and view data privacy as a fundamental business objective and not just an obligation will have a strong competitive advantage.


Dimitri Sirota is a 10+ year privacy expert and identity veteran. He is CEO and cofounder of data protection and privacy software company BigID. Prior to starting BigID, Dimitri founded two enterprise software companies focused on security (eTunnels) and API management (Layer ...

User Rank: Apprentice
10/19/2019 | 2:46:59 AM
Re: Also schools
Data plays an important role in the progress of any business. Sometimes some data are needed to keep private for the proper functioning of the process and the work. There are many problems associated with the processing of the data. It is not easy to store big data and keep it safe. The data backups are good to keep. The it supports West Palm Beach provides the best services of data and its process at the best deals.