Dark Reading is part of the Informa Tech Division of Informa PLC



10/17/2019
10:00 AM
Dimitri Sirota
Commentary

Data Privacy Protections for the Most Vulnerable — Children

The business case for why companies that respect the privacy of individuals, and especially minors, will have a strong competitive advantage.

The news last month that Google agreed to pay $170 million to settle alleged privacy violations related to YouTube and children and an October 7 Federal Trade Commission review of the Children's Online Privacy Protection Act (COPPA) are bringing a critical focus on protecting minors, who can't take action or understand the concept of privacy enough to protect their data.

The COPPA review, which is coming several years ahead of schedule, aims to bring US privacy regulations up to speed with the latest technologies and trends, including growing numbers of minors using online services and being targeted with ads. It's a clear acknowledgement that traditional legislative and regulatory standards and processes are failing to keep up with the rapidly evolving digital landscape. Not only have online services changed greatly since COPPA was last revised in 2013, but the nature of data has changed, as have notions about what constitutes "personal information." There are more data sources and types of information being collected from everyone, particularly children. And the uses of data today have increased beyond what we could have imagined six years ago. All of this means companies need to rethink the nature of their role; they are data stewards, responsible for securing and caring for their customers' information, and not owners of the data. This is a crucial distinction. 

COPPA critics who dismiss the regulations as onerous for business are overlooking an important duty of online providers — that of protecting children who can't provide legal consent for data use. Society has a responsibility to its most vulnerable group of online citizens. The California Consumer Privacy Act (CCPA) has an opt-in standard for the sale of data belonging to minors, requiring websites to explicitly get permission from parents of children under 13 and from teenagers themselves up to age 16. This will become the norm going forward. To comply with both COPPA and CCPA, online providers will need to ask users to confirm that they are 16 or older. This won't solve all the privacy issues for minors, but it's a step in the right direction. With COPPA, the conversation about data privacy gets right to the heart of the matter: why and how things need to change.

So, knowing that changes in COPPA will be coming in the near future, and given the requirements of CCPA and the General Data Protection Regulation (GDPR), what steps can companies take? At the highest level, companies need to be prepared to embrace consumer data privacy both culturally and technologically — and do so in a way that allows their organization to evolve alongside technology and regulatory changes. There are three keys to making this vision a reality:

Step 1: Make Data Privacy Part of Corporate DNA
Embracing consumer data privacy starts with culture change, and it must come from the top. This means aligning the company's culture and values with the privacy program and reinforcing this in internal and external messaging, product design choices and engineering. From the board of directors and the CEO, to the chief information security officer and chief privacy officer and on down, everyone needs to be committed to making data privacy a business priority. Companies should integrate the data privacy program into the code of conduct and existing business processes; conduct regular privacy trainings with employees; add risk management assessment to new business, mergers, and other business arrangements; and regularly assess the efficacy and performance of data privacy processes and practices throughout the organization.

Step 2: Create the Competency to Become (and Stay) Compliant
Don't wait for regulators to come knocking. The sooner you get ahead of data compliance, the more readily you can adapt to changes in the regulatory environment. First, you need systems in place to help you understand what data you have and where it's stored. Ask important questions such as: Should we be collecting it? Is it properly secured? Who is it being shared with? Companies need to understand identity based on whose data they have, where it resides, and how it is used. Companies can't just rely on manually doing surveys of their data and filling in spreadsheets for privacy assessments.

Because GDPR, CCPA, and other regulations are predicated on the notion of user consent, the inability of children to provide consent underscores one of the key challenges — the need to locate both PI (personal information) and PII (personally identifiable information). Most children don't have credit cards or even email addresses that can be linked with their identity, but their online activities generate lots of personal data that can be indirectly tied back to their identities. GDPR and CCPA require businesses to be able to know what PII and PI they collect, where it is, and how it's being used. This data is typically scattered around different applications and in both structured and unstructured formats in the data center and the cloud. Companies must be able to discover and manage all of it.

Step 3: Be Good Data Stewards
For too long, companies have made use of and built businesses around customer data without acknowledging that they are merely guardians of the data, not owners. In a post-Cambridge Analytica and post-GDPR world, companies can't be careless with data. They need to be transparent about what information they are collecting and recognize customer rights to control how their data is used. This shift is vital for businesses to keep customers happy.

Protecting data privacy isn't just about being compliant; it's also smart business. Consumers are increasingly attentive to how companies treat their data and are upset when companies show a disregard for data privacy. A survey late last year of US consumers found that nearly 40% were cutting back on social media use due to privacy concerns and 80% or more want to know where the data is and would like a say in whether their data is sold or shared.

Companies that don't prioritize their responsibilities related to data ownership and care — particularly regarding children's data — will lose customer trust and harm their brand, as well as face fines and other penalties that will no doubt come with a revised COPPA. Companies that respect the privacy of individuals and especially minors and view data privacy as a fundamental business objective and not just an obligation will have a strong competitive advantage. 


Dimitri Sirota is a 10+ year privacy expert and identity veteran. He is CEO and cofounder of data protection and privacy software company BigID. Prior to starting BigID, Dimitri founded two enterprise software companies focused on security (eTunnels) and API management (Layer ...
Comments
DavidCarrillo
User Rank: Apprentice
10/19/2019 | 2:46:59 AM
Re: Also schools
Data plays an important role in the progress of any business. Sometimes some data are needed to keep private for the proper functioning of the process and the work. There are many problems associated with the processing of the data. It is not easy to store big data and keep it safe. The data backups are good to keep. The it supports West Palm Beach provides the best services of data and its process at the best deals.
WarnR
User Rank: Apprentice
10/17/2019 | 3:02:58 PM
Also schools
Sadly, it’s not just companies that need to change their focus to protect children but also schools. Schools will bypass getting parents' consent by allowing companies, like Google (Google Classroom) or DoJo, to be “School Officials”. This allows companies to collect information on students without letting the parents know. There are also questions regarding how long the data is retained, who has access, and how data backups are secured.