The news last month that Google agreed to pay $170 million to settle alleged privacy violations related to YouTube and children and an October 7 Federal Trade Commission review of the Children's Online Privacy Protection Act (COPPA) are bringing a critical focus on protecting minors, who can't take action or understand the concept of privacy enough to protect their data.
The COPPA review, which is coming several years ahead of schedule, aims to bring US privacy regulations up to speed with the latest technologies and trends, including growing numbers of minors using online services and being targeted with ads. It's a clear acknowledgement that traditional legislative and regulatory standards and processes are failing to keep up with the rapidly evolving digital landscape. Not only have online services changed greatly since COPPA was last revised in 2013, but the nature of data has changed, as have notions about what constitutes "personal information." There are more data sources and types of information being collected from everyone, particularly children. And the uses of data today have increased beyond what we could have imagined six years ago. All of this means companies need to rethink the nature of their role; they are data stewards, responsible for securing and caring for their customers' information, and not owners of the data. This is a crucial distinction.
COPPA critics who dismiss the regulations as onerous for business are overlooking an important duty of online providers — that of protecting children who can't provide legal consent for data use. Society has a responsibility to its most vulnerable group of online citizens. The California Consumer Privacy Act (CCPA) has an opt-in standard for the sale of data belonging to minors, requiring websites to explicitly get permission from parents of children under 13 and from teenagers themselves up to age 16. This will become the norm going forward. To comply with both COPPA and CCPA, online providers will need to ask users to confirm that they are 16 or older. This won't solve all the privacy issues for minors, but it's a step in the right direction. With COPPA, the conversation about data privacy gets right to the heart of the matter: why and how things need to change.
So, knowing that changes in COPPA will be coming in the near future, and given the requirements of CCPA and the General Data Protection Regulation (GDPR), what steps can companies take? At the highest level, companies need to be prepared to embrace consumer data privacy both culturally and technologically — and do so in a way that allows their organization to evolve alongside technology and regulatory changes. There are three keys to making this vision a reality:
Step 1: Make Data Privacy Part of Corporate DNA
Embracing consumer data privacy starts with culture change, and it must come from the top. This means aligning the company's culture and values with the privacy program and reinforcing this in internal and external messaging, product design choices and engineering. From the board of directors and the CEO, to the chief information security officer and chief privacy officer and on down, everyone needs to be committed to making data privacy a business priority. Companies should integrate the data privacy program into the code of conduct and existing business processes; conduct regular privacy trainings with employees; add risk management assessment to new business, mergers, and other business arrangements; and regularly assess the efficacy and performance of data privacy processes and practices throughout the organization.
Step 2: Create the Competency to Become (and Stay) Compliant
Don't wait for regulators to come knocking. The sooner you get ahead of data compliance, the more readily you can adapt to changes in the regulatory environment. First, you need systems in place to help you understand what data you have and where it's stored. Ask important questions such as: Should we be collecting it? Is it properly secured? Who is it being shared with? Companies need to understand identity based on whose data they have, where it resides, and how it is used. Companies can't rely solely on manually surveying their data and filling in spreadsheets for privacy assessments.
Because GDPR, CCPA, and other regulations are predicated on the notion of user consent, the inability of children to provide consent underscores one of the key challenges — the need to locate both PI (personal information) and PII (personally identifiable information). Most children don't have credit cards or even email addresses that can be linked with their identity, but their online activities generate lots of personal data that can be indirectly tied back to their identities. GDPR and CCPA require businesses to be able to know what PII and PI they collect, where it is, and how it's being used. This data is typically scattered around different applications and in both structured and unstructured formats in the data center and the cloud. Companies must be able to discover and manage all of it.
Step 3: Be Good Data Stewards
For too long, companies have made use of and built businesses around customer data without acknowledging that they are merely guardians of the data, not owners. In a post-Cambridge Analytica and post-GDPR world, companies can't be careless with data. They need to be transparent about what information they are collecting and recognize customer rights to control how their data is used. This shift is vital for businesses to keep customers happy.
Protecting data privacy isn't just about being compliant; it's also smart business. Consumers are increasingly attentive to how companies treat their data and are upset when companies show a disregard for data privacy. A survey late last year of US consumers found that nearly 40% were cutting back on social media use due to privacy concerns and 80% or more want to know where the data is and would like a say in whether their data is sold or shared.
Companies that don't prioritize their responsibilities related to data ownership and care — particularly regarding children's data — will lose customer trust and harm their brand, as well as face fines and other penalties that will no doubt come with a revised COPPA. Companies that respect the privacy of individuals and especially minors and view data privacy as a fundamental business objective and not just an obligation will have a strong competitive advantage.