FTC Provides Insight into COPPA Deletion Requirements
Posted on July 12, 2018
The Federal Trade Commission recently posted a blog entry reminding companies about the deletion requirements under the Children’s Online Privacy Protection Act. Namely, that companies under the Act must give parents the right to review and delete their children’s information. In addition COPPA also requires companies to delete children’s personal information when the information is no longer necessary to fulfill the purpose for which it was originally requested. An example given is when a parent decides not to renew a subscription on behalf of their child. In that case, the company must delete the information even if the parent has not specifically requested deletion. The FTC recommends that companies make sure that their document retention policies take into account the stated purposes for which children’s personal information is collected, and under what circumstances the information will no longer be needed for those purposes. The FTC also recommends that companies ensure that they have secure deletion practices in place.
PUTTING IT INTO PRACTICE: Companies who collect personal information about children under 13 should keep in mind that the FTC is thinking about COPPA’s deletion requirements. These include not only if a parent asks for deletion, but also when the information is no longer needed.
NJ AG Settles with Chinese Firm Over COPPA Violations, FTC Sends Warning Letters
Posted on May 10, 2018
The NJ attorney general recently announced that it settled with a Chinese entity over violations of COPPA. The company promotes itself as a “virtual beauty counter,” and makes a variety of apps that let consumers virtually try on makeup. These apps include facial recognition technology, as well as photo-editing tools that allow users to customize and touch up their photos (the apps include Beauty Plus, AirBrush, and Meitu). The apps, according to the AG, allowed children under 13 to submit personal information without first getting parental consent, in violation of the Children’s Online Privacy Protection Act.
The company has agreed to pay a $100,000 civil penalty as well as to block children under 13 from submitting information to the apps. The company further specifically agreed to provide notice of what information it collects from children, how it uses the information, and whether it discloses children’s information. The company also agreed to get parental consent as required under COPPA, and to give parents a way to reasonably review their children’s information.
The New Jersey settlement comes at almost the same time that the FTC warned two foreign companies (Chinese- based Gator Group Co., Ltd., and the Swedish company Tinitell, Inc.) that they needed to comply with COPPA when collecting children’s geo-locations. Both companies provide location services for watch-type devices. The companies allow users to track the child who is wearing the device. The FTC’s concern for both was that they appeared to collect precise location without notifying parents of this practice. The FTC was also concerned that the companies were not getting parental consent as required under COPPA.
PUTTING IT INTO PRACTICE: These cases are a reminder that both the FTC and state AGs are looking at whether companies are complying with COPPA when creating devices or apps that are appealing to or intended for children.
                    Eye on Privacy 2018 Year in Review 10