Financial Advisory Blog

Armanino’s Financial Advisory blog is your source for thought leadership around cloud ERP and accounting solutions and integrations. Supported by the Cloud Accounting Institute and numerous experts in cloud, finance, reporting, integration, compliance, and technology, Armanino’s Financial Advisory blog features must-read content on what’s happening in the finance industry, case studies, white papers, and much more.

November 6, 2019

How the CCPA Impacts the Handling of Children’s Data

Posted by Pippa Akem


A lot is going to change in the handling of children’s data when the California Consumer Privacy Act (CCPA) takes effect on January 1, 2020. If your organization does not already have a policy in place for handling children’s data, it’s time to consider the issues raised in this post and decide whether you need one.

The CCPA carries steep penalties for companies that overlook or fail to honor the new rights that give consumers more control over their data. It reinforces the need for greater data protections when dealing with the personal information of children, who, unlike other consumers, don’t readily comprehend the gravity of their online activities.

What Are the CCPA Consumer Rights?

The CCPA provides four basic rights to consumers:

  • Right to know: Consumers have the option to find out what personal information a business has about them, the source of this information, whether it has been disclosed or sold, and who the recipients are.
  • Right to opt out: Consumers are given the choice to refuse the sale of their personal information to third parties. Stringent consent rules also apply to children’s personal data and to inclusion in an incentive program.
  • Right to delete: Consumers can request that a business delete the personal information it has about them. There are exceptions.
  • Right to equal service: Consumers cannot be discriminated against for exercising their rights. They should receive similar services after they exercise any of the rights.

Implications for Children’s Information

A noticeable change, come January 1, 2020, is that the regular opt-out process won’t apply to children under 16. Companies must collect the consent of children under 16 to sell their personal information. And for children under 13, a parent or guardian will need to consent to the sale of information. In practice, this means companies cannot sell the consumer data of children under 16 unless they opt in. The regulations clarify that the consent rules apply in addition to any other consents under the US Children’s Online Privacy Protection Act (COPPA).

The broad definition of personal information under the CCPA poses some challenges to companies. The law defines personal information to include the collection of IP addresses, purchasing or browsing histories, geolocation data, consumption behaviors, psychological profiles, and consumer preferences. This definition holds broad implications for the collection of children’s data on popular devices and platforms likely to attract children, and more.

Companies subject to the CCPA can’t disregard the consumer’s age and claim they didn’t know they were dealing with a child’s data. Although the law as drafted requires companies to acquire actual knowledge of a consumer’s age to mitigate the risk of selling the personal information of minors, a business that willfully disregards the consumer’s age has actual knowledge of the consumer’s age under the law. The regulations require businesses with actual knowledge that they collect or maintain children’s data to implement specific processes to obtain the appropriate consent and to disclose that in the privacy policy. Consequently, companies will need to ask consumers who live in California about their age in order to comply with the children’s consent provision.

What should you do?

One of the first important steps is to create an inventory of all the personal data processing activities at your organization. Some companies choose to filter out the personal information of children under 16 and establish stringent controls for handling that particular data.  

The CCPA holds businesses responsible for taking affirmative steps to verify the age of the consumer whose data is being collected/sold. Studies show that the number of U.S. children who have an online footprint is increasing. With this trend, there is a clear need to protect the privacy of children and to protect your organization from failing to comply with the new privacy requirements.

For more information on Armanino’s data privacy solutions, visit Risk Assurance & Advisory Privacy Services.
