November 6, 2019
How the CCPA Impacts the Handling of Children’s Data
Posted by Pippa Akem
The CCPA impacts the handling of children’s data and a lot is going to change when the California Consumer Privacy Act (CCPA) takes effect on January 1, 2020. If your organization does not have a policy already in place for the handling of children’s data, it’s time to consider the issues raised in this post and decide whether you need one.
The CCPA carries steep penalties for companies who overlook or fail to honor the new consumer rights that give consumers more control over their data. It reinforces the need for greater data protections when dealing with the personal information of children, who, unlike other consumers, don’t readily comprehend the gravity of their online activities.
What Are the CCPA Consumer Rights?
The CCPA provides four basic rights to consumers:
- Right to know: Consumers have the option to find out what personal information a business has about them, the source of this information, whether it has been disclosed or sold, and who the recipients are.
- Right to opt out: Consumers are given the choice to refuse the sale of their personal information to third parties. Stringent consent rules extend to protect children’s personal data and to be included in an incentive program.
- Right to delete: Consumers can request that a business delete the personal information it has about them. There are exceptions.
- Right to equal service: Consumers cannot be discriminated against for exercising their rights. They should receive similar services after they exercise any of the rights.
Implications for Children’s Information
A noticeable change, come January 1, 2020, is that the regular opt-out process won’t apply to children under 16. Companies must collect the consent of children under 16 to sell their personal information. And for children under 13, a parent or guardian will need to consent to the sale of information. In practice, this means companies cannot sell the consumer data of children under 16 unless they opt in. The regulations clarify that the consent rules apply in addition to any other consents under the US Children’s Online Privacy Protection Act (COPPA).
The broad definition of personal information under the CCPA poses some challenges to companies. The law defines personal information to include the collection of IP addresses, purchasing or browsing histories, geolocation data, consumption behaviors, psychological profiles, and consumer preferences. This definition holds broad implications for the collection of children’s data on popular devices and platforms likely to attract children, and more.
What should you do?
One of the first important steps is to create an inventory of all the personal data processing activities at your organization. Some companies choose to filter out the personal information of children under 16 and establish stringent controls for handling that particular data.
The CCPA holds businesses responsible for taking affirmative steps to verify the age of the consumer whose data is being collected/sold. Studies show that the number of U.S. children who have an online footprint is increasing. With this trend, there is a clear need to protect the privacy of children and to protect your organization from failing to comply with the new privacy requirements.
For more information on Armanino’s data privacy solutions visit Risk Assurance & Advisory Privacy Services.
Prior to joining Armanino, she held privacy functions at Fortune 500 companies supporting General Data Protection Regulation (GDPR) implementation and the transition to California Consumer Privacy Act (CCPA) compliance. Pippa holds the Certified in Healthcare Privacy Compliance (CHPC) designation and is a member of the Health Care Compliance Association (HCCA) and the International Association of Privacy Professionals (IAPP).