Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA) went into effect to regulate children’s online privacy. It applies to operators of websites and online services that are directed to children or that knowingly collect information from children under 13, regardless of the operator’s location if they target U.S. residents. It requires organisations to operationalize and verify compliance by preserving children’s data and preventing a data breach.
The legislation establishes stronger standards for the use of data from and about children under the age of 13, and it gives parents the authority to monitor and authorise some of the information their children share.
Obligations & Consequences
The following are a few key obligations & consequences, flowing from the COPPA, on any organization to whom these provisions apply:
- Provide a clear and comprehensive online privacy policy, including what information is collected, how the information is used, and the collector’s disclosure practices.
- Provide direct notice to parents of the privacy policy and the data collected from children.
- Obtain verifiable parental consent to data collection.
- Make it possible for a parent to evaluate the PI obtained from their child.
- Establish and maintain appropriate processes to safeguard the confidentiality, security, and integrity of personally identifiable information obtained from minors under the age of 13.
- Retain PI obtained online from a child for no longer than is required to accomplish the purpose for which it was collected.
Challenges
The following are the issues created by COPPA that the majority of organizations face:
- The operators of websites and online services collect massive amounts of data but lack the capability to comply with the regulation’s privacy and security rules.
- Manually managing data mapping and inventory to provide adequate security based on the risk related to the respective data collected.
- Lack of provision or process to destroy data despite the fact that the COPPA mandates that data be destroyed when the lawful basis for processing expires.
- Organisations do not have a mechanism in place to generate a record of assurance that provides proof of permanent deletion.
Solutions
Our AI-based, patented solution, TurtleShield DD (Data Discovery and Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. It enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.
Often, organizational silos between business and IT teams make it difficult to get a complete view of data flowing in and out, especially when shared with third parties or partners. TurtleShield DD automatically maps your “data sharing” to provide clear visibility and actionable insights.