1. Consider your audience. Whether a service is “targeted to children” may seem like a simple concept generally, but it can be difficult to apply to specific examples, particularly in the realm of games and entertainment. As we describe in our guide to compliance with the amended COPPA Rule, there are a number of factors that should be considered when determining whether a website or online service or portion thereof is directed to children.
Identify which website(s)/services are covered by your policy and provide the effective date of the policy.
List the categories of information that are collected on the website/service. It is not sufficient to simply state that information is or may be collected on your website/service; you must also inform users what information is being collected, why it is collected, how it is collected, and when it is collected. Where information is collected automatically (e.g., through cookies or other tracking technologies), disclose in detail the methods used to collect the information and describe how individuals can prevent the automatic collection.
Clearly describe how the information collected is used, including if and when the information collected will be provided to any third party.
Where applicable, give users the choice of whether or not to have their information disclosed to third parties (e.g., your commercial partners) or used for certain purposes (e.g., to receive marketing communications). Opt-in methods are customer friendly and encouraged; however, if opt-out methods are used (e.g., an unsubscribe button), ensure that they actually work.
Provide contact information that can be used to ask questions or provide comments about your privacy practices.
Before sharing personal information collected on the website/service with a service provider or other third party, do your diligence to determine what the service provider’s or third party’s data practices are for maintaining the confidentiality and security of the information and preventing unauthorized access to or use of the information. Release the personal information only to service providers and third parties capable of maintaining its confidentiality, security, and integrity, and get those assurances in writing.
3. Collect and retain only the personal information required to provide the website/service. Minimize what you collect, keep personal information only as long as reasonably necessary to fulfill the collection purpose, and securely delete personal information you no longer need to retain. The easiest way to reduce your risk profile is to limit what you collect and retain.
6. Security. Describe the security measures you have in place to safeguard the personal information collected on the website/service. Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected on the website, commensurate with the sensitivity of the data collected. Reassess your security measures periodically.
9. International Considerations. Be aware that if you operate in other countries or collect personal information from residents of other countries, your business may be subject to the privacy and data protection laws of such countries, which may be more stringent than U.S. laws. You should consult with legal counsel in the applicable jurisdictions to determine compliance obligations.
2. FTC’s Report: Protecting Consumers in an Era of Rapid Change
Be sure to also check our Privacy and Security Matters blog for other resources and up-to-date information on privacy and security.