The law and policy of internet and digital technology use

Tag Archives: security

FTC Updates COPPA Guidance for Connected Toys

COPPA regulates websites and online services that collect personal information from kids under 13. The FTC revised its COPPA Compliance Plan for businesses a few days ago. The major revisions address “changes in technology,” namely the proliferation of connected toys and other internet-connected devices aimed at kids.

In this revised guidance, the FTC concludes that online services include internet-connected toys and other internet-connected devices that collect personal information from children under 13. If a toy or device collects pictures of the child, for example, it’s covered. If it records the child’s actions or voice, that’s covered too. If it uses persistent identifiers associated with a child, that’s also in. The same goes for toys that collect geolocation data that would disclose the child’s location.

If you make an implicated product, you’ll need a COPPA-compliant privacy policy. A compliant policy properly discloses the PI your business collects from kids, as well as the PI collected by any third party. The policy must also explain parents’ rights under COPPA. You’ll also have to give affected parents direct notice of these things and get their verified consent to the collection of PI.

The new Plan does identify two new options for obtaining verified parental consent—knowledge-based authentication questions and facial recognition against a verified photo ID.

COPPA makes some exceptions. The FTC views these exceptions as applicable to “a narrow class of personal information” in “certain circumstances.” Be careful if you intend to rely on one of them.

HIPAA and the Cloud—Considerations for Cloud Service Providers Serving Covered Entities and Business Associates

This is the flip side of last week’s post. Here’s a quick summary of some key compliance points for Cloud Service Providers (CSPs) who serve medical practitioners and their business associates. (1) Information de-identified per HIPAA’s Privacy Rule is not ePHI. If that’s all a CSP is hosting, HIPAA will not regulate the hosting. (2) CSPs can…

NAIC Adopts Cybersecurity Principles

The National Association of Insurance Commissioners (NAIC) Cybersecurity Task Force just adopted regulatory guidance on cybersecurity. This guidance for regulators comes in the form of 12 “Principles for Effective Cybersecurity” designed to promote uniformity in an industry regulated by the states. Most of the principles are standard issue stuff: regulators must ensure protection for PII collected, stored, or…

Markey Report Highlights Security Issues with Car Electronics

United States Senator Edward J. Markey of Massachusetts recently issued a report on the security of car electronics. How secure are they? Not very. Today’s cars contain more than 50 networked electronic control units that may collect data, some of which are collecting data we might not want collected and some or all of which are typically vulnerable to…

FINRA’s Report on Cybersecurity Practices

FINRA just published a report on the cybersecurity practices of member firms based on the targeted examinations it recently conducted on this very topic. While the report claims that it creates no new legal or regulatory requirements, it doesn’t read that way, and broker-dealers would be foolish to overlook it. (NB: Cybersecurity goes beyond protecting customer information from disclosure to hackers.…