California Leads The Way On Children’s Privacy Protection Laws


By Andrew McDevitt, Senior Privacy Consultant at TRUSTe


California has always been known as a trailblazer state within the entertainment and technology sectors. This has significantly influenced our society, both at the national and global levels. The Golden State is no different when it comes to public policy trends. California has historically served as a national bellwether on a variety of political issues, and data privacy is no exception.

During the 2013 and 2014 legislative cycles, state lawmakers enacted legislation to provide more robust data privacy protections for California’s children.


Student Online Personal Information Protection Act (SOPIPA)

One of these laws is Senate Bill 1117, also known as the Student Online Personal Information Protection Act (SOPIPA). Effective as of Jan. 1, 2016, SOPIPA would preclude online service companies that focus on K-12 educational offerings from engaging in targeted advertising to minor students and their parents or legal guardians, and from collecting information about these students to establish individual profiles about them. SOPIPA also bans the sale of a student’s information and requires K-12 online service organizations to implement and maintain reasonable security to protect the data they do collect. In addition, these service entities must delete student data upon the request of a K-12 school or district that has had its students use a company’s online educational services.


Privacy Rights for California Minors in the Digital World

The other significant child privacy legislation passed in 2013 was Senate Bill 568, titled Privacy Rights for California Minors in the Digital World. Effective as of Jan. 1, 2015, this law prohibits online service companies from marketing a variety of products and services to minors when such products and services can only be purchased by a person 18 years of age or older. The law also prohibits the collection of personal data of minors that would be shared with third parties for the purpose of advertising or marketing these same types of products and services. The most noteworthy aspect of S.B. 568 is the “right to be forgotten” clause in the context of minors. Essentially, this means that a California resident who is under 18 years of age now has the ability to have the online content that is collected and stored about them by an online service company permanently deleted. In fact, the website owner must disclose to minors that they have this right, and minors must be told how to make such a request when desired.

Some of the key drivers for the passage of these two significant child privacy protection laws are that the public now has a heightened awareness and concern about data privacy matters. At the same time, K-12 public schools are increasingly looking for free or low-cost online technology services to successfully educate students during extreme budgetary shortfalls at the state and school district levels. In addition, the current trajectory of negative online activities and behaviors of some California minors was potentially leading toward long-term ramifications if students were not provided the opportunity to delete their online mistakes. According to a recent study about parents’ concerns regarding their pre-teens’ Internet usage, 43% of parents think their child will share personal information online that they will later regret.

What this means for online service organizations is that they will need to clearly establish a mechanism to identify minors who are using their site if they are not doing so already. These websites will also need to establish effective legal and technological mechanisms, as well as policies and programs, to ensure that they are fully compliant with these new child privacy protection laws. This includes providing minors an easy method to exercise their new “right to be forgotten.” Online tracking partners and technologies will also need to be fine-tuned to ensure that California’s minors are not included in online advertising programs in the K-12 context and are not served advertisements that the state does not deem age appropriate. This will also be a perfect opportunity for these organizations to evaluate their current data security programs and address any new gaps or vulnerabilities found.



Visit TRUSTe at the RSA Conference in San Francisco This Week!


The RSA Conference 2015 is taking place this week in San Francisco at the Moscone Center. We’ll be demoing TRUSTe’s Assessment Manager, our automated privacy solution, starting Tuesday and going through Thursday evening. Stop by the TRUSTe booth located in the North Hall, booth #N3022. We’ll be handing out some fun swag and gift cards for visitors interested in taking a survey or watching a demo.

RSA is a security conference and, yes, security and privacy are different, but both are essential areas for companies to understand, and both call for smart practices in order to mitigate risk.

The RSA Conference is one of the largest security events in the US. The event draws in nearly 30,000 attendees each year.

We perused the list of other privacy-related events taking place at RSA and compiled this must-see list:

We hope to see you there!




How the Privacy Landscape is Creating In-Demand Jobs


By KimAnh Tran, Associate Legal Counsel, CIPP/US, Contributor

High-profile breaches seem to arise almost weekly across all industries and verticals, making privacy and security top-of-mind for organizations large and small. Fear has proven to be a strong motivator for many organizations, as an expensive remediation process, a regulatory audit and a public relations disaster loom with any breach. Predictably, companies are reacting by trying to clean up their own privacy practices company-wide. This objective, though admirable, is not easily accomplished, and typically requires the skills of experienced privacy professionals.

Privacy management as an industry is still relatively young, and consequently privacy veterans are few and far between. However, more and more job descriptions express a need for seasoned privacy professionals with experience in tracking and understanding privacy regulations and best practices, and in applying such knowledge in a variety of different roles and functions.

Though official titles may vary, there are several roles and functions that seem to be in demand in the privacy space. The qualifications for each may differ depending on company size, the company’s industry and need for privacy support. However, a CIPP certification through the International Association of Privacy Professionals may indicate a certain level of credibility and dedication to privacy in the eyes of a hiring manager.



Privacy Assessment Best Practices Roundtable in London


Privacy experts and business leaders from various industries gathered on April 14th for the fourth Roundtable event in our successful Privacy Insight Series. In the stylish setting of the Malmaison Hotel, the focus was on Privacy Assessment Best Practices.

Stewart Room, Partner, Head of Cyber Security and Data Protection at PwC Legal LLP, kicked off the event with a lively group discussion on key data privacy challenges, with topics ranging from dealing with activism and a growing compensation culture to defining success metrics and prioritization.

After Eleanor Treharne-Jones from TRUSTe shared our recent research on how Fortune 1000 companies are using Privacy Assessments, a distinguished panel of speakers shared insights into how they are using Privacy Assessments within their organizations. Our panel speakers included Nina Barakzai, Group Head of Data Protection & Privacy, Sky; Amanda Chandler, Group Privacy Manager, Vodafone; and Chris Davies, General Counsel, EMEA & Head of Privacy, InMobi, with Ralph O’Brien from TRUSTe in the chair.

The privacy conversations continued over drinks in the Mal Lounge at the Malmaison where privacy professionals gathered at TRUSTe’s annual Cocktail and Canapes event on the eve of the IAPP Data Protection Intensive.

The roundtable was the eighth event in the Privacy Insight Series, which consists of webinars and live roundtables where professionals can discuss and hear from experts and practitioners on hot topics in data privacy. TRUSTe created this series to give people access to key insights in the evolving privacy landscape. To view and register for future events and webinars, click here.


As the Internet of Things Continues to Grow, More Questions Arise


What happens when 50 billion machines connect? That’s one of the big questions privacy advocates, business leaders and government agencies are asking themselves when strategizing for the future safety of our data as the Internet of Things (IoT) grows. The privacy challenges of today’s connected world can seem daunting – and these challenges will continue to deepen as the IoT expands.

Anyone interested in connected technology or buying smart gadgets knows that connected devices are everywhere. Ideas such as the connected car, the connected home (refrigerator, heating and air conditioning, alarm system, etc.), and wearable fitness devices are all concepts that quickly blossomed beyond the tech community and sparked the interest of the general population. This is exciting for many people but also raises a number of concerns around how consumers’ personal data will be protected.



Canada Signs On to APEC’s Cross-Border Data Privacy Rules System


Today, Canada announced that it has formally joined APEC’s Cross-Border Privacy Rules (CBPR) system. Canada is the fourth member economy to sign on to the system, which facilitates cross-border data flows in the APEC region. So far, the U.S., Mexico and Japan have joined the voluntary CBPR system.

APEC originally began in 1989 to promote free trade throughout the region and includes 21 member economies in the Pacific Rim. APEC leaders saw the need to create rules to govern data transfers across borders.

The Cross-Border Data Privacy Rules system was developed by APEC economies in consultation with industry, academia and civil society to build consumer, business and regulator trust in cross-border flows of personal information. In order for businesses in participating economies to become CBPR certified, they must develop and implement data privacy policies that align with the system requirements. These policies must then be verified by a third party, an “Accountability Agent.” TRUSTe is currently the only Accountability Agent recognized by APEC economies to perform CBPR certification.



Meet TRUSTe: Eleanor Treharne-Jones, Director, EMEA & Global Communications


Name: Eleanor Treharne-Jones

Job Title: Director, EMEA & Global Communications

How long have you worked at TRUSTe? 3 Years

Tell us about your role at TRUSTe: As Global Communications Director at TRUSTe, I am responsible for overseeing all of TRUSTe’s external communications, from our PR, blog, newsletter and social media channels to our ongoing consumer research series, whitepapers and extensive live event programme. In the last few months alone we have started a series of client updates on new regulatory developments, launched the 12-part Privacy Insight Series and just published a fantastic line-up of speakers for our second IoT Privacy Summit in Silicon Valley in June.

As a communications team, our aim is to ensure that TRUSTe is at the centre of the evolving data privacy debate and that we consistently provide informative and useful content for our clients on key data privacy challenges facing the industry.

Working out of our London office I have also supported TRUSTe’s expansion into the European market as the global demand for solutions to meet EU privacy requirements (such as the Cookie Directive) continues to grow.



TRUSTe Introduces Device Fingerprinting Detection


TRUSTe introduces device fingerprinting detection as part of its Website Monitoring Service. Similar to cookies, device recognition fingerprinting tracks consumers online and allows companies to serve them relevant targeted ads based on their online activity. What makes fingerprinting unique is that it allows companies to collect consumer characteristics via desktop or mobile device, usually without consent from the consumer.

With fingerprinting detection, online companies can identify third-party trackers that are using fingerprinting techniques to collect personal data from their customers without their knowledge or consent. This new technology enables companies to identify unwanted or unknown third-party trackers on websites, as well as to provide accurate information to consumers regarding such trackers and to request consumer consent or provide an opt-out.

Under the EU Cookie Directive, companies are required to obtain consent from consumers before tracking. After reports that companies were looking into device fingerprinting to get around these requirements, European Data Protection Authorities confirmed that the Directive also applies to fingerprinting.

In the US, the Advertising Self-Regulation Council’s Accountability Program has also recently added “cookie-less” technologies to its enforcement program requirements. Companies must provide a way for consumers to opt out of this more sophisticated method of tracking in order to stay compliant, avoid enforcement and build trust.

Read more about device fingerprinting detection here.
