US Federal Regulation
Children’s Online Privacy Protection Rule (COPPA)
- The Rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children
Gramm-Leach-Bliley Act (GLBA)
- Also known as the Financial Modernization Act of 1999. It is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information.
Fair Credit Reporting Act/Fair and Accurate Credit Transactions Act (FCRA/FACTA)
- U.S. law passed in 2003 that is aimed at strengthening protection against identity theft by creating standards for the handling of credit card numbers. The act gives individuals free access to their own credit reports and created a nationwide alert system.
Right to Financial Privacy Act
- Gives the customers of financial institutions the right to some level of privacy from government searches.
Electronic Communications Privacy Act
- Extends restrictions on government wiretaps of telephone calls to include transmissions of electronic data by computer (18 U.S.C. § 2510 et seq.), and adds new provisions prohibiting access to stored electronic communications.
Computer Fraud and Abuse Act (CFAA)
- The law prohibits accessing a computer without authorization, or in excess of authorization.
Health Insurance Portability and Accountability Act (HIPAA)
- The primary goal of the law is to make it easier for people to keep health insurance, to protect the confidentiality and security of healthcare information, and to help the healthcare industry control administrative costs.
- Title I of HIPAA regulates the availability and breadth of group health plans and certain individual health insurance policies.
- Title II of HIPAA establishes policies and procedures for maintaining the privacy and the security of individually identifiable health information, outlines numerous offenses relating to health care, and establishes civil and criminal penalties for violations.
- Title III standardizes the amount that may be saved per person in a pre-tax medical savings account.
- Title IV specifies conditions for group health plans regarding coverage of persons with pre-existing conditions.
- Title V includes provisions on company-owned life insurance, covering employers that pay premiums on company-owned life insurance policies.
Health Information Technology for Economic and Clinical Health Act (HITECH)
- The HITECH Act was created to motivate the implementation of electronic health records (EHR) and supporting technology in the United States.
CAN-SPAM and Telephone Marketing Restrictions
- The CAN-SPAM Act, a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.
1. What is the Children’s Online Privacy Protection Rule?
Congress enacted the Children’s Online Privacy Protection Act (COPPA) in 1998. COPPA required the Federal Trade Commission to issue and enforce regulations concerning children’s online privacy. The Commission’s original COPPA Rule became effective on April 21, 2000. The Commission issued an amended Rule on December 19, 2012. The amended Rule took effect on July 1, 2013.
The primary goal of COPPA is to place parents in control over what information is collected from their young children online. The Rule was designed to protect children under age 13 while accounting for the dynamic nature of the Internet. The Rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. Operators covered by the Rule must:
- Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
- Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
- Provide parents access to their child's personal information to review and/or have the information deleted;
- Give parents the opportunity to prevent further use or online collection of a child's personal information;
- Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
- Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
2. Who is covered by COPPA?
The Rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children. It also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.
3. What is Personal Information?
The amended Rule defines personal information to include:
- First and last name;
- A home or other physical address including street name and name of a city or town;
- Online contact information;
- A screen or user name that functions as online contact information;
- A telephone number;
- A social security number;
- A persistent identifier that can be used to recognize a user over time and across different websites or online services;
- A photograph, video, or audio file, where such file contains a child’s image or voice;
- Geolocation information sufficient to identify street name and name of a city or town; or
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.