01. COLLECTION OF PERSONAL INFORMATION

Explains the term “personal information” and the legal framework governing the collection and handling of such data when a user population includes children.

1.1 What is personal information?

Any personally identifiable information about an individual; i.e. information that, alone or in combination with information from other sources, could lead to the identification of that person*:

  • Last name and first name
  • Physical address, including the name of the street, neighbourhood or city
  • Online contact information (e.g., email address, instant messaging ID)
  • Telephone number
  • Place and date of birth
  • Social insurance number
  • Audio, video or photographic documents containing the person’s likeness or voice
  • Geographic location information, including GPS data
  • Persistent identifiers, such as IP or MAC addresses, a cookie number, a unique device identifier for telephones and tablets, etc.
  • Data on the individual’s online activity, browsing history, bookmarks
  • Data created by the user or social networks, e.g. comments, reviews, “Likes,” Twitter feeds, interactions with customer-service pages

Information about an individual can be divided into two types of identifier:

  • Direct identifiers: last name and first name, social insurance number, photo or video, etc.
  • Indirect identifiers: date and place of birth, mother’s maiden name, school name, school board name, teacher’s name, etc.

*Beware of the risk of re-identification of anonymized data: discrete elements of information from several sources, when combined, can lead to creation of detailed profiles that can be used to identify someone.

1.2 What are metadata?

Metadata are data that lend meaning and context to other data. Often, this means usage statistics about your product, like the number of tries that it took a user to complete a level in a game.

Anonymized metadata, i.e. data stripped of direct and indirect identifiers, are not considered personal data. For example, you can use and analyze the city of residence of competition entrants as long as you dissociate it from the direct and indirect identifiers. Use of anonymized metadata does not require consent.

1.3 What is meant by “collection of personal information”?

This refers to all practices surrounding the handling of users’ personal data; in other words, the actual gathering of the data, but also use and storage as well as sharing and/or sale of the data with/to a third party.

Among Canada, the United States, the European Union (EU), France and Australia, only the United States has specific legislation governing the collection of personal information about children under 13 years of age.

Canada, the EU, France and Australia all deal with the issue of personal information under general-scope laws covering the entire population. Each of these laws applies to companies doing business in the respective territories.

CANADA

Personal Information Protection and Electronic Documents Act (PIPEDA)

Federal statute defining the rules for the personal information handling practices of private-sector organizations. Under PIPEDA, every private-sector company must obtain valid or meaningful consent to collect, use or share personal information. In addition, the company must notify any individual affected by the theft or loss of personal information, indicating whether there is a risk of harm (e.g. identity theft) and informing them of the safeguards they can apply. Furthermore, the company must report the incident to the Office of the Privacy Commissioner of Canada.

Companies must use clear and simple language to ensure that vulnerable Canadians, particularly children, fully understand the possible consequences of sharing their personal information online.

Careful! The Act does not apply to companies operating exclusively in a province that has essentially similar provincial legislation:

Additional information:

Office of the Privacy Commissioner of Canada:

Securing Personal Information: A Self-Assessment Tool for Organizations

Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps

UNITED STATES

Children’s Online Privacy Protection Act (COPPA)

Federal law that sets high standards for the protection of personal information about children collected online. Its goal is to enable parents to supervise personal information handling practices with respect to their children under 13 years of age.

It applies to products that collect personal information about U.S. children under 13 years of age, including collection by companies based outside the U.S. and products for use by the general public that include U.S. children aged under 13 among their users (i.e. the law casts a wider net than youth products).

  • If you know that you are collecting personal information about U.S. children under 13 years of age, you must obtain verifiable parental consent before beginning collection.
  • If you make any changes to the practices to which the parent has consented, you must notify the parent in a direct notice and again request their verifiable parental consent before resuming collection.
  • Upon request from a parent, you must be able to provide:
    • A description of the personal information collected about the child and a clear explanation of how it is used, stored and shared.
    • The opportunity to revoke consent, refuse any further use and collection of the child’s personal information, and have previously collected information deleted.

Additional information:

Federal Trade Commission (FTC): COPPA Rule: A Six-Step Compliance Plan for Your Business

FTC: Complying with COPPA: Frequently Asked Questions

FRANCE

Act on Information Technology, Data Files and Civil Liberties

Law defining the principles with which companies must comply when collecting, handling and storing personal information. It covers companies that do business in France or conduct data processing there.

Before collecting any personal information online, you must make a declaration stating each purpose for which personal data is processed to the Commission nationale de l’informatique et des libertés (CNIL). This must be validated by issuance of a registration number to be posted on your website along with contact information for the department that will be handling the data.

This law forbids collection by illegal means. For example, cookies may only be installed on a user’s browser if they agree to it beforehand (opt-in basis).

Additional information: Commission nationale de l’informatique et des libertés

EUROPEAN UNION

Directive on Protection of personal data

Directive on Privacy and Electronic Communications

These directives frame privacy protection for residents of the EU and cover companies that do business in one or more EU Member States.

Safe Harbor Framework: This is a joint U.S.–EU program under which U.S. companies are required to comply with European confidentiality principles when handling European data. It does not apply to Canadian companies because the EU considers Canada’s legal framework for privacy protection to be compatible with its own framework.

Additional information: Handbook on European Data Protection Law

AUSTRALIA

Privacy Act

Federal law, general in scope, on the protection of personal information as it affects companies engaged in business activities in Australia. It states that a company must have an easily accessible privacy policy that explains its overseas data disclosure practices.

Additional information: Office of the Australian Information Commissioner: Privacy law reform

Apple App Store

The App Store has a Kids section featuring applications for young users. Developers wishing to distribute apps through that section of the store must comply with specific rules, including:

  • Incorporating a mechanism allowing the user to provide their date of birth so as to comply with COPPA
  • Obtaining parental consent or using a parental gate before allowing the user to link out of the app and/or engage in commerce

Amazon Appstore

Amazon rates the applications in its Appstore using a number of parameters to define appropriate ages for each. Various criteria serve to safeguard children’s privacy: for example, apps rated “All Ages” cannot collect personal information or use location data.

Apps for children aged under 13 cannot link to the Amazon Mobile Ad Network because it uses behavioural advertising, which is forbidden under COPPA.

Google Play store

Google Play uses a content-based applications rating system. A number of child privacy safeguards have been implemented; for example, an app that can be used to locate a user cannot be rated for “Everyone.” These instructions apply to all of an app’s content, including user-generated content and embedded ads.

This backgrounder does not address self-regulation since the collection of personal information is an area well covered by legislation.

  • Prefer a transparent approach: post a privacy policy even if you do not collect any personal information.
  • Do not require users to provide any more personal information than is necessary to take part in an activity. For example, if possible, give children the option to not identify themselves and/or use an alias.
  • Make sure your privacy policy is visible and easily accessible: use a large typeface and/or a contrasting colour.
  • Ensure your privacy policy is up to date, and provide clear, concise explanations of your personal data collection and handling practices. Avoid legal jargon and superfluous information.
  • Your privacy policy should provide the names of any third parties that collect personal information using your product.
  • Periodically review the personal information handling practices of service providers and third parties with whom you share data.
  • Although you are not required to obtain parental consent to use anonymized metadata, we do recommend that you explain this practice transparently in your privacy policy.
  • Obtain parental consent before beginning collection. Provide parents with a link to your privacy policy to help them provide informed consent.
  • Use personal information solely for the purposes for which parental consent has been secured.
  • Avoid collecting precise location data on the child. If such data are necessary for your product to function, explain to parents why this is so and for what purposes location data will be collected, and obtain verifiable parental consent.
  • Help the child understand what will be done with their personal information; for example, if the product is about to use the location data, a symbol can be activated to alert the user to what is happening.
  • You must be able to provide access to the personal information collected about a child to parents who request it. Explain the procedure for doing so in your privacy policy.
  • Notify parents of any changes you make to your personal information handling practices.
  • Implement procedures to protect the confidentiality, security and integrity of the personal information that you store. In the event that the data are compromised, notify parents and explain what actions you are taking to remedy the situation.
  • Delete all data that you no longer need.

MOBILE

  • Inform users of the data required by the application and explain why they are required.
  • Post a simple, clear notice explaining how the personal information will be used.
  • Obtain the user’s consent when the application is first launched: present the notice in a dialogue box prompting the user to agree to the conditions before using the app:
[Images 1 & 2]
  1. NO: The information is hidden in the EULA (End-User Licence Agreement). The user has to scroll far enough to find it.
  2. YES: The information is presented up front, transparently and clearly. The user doesn’t have to go looking for it.
  • Make sure the information on collection of personal information remains available in the privacy policy and/or easily accessible via a link on the home screen or the section reserved for parents.
  • It is your obligation and responsibility to understand users’ rights and comply with local laws wherever your product is available via an online app store.
[Images 3 & 4]
  3. NO: Explains how the app uses the information, but doesn’t state clearly how it will be used and why it will be collected.
  4. YES: Clearly states why the app must access personal information, how it will be used, and why.

**Images from Android Developer Console Help
