08. COLLECTION AND USE OF DATA GENERATED IN SCHOOL SETTINGS

This backgrounder concerns products destined exclusively for the educational market. For commercial products, refer to Backgrounder Collection of Personal Information.

1.1 What are some of the particularities of the educational market?

Of Canada, the United States, the European Union, France and Australia, the United States is currently the sole country with federal and state legislation (FERPA and COPPA) governing the handling of student personal information. If your educational product is not marketed in the United States, refer to the backgrounder on the collection of personal information.

1.2 What is an EdTech product?

Current U.S. legislation identifies two categories of EdTech (educational technology) products:

  1. Formal: educational material developed based on a curriculum and sold to schools on a contractual basis. Any student information collected therein is solely for the school’s use and benefit.
  2. Informal: educational material developed in whole or in part based on the learning objectives of a curriculum. Distributed to the general public through various business models, these products can also be used in the classroom. How the information collected through such platforms is used remains at the producer’s discretion.

1.3 The notion of consent with regard to educational data mining

In an educational setting, schools are advised to obtain parental consent as soon as the collection of personal information is involved. Teachers can send parents an explanatory note describing the application they wish to use. Parents could then be asked to register their child online, which would give them the opportunity to review the producer’s privacy policy. However, it must be remembered that in Canada, there is no law obliging educational institutions to take this approach.

*In the United States*: For “formal” products, schools can act on parents’ behalf and consent to the collection of personal information, since the data collected is solely for the school’s use and benefit. For “informal” products, parental consent must be obtained.

Among Canada, the EU, France, Australia and the United States, the United States is the sole country with specific legislation governing the management of personal information collected from students.

Canada, the EU, France and Australia all deal with the issue of student privacy under more general laws governing the protection of personal information:

United States

  1. Family Educational Rights and Privacy Act (FERPA)

The FERPA is a federal law that protects the personally identifiable information of students who attend federally funded schools.

For “formal” educational products, schools can act on parents’ behalf and consent to the collection of personal information from students, since the data gathered is solely for the school’s use and benefit. The FERPA requires schools to maintain direct control of any information they share with a producer. Ensure that the data you store can be easily accessed at all times.

Additional information: U.S. Department of Education. Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices

  2. Children’s Online Privacy Protection Act (COPPA)

COPPA is a federal law that governs the online collection of information about children. It applies to products that collect personal information about U.S. citizens under 13 years of age in a private or educational context, even if the company in question is based outside of the U.S.

Schools cannot grant consent on the parent’s behalf for “informal” educational products. For example, should a teacher want students to use a virtual world in a school project, he or she must obtain verifiable parental consent for each student.

Additional information: Federal Trade Commission: Complying with COPPA: Frequently Asked Questions

See Backgrounder Collection of Personal Information

Apple App Store

The Volume Purchase Program (VPP) provides educational institutions with flexible distribution options.

Google Play

*In March 2015, Google Play for Education was available in Canada, the United States and England.

Google Play for Education, a service available to primary and secondary schools, offers teacher-approved educational content categorized by subject and level.

Apps must meet certain criteria to be part of the selection. For details.

In the United States, various pledges issued by the EdTech industry demonstrate its commitment to protecting the confidentiality and security of personal information collected from students.

  • In an educational setting, teachers can act as parents’ agents and provide consent for applications they wish to use in the classroom. To keep communications with parents transparent, post a clear, detailed, up-to-date and easily accessible privacy policy explaining your personal data collection and handling practices.
  • Limit your collection of personal information to the requisite minimum. For example, if possible, offer students the option of registering under an alias rather than their first and last names.
  • Limit your use of data to the purposes for which consent has been secured, and store the data for only the minimum amount of time necessary.
  • Parents who request it must be allowed to access the personal information collected about their child; you must also honour their right to revoke their consent for future collection.
  • It is your responsibility to ensure that any tracking tools embedded in your product are acceptable. For example, behavioural advertising is prohibited under FERPA and COPPA as well as in products aimed at the Québec market.
  • *United States*: many states have their own laws regarding the protection of student information. Be sure to remain abreast of local regulations.
  • *United States*: The legal definition of “personal information” can vary. Different obligations and restrictions apply to “personally identifiable” and “aggregated” data.


07. THIRD-PARTY AUTHENTICATION

Explains identification through third-party websites and the ethical questions this raises for youth production.

1.1 What is identification through a third-party website?

It’s when a digital platform wholly or partly delegates the user authentication process to a third party. For example, users who download your application are offered the option of signing in through their Facebook account and thereby skipping the registration process. Simplified authentication of this kind is offered by most mainstream social networks like Facebook, Google+ or Twitter.

1.2 Identification of children through third-party websites

While third-party authentication can be convenient for the user and of interest to the owner of a platform, the practice raises ethical questions when it comes to youth production.

The regulatory framework is designed to protect children who do not necessarily understand all the risks and issues associated with the collection and use of their personal information. To comply with this framework, most mainstream social networks prohibit users under 13 years of age from opening accounts. However, a number of studies have shown that young people regularly lie about their age in order to create a profile.

The United States addresses the question of third-party authentication in the Children’s Online Privacy Protection Act (COPPA).

UNITED STATES

Children’s Online Privacy Protection Act (COPPA)

Federal law to protect personal information about children collected online. COPPA applies to products that collect personal information from U.S. children under 13 years of age, including collection by companies based outside the U.S.

COPPA applies equally to social media. If your target audience is exclusively within the “under 13 years of age” group, integrating authentication through a public social network into your platform is strongly discouraged.

Additional information: Federal Trade Commission: Complying with COPPA: Frequently Asked Questions

Apple App Store

Applications that propose using an existing account for user authentication must have a privacy policy.


The major Canadian self-regulatory organizations do not mention third-party authentication.

  • You can integrate registration through a third-party website if your platform is designed for preschoolers (0–5) and the parent is required to register in order to supervise or monitor their child or make recommendations related to their child’s profile (for example, monitoring the child’s progress through a learning website).
  • If your platform exclusively targets users under 13 years of age, do not integrate third-party authentication or registration through mainstream social networks.
  • If your platform partially targets users under 13 years of age, install an age-screening mechanism. This lets you only offer third-party authentication to users over 13 years of age.
  • If your target audience is in the “6–12 years of age” group and you integrate authentication through a social network (which is prohibited for minors under 13 years of age), you’re sending parents an odd message. Indirectly, you’re encouraging your users to create a profile on platforms that they are prohibited from accessing. This positions you in conflict with regulations designed to protect children.


06. PERSONALIZATION AND PROFILING

Explains the issues related to personalization and profile creation in youth production.

1.1 What do “personalization” and “profiling” mean?

Personalization is a broad term encompassing the features that let users adjust items to their tastes and preferences — for example, choosing their page colour, creating an avatar, filling in a free text field, selecting a profile photo, saving links, etc.

Personalization data are what let children create online profiles (avatars) or manage personal spaces according to their preferences (“My home page”).

Be careful when personalization enables personal information to be publicly shared. For example, in the “About you” field on a personal page that other users can view, a child might be tempted to disclose personal information that identifies her/him. To protect users who are children, you must be attentive to this and regulate your personalization options.

1.2 What aspects of profile creation require particular attention?

Creating a user profile can involve personal information. The golden rule is to limit the collection of personal information to the minimum necessary to provide your service. For example, during registration, it’s better to ask for an alias (username) rather than someone’s real name. Click here for details on registering through third-party sites (e.g. Facebook Login).

It is also essential to link profile creation and personalization to privacy policies and the protection of personal data. In this sense, parents should be informed of these practices and asked to provide their consent, especially when such practices target sites or applications aimed at users under 13 years of age. For users aged 13 and up, the personalization and profile creation processes can be considered as similar to those authorized for social networks.

Personalization and profile creation both affect the protection of personal data. For more information on this topic, click here.

UNITED STATES

Children’s Online Privacy Protection Act (COPPA)

Federal law to protect personal information about children collected online. COPPA applies to products that collect personal information from U.S. children under 13 years of age, including collection by companies based outside the U.S.

Under COPPA, you cannot ask a child for more information than what is required to take part in the activity. Ensure that the information requested for profile creation is “reasonable.”

COPPA holds you responsible for all personal information collected through your platform. This includes information that you request from the child as well as data collected inadvertently — for example, personal information revealed while filling out fields. Ensure that children share no personal information for which you have not obtained verifiable parental consent.

Additional information:

Federal Trade Commission: COPPA Rule: A Six-Step Compliance Plan for Your Business

Collection of Personal Information

CANADA, EUROPEAN UNION, FRANCE & AUSTRALIA

Personalization and profile creation both affect the protection of personal data. For more information on this topic, click here.

Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)

Getting Accountability Right with a Privacy Management Program

European Union: Directive on Privacy and Electronic Communications

Handbook on European Data Protection Law

France: Act on Information Technology, Data Files and Civil Liberties

Commission nationale de l’informatique et des libertés (CNIL)

Australia: Privacy Act

Office of the Australian Information Commissioner: Privacy law reform

Apple App Store

An application cannot require users to provide personal information in order to use it.


Personalization and profile creation are not covered by any self-regulatory programs. Users can rely on the regulation in effect.

  • When your website or app requires personalization or profile creation, make sure you obtain parental consent and clearly indicate these practices in your privacy and personal information protection policies.
  • Consider how you will present your profile section in terms of your audience’s maturity (e.g. creating a parent’s login, the information to which parents have access, whether this access is total or partial, etc.).
  • If possible, allow users to enjoy your platform without requiring them to create a profile (optional registration).
  • When profile creation is required for your operations, explain why. For example: “This lets us save your game progress.”
  • During creation of the profile and/or in personalization areas, post a reminder specifying the kinds of information users must not disclose.
  • Install preventive mechanisms to avoid having children publicly disclose personal information. For example:
    • Offer a tool for generating usernames.
    • Replace free text fields by drop-down menus with pre-selected options.
    • Block numbers on the keypad to prevent having the street address and/or phone number revealed.
    • Implement verification measures to clear all personal information before the user submits the data online.
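
The preventive mechanisms listed above (a username generator, blocking digits, and clearing personal information before a submission is accepted) can be combined in one server-side check. The following is an added example, not code from the original backgrounder; the word lists, the `[removed]` placeholder, the function names and the patterns are assumptions chosen for illustration and would need tuning per language and market.

```python
import random
import re

# Constructed word lists: aliases built from these contain no real-world identity.
ADJECTIVES = ["Brave", "Sunny", "Quick", "Clever", "Jolly", "Mighty"]
ANIMALS = ["Otter", "Falcon", "Panda", "Turtle", "Lynx", "Beaver"]
PLACEHOLDER = "[removed]"

# (category, pattern) pairs, applied in this order. Illustrative patterns only.
PATTERNS = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("street_address", re.compile(
        r"\b\d{1,5}\s+(?:[A-Za-zÀ-ÿ'’.-]+\s+){0,3}"
        r"(?:street|st|avenue|ave|road|rd|boulevard|blvd|rue|drive|dr|lane|ln)\b",
        re.IGNORECASE)),
    # Seven or more digits, optionally separated by spaces, dots, dashes, parentheses.
    ("phone", re.compile(r"\+?\d(?:[\s().-]*\d){6,}")),
]


def generate_username(rng=None):
    """Offer an alias so the child never has to type a real name."""
    rng = rng or random.SystemRandom()
    return f"{rng.choice(ADJECTIVES)}{rng.choice(ANIMALS)}{rng.randrange(10, 100)}"


def screen_profile_text(text, allow_digits=True):
    """Redact likely personal information from a free-text profile field.

    Returns (clean_text, findings), where findings is a sorted list of the
    categories that were redacted. With allow_digits=False, any digit left
    after redaction is dropped as well, which is the server-side counterpart
    of blocking numbers on the keypad.
    """
    findings = set()
    for category, pattern in PATTERNS:
        text, count = pattern.subn(PLACEHOLDER, text)
        if count:
            findings.add(category)
    if not allow_digits:
        text, count = re.subn(r"\d", "", text)
        if count:
            findings.add("digits")
    return text, sorted(findings)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(generate_username())
    for sample in ("I love soccer and drawing",
                   "Call me at 514-555-0142 or write zoe@mail.example",
                   "I live at 123 Maple Street"):
        print(screen_profile_text(sample))
```

A non-empty findings list is also a useful signal for showing the reminder about what not to disclose before the child resubmits.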


05. ONLINE BEHAVIOURAL ADVERTISING

Explains online behavioural advertising and profiling.

1.1 What is online behavioural advertising?

It’s the collection of tracking data through tracking tools that record users’ online activity and habits through time and across non-affiliated websites. The data gathered are used to infer the user’s preferences with a view to showing them ads that may interest them (known in the industry as “interest-based ads”). Such practices allow companies to deliver advertisements or content they believe to be more relevant to the user.

Online behavioural advertising raises ethical questions since the data on which it is based are often collected without the user’s knowledge.

1.2 Profiling

Profiling consists of aggregating data from various sources (tracking tools) to build a user profile. Tracking data are combined with other types of information to create detailed profiles. Two elements make profiling possible: the persistent identifier that’s part of the device’s unique identifier; and the tracking tools that recognize a user through time and across websites. The more third-party cookies there are on sites visited by the same user, the more detailed that user’s profile will be.

Profiling is one of the cornerstones of digital marketing. It is used to detect market trends as well as for behavioural advertising.

Apart from the province of Québec, most countries monitor advertising through self-regulatory programs. However, since behavioural advertising is based on collecting user data, it is also covered by laws that govern the protection of personal information.

CANADA

Personal Information Protection and Electronic Documents Act (PIPEDA) — Policy Position on Online Behavioural Advertising

Federal statute defining the rules for the personal information handling practices of private-sector organizations in the course of commercial activities. The Policy Position on Online Behavioural Advertising represents the application of PIPEDA to the collection and use of data for the purposes of online behavioural advertising.

PIPEDA considers data collected for such purposes to be personal information. Accordingly, you must obtain valid or meaningful consent to collect such data; you must also give the user a chance to opt out. PIPEDA does not refer to specific age thresholds for providing consent, but underscores that practices need to correspond to the user’s cognitive and emotional development.

Children’s personal information should not be tracked for the purposes of behavioural advertising. This practice is deemed inappropriate, since children cannot be expected to understand or appreciate the issues associated with tracking their data and are thus unable to provide meaningful consent. Simply put, platforms aimed at children should avoid including any third-party tracking technologies.

**QUÉBEC: Consumer Protection Act

Québec’s Consumer Protection Act prohibits commercial advertising directed at children aged under 13, regardless of the platform, barring certain exceptions prescribed by regulation. Accordingly, it is prohibited to use data from Québec children under 13 years of age for the purposes of behavioural advertising. This prohibition is also applicable to companies based outside the province. For more information about advertising directed at children in Québec, click here.

Additional information:

Office of the Privacy Commissioner of Canada: Policy Position on Online Behavioural Advertising

Consumer Protection Act – Advertising Directed at Children Under 13 Years of Age

UNITED STATES

Children’s Online Privacy Protection Act (COPPA)

Federal law that governs the online collection of information about children. It applies to products that collect personal information about U.S. children aged under 13, even if the company in question is based outside of the U.S.

COPPA does not consider behavioural advertising necessary to supporting internal operations. Consequently, if you and/or a third party collect data for the purposes of behavioural advertising, you must obtain verifiable parental consent before starting collection. Furthermore, you must clearly outline your practices linked to behavioural advertising in your privacy policy.

Seek COPPA-compliant services. For example, mobile apps can use the “kid-safe” marketing platform SuperAwesome as well as the analytics services Flurry and PreEmptive Solutions.

*The U.S. self-regulation program Your AdChoices is similar to its Canadian counterpart AdChoices.

Additional information:

Federal Trade Commission: COPPA Rule: A Six-Step Compliance Plan for Your Business

Your AdChoices

EUROPEAN UNION & FRANCE

Directive on Protection of personal data and Directive on Privacy and Electronic Communications

These directives frame privacy protection for citizens of the European Union and cover companies that do business in one or more EU Member States.

With the exception of cookies that are used to facilitate navigation (e.g. user authentication, content personalization, shopping carts), any use of tracking tools requires the user’s consent. You must also offer the option of refusal. Information about the use of tracking tools along with the right to refuse should be offered the first time the user connects and cover future use.

Additional information:

European Union Agency for Fundamental Rights, Handbook on European Data Protection Law

Your Online Choices: A guide to online behavioural advertising

AUSTRALIA

Privacy Act

Federal law, general in scope, on the protection of personal information as it affects companies engaged in business activities in Australia. If you collect personal information using a tracking tool, you must inform the user (a notice on the home page is sufficient) and explain what the information is used for in your privacy policy.

Additional information: Office of the Australian Information Commissioner, Privacy fact sheet 4: Online behavioural advertising – know your options

Apple App Store

Apps in the Kids Category may not use behavioural advertising.


Google Play

Apps cannot include features that track user behaviour or incite the user to click them inadvertently. These must be clearly identified at all times by an icon and accompanying notification.


The Digital Advertising Alliance of Canada (DAAC)


Consisting of Canadian advertising and marketing trade associations, the DAAC is a national self-regulation program launched to increase consumer understanding of online behavioural advertising. Its proposed system is based on the opt-out mechanism. Under this system, the AdChoices icon appears near an ad whenever data is collected and/or used for behavioural advertising purposes. By clicking on the icon, users can see the name of the company collecting the data, a description of its usage practices and a link to a consumer opt-out page.

The DAAC advises its members not to use tracking tools or any other means to collect personally identifiable information from children known to be under 13 years of age for the purposes of behavioural advertising.

Additional information:

Canadian Self-Regulatory Principles for Online Behavioural Advertising

Advertising Standards Canada

Unless authorized by law, advertisers cannot disclose personal information collected from children to any third party without first obtaining parental consent. The exception to this is third parties who support the platform’s internal operations and neither use nor disclose personal information for any other purposes.

Additional information: Interpretation Guideline # 2 – Advertising to Children

Canadian Marketing Association

Marketers must not participate in the use of behavioural advertisements that knowingly or directly target websites aimed mainly at audiences under 13 years of age, nor do so through a third party, except in situations where a parent or legal guardian grants their explicit consent.

Additional information: Code of Ethics and Standards of Practice, see section K. Special Considerations in Marketing to Children

  • If possible, avoid integrating third parties who collect information for behavioural advertising purposes.
  • Before allowing third-party cookies to be placed on your site, review the terms of service and privacy policy of the party in question to ensure that its practices meet your requirements.
  • Be transparent about your behavioural advertising practices: contact parents and notify them using clear and simple language when collecting tracking data — for example, with a banner or interactive tool.
  • Give parents the choice to opt out of behavioural advertising without preventing their children from accessing your platform. The opt-out must take effect immediately and apply to future connections.
  • If appropriate, use your privacy policy to explain your practices with regard to behavioural advertising and explain the roles of the various parties involved.
  • Periodically review the terms of service and privacy policies of any third-party services on your platform.
  • **Québec: All advertising directed at children under 13 years of age is strictly prohibited in Québec, barring certain exceptions prescribed by regulation. This should factor into your decision to host an advertising network on your platform.


04. USAGE ANALYSIS AND TRACKING DATA

Explains usage analysis, tracking data and tracking tools.

1.1 What is “usage analysis”?

It’s when data collected from users and generated by their interactions with your platform are analyzed based on specific objectives like assessing the platform’s effectiveness, quantifying usage with statistical reports, personalizing the user experience or optimizing marketing efforts.

Different data will be harnessed based on the analysis to be performed: personal information provided by the user, data from user interactions with the platform or other data collected by web analytics tools like Google Analytics or Flurry.

1.2 What are “tracking data”?

These are data that track user activity through time and across platforms, thus enabling in-depth analysis. For example, by analyzing a user’s browsing history, content can be personalized according to their preferences. Tracking data are collected through the device’s unique identifier or via tracking (monitoring) tools. Below are the most common:

  • Cookies (also called web cookies, browser cookies or HTTP cookies): small encrypted text files placed by a website on a user’s hard drive that let the website identify the user and track the browsing history. A given website can have different kinds of cookies. First-party cookies come directly from the publisher’s domain, whereas third-party cookies come from other domain sources (e.g. an advertising network or web analytics service) and are embedded in the actual page the user is visiting.
  • Web beacons (also known as web bugs, pixel tags or clear GIFs): typically a transparent graphic image coded into a web page. Web beacons monitor the user’s journey through a single website or series of sites and can be used in combination with cookies.

The device’s unique identifier and the tracking tool both have a persistent identifier that identifies a user through time and across platforms.

Apart from the United States, usage and user activity analyses are fairly unregulated. In general, the explanation provided in your privacy policy on how you use the data collected, including tracking data, is sufficient. The use of tracking tools is restricted by law in certain countries.

CAREFUL!! Click here for information on profiling for behavioural advertising.

CANADA

Personal Information Protection and Electronic Documents Act (PIPEDA)

Federal statute defining the rules for the personal information handling practices of private-sector organizations in the course of commercial activities. You must obtain valid or meaningful consent to collect, use or share personal information, regardless of the collection technology used.

Canada’s Anti-Spam Legislation (CASL)

Federal law establishing the regulatory framework for the sending of commercial electronic messages and the installation of computer programs as part of business activities. It is prohibited to install software on a user’s computer system without obtaining their consent. However, you do not need consent to install a cookie, HTML code or JavaScript.

Additional information:

Office of the Privacy Commissioner of Canada: Securing Personal Information: A Self-Assessment Tool for Organizations

Canada’s Anti-Spam Legislation

UNITED STATES

Children’s Online Privacy Protection Act (COPPA)

Federal law to protect personal information about children collected online. COPPA applies to products that collect personal information from U.S. children aged under 13, including collection by companies based outside the U.S.

You are responsible for all personal information collected through your platform, including any collection by third parties. Because of this, you must choose services that comply with COPPA. For example, on mobile platforms, the SuperAwesome advertising network and analytics tools Flurry and PreEmptive Solutions are COPPA-compatible.

If the persistent identifier is the only personal information collected and is needed to support the platform’s internal operations, you do not have to seek verifiable parental consent. COPPA defines “internal operations” as the activities necessary for:

  • Maintaining or analyzing the functioning of the site or service
  • Performing network communications
  • Authenticating users or personalizing content
  • Issuing and/or capping the frequency of contextual advertisements
  • Protecting the user’s security or integrity
  • Ensuring legal or regulatory compliance
  • Fulfilling a request from a child

If you and/or a third party use a persistent identifier for purposes other than to support internal operations (for instance, for behavioural advertising), you must obtain verifiable parental consent prior to collection and provide a clear explanation of your practices in the privacy policy.

Additional information:

Federal Trade Commission: COPPA Rule: A Six-Step Compliance Plan for Your Business

FRANCE & THE EUROPEAN UNION

Directive on Protection of personal data and Directive on Privacy and Electronic Communications

These directives frame privacy protection for residents of the European Union and cover companies that do business in one or more EU Member States. France’s Act on Information Technology, Data Files and Civil Liberties is based on these directives.

Tracking tools are authorized provided you obtain the user’s consent and offer them the option to refuse. Information on the installation of tracking tools along with the right to refuse should be offered the first time the user connects and cover future use. You are also responsible for the collection of information by third-party cookies.

Cookies that facilitate navigation (e.g. user authentication, content personalization, shopping carts) constitute an exception: they do not require consent.

Additional information:

European Union Agency for Fundamental Rights, Handbook on European Data Protection Law

Act on Information Technology, Data Files and Civil Liberties

AUSTRALIA

Privacy Act

Federal law, general in scope, on the protection of personal information as it pertains to companies that do business in Australia.

If you collect personal information using a tracking tool, you must inform the user — a notice on the home page is sufficient — and explain what the information is used for in the privacy policy. Consent is not required.

Additional information: Office of the Australian Information Commissioner, The Privacy Act

Amazon Appstore

The app distribution agreement states that Amazon reserves the right to “modify and add to your Apps so that we can collect analytics.”

Additional information: Amazon Appstore App Distribution Agreement

The Digital Advertising Alliance of Canada

This organization advises its members not to use tracking tools or any other means to gather data liable to be used for behavioural advertising with children known to be under 13 years of age.

Additional information on Canadian self-regulatory principles for online behavioural advertising

  • If your practices involve the collection of personal information and/or tracking data, explain how they apply to usage and activity analyses in your privacy policy.
  • Provide users with clear notification if your platform uses tracking tools.
  • A banner on the home page specifying that the site uses cookies, providing a clickable link to the privacy policy and specifying that continued navigation will be taken as the user’s consent to the use of cookies.

  • Offer parents the right to refuse consent to the use of tracking tools.
  • The means used to communicate with parents and offer the right to refuse consent should be as user-friendly as possible.
  • Be transparent regarding your use of tracking tools: on your privacy policy, describe your information collection practices and provide the names of third-party operators who use tracking tools through your platform.
  • Keep the number of tracking tools on your platform to a minimum.
  • If you accept plug-ins (additional software), verify whether they incorporate tracking technologies. If so, draw up agreements to restrict the collection of tracking data.
  • Periodically review the terms and conditions of service and the privacy policies of any third parties on your platform to ensure that their practices meet your requirements.
  • Careful!!! If you use tracking data for the purposes of profiling and/or behavioural advertising, be sure to consult our backgrounder on this topic.


03. PRIVACY POLICY

Explains what a privacy policy is and what it must include.

1.1 What is a privacy policy?

A privacy policy is a legal document whose purpose is to inform your users about your personal information collection and protection practices. Having a privacy policy that’s easy to find, uses clear and comprehensible language and is transparent about personal information handling practices is an excellent means for a youth enterprise to gain parental trust.

1.2 What information should a privacy policy include?

Your privacy policy should clearly lay out your practices concerning how you handle personal information (collection, tracking tools, usage, sharing, protection, storage, deletion, etc.). The challenge lies in presenting this mass of information concisely and in terms simple enough for the average consumer to read and understand.

While there is no one universal approach, your communication style must be appropriate to your audience and the nature of your platform. For youth production professionals, this could mean adapting your level of language (i.e. avoiding legal jargon) and limiting the information you provide to only what is strictly necessary (i.e. excluding superfluous information).

See our recommendations for more on what your privacy policy should contain.

1.3 Where should the privacy policy be posted?

Privacy policies are generally posted on the home page. For mobile apps, if the distribution platform allows this, you can include a link to your privacy policy on your product description page. This shows transparency, since you are enabling parents to consult your policy before downloading your app. You can also post it in a dialogue box that appears when users visit for the first time.

Regardless of the platform, the privacy policy must be easy to find: users shouldn’t have to go looking for it.

The privacy policy is a universal tool that works in tandem with parental consent for the collection of personal information. Producers must assume that the user’s consent rests on their full understanding of the information contained in the policy. Every country requires websites that collect personal information to post a privacy policy; however, the United States imposes stricter requirements as to what the policy must include.

UNITED STATES

Children’s Online Privacy Protection Act (COPPA)

Federal law to protect personal information about children collected online. COPPA applies to products that collect personal information from U.S. children aged under 13, including collection by companies based outside the U.S.

Under COPPA, your privacy policy must be clear and easy to read. The policy must feature on the home page and in each section where personal data is collected. Links to your privacy policy must be readily apparent (a link in small font at the bottom of the page is not considered “apparent”). Your policy cannot include promotional materials.

The contents of a COPPA privacy policy are divided into three main categories:

  • The contact information of third parties who collect personal information through your platform
  • A description of the personal information you collect and how you use it
  • A description of parents’ rights and the procedures to follow to exercise these rights

For details on what to include in a COPPA privacy policy, see our recommendations.

Additional information:

Federal Trade Commission: COPPA Rule: A Six-Step Compliance Plan for Your Business

iubenda: service for generating COPPA-compliant privacy policies

CANADA, EUROPEAN UNION, FRANCE & AUSTRALIA

All of these countries require you to post a clearly intelligible privacy policy describing your personal information handling practices.

Additional information per country:

Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)

Office of the Privacy Commissioner of Canada, Getting Accountability Right with a Privacy Management Program

Office of the Privacy Commissioner of Canada, Mobile – Good Privacy Practices for Developing Mobile Apps

France: Act on Information Technology, Data Files and Civil Liberties

Commission nationale de l’informatique et des libertés (CNIL), Rights and Obligations

European Union: Directive on Privacy and Electronic Communications

European Union Agency for Fundamental Rights, Handbook on European Data Protection Law

Australia: Privacy Act

Office of the Australian Information Commissioner: Privacy law reform

Apple App Store

Apple requires apps in the Kids Category to display a privacy policy that complies with applicable local children’s privacy laws.

Additional information

Amazon Appstore

If you and/or any third party plug-ins or services you use collect personal information, you must provide legally adequate privacy notices.

Additional information

Google Play

Google asks you to publish a disclosure informing users what information the app would like to access and how such information will be used.

Ensure that users are aware of this by putting your disclosure in a prominent place. Display your disclosure in an End User License Agreement (EULA) so that the user can provide their consent at first launch. The disclosure should be clear and succinct and displayed in a modal window that asks the user to consent to the terms before using the app.

Additional information

  • The privacy policy is a legal document: consult a professional to ensure that your policy adequately covers your platform.
  • The privacy policy must cover the following:
    • Your company’s contact information
    • A description of the types of data collected and the methods used to collect them (e.g. children’s information, use of cookies, etc.)
    • The reasons why you collect information
    • How the information will be applied (e.g. used to inform contest winners)
    • How the information will be safeguarded
    • How long you intend to store the information
    • Practices from which the user can withdraw (e.g. behavioural advertising)
    • For data shared with third parties:
      • Type of business or service (e.g. web analytics)
      • The third party’s use of the data gathered
  • *COPPA policies must also include:
    • A complete list of all third parties who collect personal information through your platform, including contact information (address, telephone number, email)
    • A description of parents’ rights and the procedures to follow to exercise them. These rights stipulate that:
      • The child will not be asked to provide more data than is reasonably required to participate in an activity.
      • Parents can consult the data collected on their child, ask to have them deleted and refuse future collection.
      • Parents can agree to have their child’s data collected and used but withhold their consent to have the information shared with third parties.
  • Find ways of encouraging users to consult your policy. For example, use illustrations that convey the essentials of your privacy parameters, with a link to detailed explanations.
  • You should still post a privacy policy even if you do not collect personal information.
  • Ensure that your privacy policy is easily accessible from your home page or home screen.
  • Though the information it contains should be presented as concisely as possible, your privacy policy can also be used to share any other specifications about user information. For example:
    • Though metadata do not qualify as personal information, you can include an explanation of how you use them.
    • Indicate whether your platform allows children to make information publicly accessible — a particularly crucial consideration for sites with community features like bulletin boards, forums, chat rooms or text fields to be filled in (e.g. “Describe your character”).
    • Explain how users can access the personal information you have about them.
  • Periodically check your personal information handling practices to ensure they continue to align with your privacy policy.
  • Transparency in personal information practices is a dynamic process that doesn’t stop once the privacy policy has been posted. Update your policy as needed.
  • Include the date of the most recent update at the end of the policy.
  • Find ways of informing users of any updates to your privacy policy.

***MOBILE***

  • For ease of reading on the small screen, draft your policy using a layered or “tiered” approach, stating the most essential information up front with links leading to the specifics.


02. PARENTAL CONSENT

Introduces and explains the concept of “consent.”

1.1 What is consent?

Consent essentially consists of granting permission. Under the law, for consent to be valid or meaningful, it must result from an informed decision based on the person’s full understanding of why their consent is being requested.

The ability of children to provide meaningful consent depends greatly on their level of cognitive and emotional development. It can be unrealistic to expect a child to understand the complexities and potential risks associated with certain online practices. Accordingly, in some cases it may be preferable to obtain valid consent through an authorized person like a parent or legal guardian.

1.2 Types of consent and ways of obtaining it

Consent falls into two main categories:

  • Express (explicit): the user grants consent explicitly through a specific action (e.g. an electronic signature) that indicates their understanding of what they are consenting to.
  • Implicit (tacit): when consent may be reasonably inferred from the circumstances of a particular situation, relationship or transaction. For example, consent can be implied from an existing business relationship with the user.

There are various mechanisms for obtaining consent, based on the situation:

  • Positive (opt-in): a specific action on the part of the user to express positive agreement to the identified purpose (e.g. “If you agree to let your child participate in our contest, check this box.”)
  • Negative or passive (opt-out): a specific action on the part of the user to express non-agreement to the identified purpose (e.g. “Your child would like to enter our contest. If you do not consent to this, check the box.”)

1.3 What is parental consent?

Parental consent is when the parent or legal guardian provides the producer or operator with the authorization needed to allow the child to engage in certain activities.

When is it required? While regulations can vary between countries, parental consent is rarely required by law. However, the law often encourages producers to seek parental consent for anything involving the collection of personal information.

1.4 What is “verifiable” parental consent?

Verifiable parental consent aims to have the producer adopt measures that are reasonably calculated to ensure that the person providing the consent is indeed the child’s parent. One such measure is to have parents call a telephone number staffed by trained personnel.

1.5 What is direct notice to parents?

Direct notice is when the producer contacts the parent, normally through the email address provided by the child. Direct notices are used for various reasons, but generally to seek parental consent or to inform parents of changes to practices to which parents have previously consented.

1.6 The right to revoke consent

Parents have the right to revoke their consent. Doing so prevents the future collection and use of personal information and in some cases, allows previously collected information to be deleted.

In the digital space, the notion of consent is most commonly linked to personal information handling practices and online transactions. For more information on the regulatory framework governing online consent, consult backgrounders Collection of personal information and Online transactions.

The United States is the sole country among those presently studied with specific legislation (COPPA) based on obtaining verifiable parental consent to collect personal information about children under 13 years of age.

UNITED STATES

Children’s Online Privacy Protection Act (COPPA)

COPPA is a federal law that protects the privacy of children under 13 years of age. Based on verifiable parental consent, its goal is to enable parents to supervise and intervene in the online collection of personal information about their children. It applies to products that collect personal information from U.S. children under 13 years of age, including collection by companies based outside the U.S.

Before collecting any personal information about a child, you must send a direct notice to the parents. The direct notice must:

  1. State that you are contacting them for the purpose of obtaining their consent
  2. State that you wish to collect personal information about their child
  3. State that their consent is required for the collection, use and disclosure of this information
  4. Specify the type of information you wish to collect and how it will be shared
  5. Include a hyperlink to your privacy policy
  6. Indicate the means by which the parent can provide their consent
  7. Indicate your time frame for deleting their online contact information from your records should you fail to secure their consent

Since children are quick to learn how to bypass typical parental consent mechanisms, the law requires you to take “reasonable measures” to ensure that it is the parents you have contacted. COPPA sets forth a number of non-exhaustive options for obtaining verifiable parental consent — for example, mailing parents a consent form to be signed and returned.

Should you make changes to the personal information handling practices for which consent has previously been secured, you must notify the parent with a direct notice and again request their verifiable parental consent before resuming collection.

For more information on verifiable parental consent and direct notice under COPPA

App stores incorporate parental consent systems but disclaim any responsibility regarding compliance with different privacy policies. Because of this, you must ensure that your product complies with the regulations in effect wherever it is available.

  • Parental consent and direct notices are useful tools for building and maintaining relationships of trust with parents. Obtain parental consent for:
    • Collecting personal information about a child
    • Contest participation
    • Social media allowing users to exchange content
  • Parents must provide express consent for all online transactions carried out using their credit card.
  • Use a direct notice to maintain contact with parents and keep them informed in the event of any changes to your practices.
  • Email is an effective way of obtaining parental consent. Before children can access your services, ask them to provide their parents’ email address. Then send the parents a message clearly and concisely presenting the information that will allow them to provide informed consent along with a link to your privacy policy. For example, if you are contacting them about a contest, include the contest rules and other conditions. In answering the email, the parent either provides or withholds their consent. This will determine whether or not the child can access your service.
  • Parental consent for the collection of personal information and privacy policies go hand-in-hand. In your policy, clearly and concisely present all the information needed to enable the parent to provide informed consent.
  • Direct notices to parents must be concise and clearly worded: avoid legal jargon and superfluous information.
  • Remember that parents have the right to revoke their consent: indicate your procedures for doing so in your privacy policy.
  • *United States*: If your product is used by U.S. children aged under 13 and you collect personal information, COPPA requires that you provide a mechanism for obtaining verifiable parental consent. If possible, incorporate this mechanism during the product development phase, since this will be easier than trying to do so once your product is finalized.
  • *United States*: various COPPA accreditation programs approved by the Federal Trade Commission (FTC) can help you achieve compliance with verifiable parental consent: iKeepSafe, Privo
  • If you distribute content through a mobile app market and use that market’s parental consent mechanism, stay abreast of local regulations and how they affect consent.


01. COLLECTION OF PERSONAL INFORMATION

Explains the term “personal information” and the legal framework governing the collection and handling of such data when a user population includes children.

1.1 What is personal information?

Any personally identifiable information about an individual; i.e. information that, alone or in combination with information from other sources, could lead to the identification of that person*:

  • Last name and first name
  • Physical address, including the name of the street, neighbourhood or city
  • Online contact information (e.g., email address, instant messaging ID)
  • Telephone number
  • Place and date of birth
  • Social insurance number
  • Audio, video or photographic documents containing the person’s likeness or voice
  • Geographic location information, including GPS data
  • Persistent identifiers, such as IP or MAC addresses, a cookie number, a unique device identifier for telephones and tablets, etc.
  • Data on the individual’s online activity, browsing history, bookmarks
  • Data created by the user or social networks, e.g. comments, reviews, “Likes,” Twitter feeds, interactions with customer-service pages

Information about an individual can be divided into two types of identifier:

  • Direct identifiers: last name and first name, social insurance number, photo or video, etc.
  • Indirect identifiers: date and place of birth, mother’s maiden name, school name, school board name, teacher’s name, etc.

*Beware of the risk of re-identification of anonymized data: discrete elements of information from several sources, when combined, can lead to the creation of detailed profiles that can be used to identify someone.

1.2 What are metadata?

Metadata are data that lend meaning and context to other data. Often, this means usage statistics about your product, like the number of tries that it took a user to complete a level in a game.

Anonymized metadata, i.e. data stripped of direct and indirect identifiers, are not considered personal data. For example, you can use and analyze the city of residence of competition entrants as long as you dissociate it from the direct and indirect identifiers. Use of anonymized metadata does not require consent.

1.3 What is meant by “collection of personal information”?

This refers to all practices surrounding the handling of users’ personal data; in other words, the actual gathering of the data, but also use and storage as well as sharing and/or sale of the data with/to a third party.

Among Canada, the United States, the European Union (EU), France and Australia, only the United States has specific legislation governing the collection of personal information about children under 13 years of age.

Canada, the EU, France and Australia all deal with the issue of personal information under general-scope laws covering the entire population. Each of these laws applies to companies doing business in the respective territories.

CANADA

Personal Information Protection and Electronic Documents Act (PIPEDA)

Federal statute defining the rules for the personal information handling practices of private-sector organizations. Under PIPEDA, every private-sector company must obtain valid or meaningful consent to collect, use or share personal information. In addition, the company must notify any individual affected by the theft or loss of personal information, indicating whether there is a risk of harm (e.g. identity theft) and informing them of the safeguards they can apply. Furthermore, the company must report the incident to the Office of the Privacy Commissioner of Canada.

Companies must use clear and simple language to ensure that vulnerable Canadians, particularly children, fully understand the possible consequences of sharing their personal information online.

Careful! The Act does not apply to companies operating exclusively in a province that has essentially similar provincial legislation:

Additional information:

Office of the Privacy Commissioner of Canada:

Securing Personal Information: A Self-Assessment Tool for Organizations

Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps

UNITED STATES

Children’s Online Privacy Protection Act (COPPA)

Federal law that sets high standards for the protection of personal information about children collected online. Its goal is to enable parents to supervise personal information handling practices with respect to their children under 13 years of age.

It applies to products that collect personal information about U.S. children under 13 years of age, including collection by companies based outside the U.S. and products for use by the general public that include U.S. children aged under 13 among their users (i.e. casts a wider net than youth products).

  • If you know that you are collecting personal information about U.S. children under 13 years of age, you must obtain verifiable parental consent before beginning collection.
  • If you make any changes to the practices to which the parent has consented, you must notify the parent in a direct notice and again request their verifiable parental consent before resuming collection.
  • Upon request from a parent, you must be able to provide:
    • A description of the personal information collected about the child and a clear explanation of how it is used, stored and shared.
    • The opportunity to revoke consent, refuse any further use and collection of the child’s personal information, and have previously collected information deleted.

Additional information:

Federal Trade Commission (FTC): COPPA Rule: A Six-Step Compliance Plan for Your Business

FTC: Complying with COPPA: Frequently Asked Questions

FRANCE

Act on Information Technology, Data Files and Civil Liberties

Law defining the principles with which companies must comply when collecting, handling and storing personal information. It covers companies that do business in France or conduct data processing there.

Before collecting any personal information online, you must make a declaration stating each purpose for which personal data is processed to the Commission nationale de l’informatique et des libertés (CNIL). This must be validated by issuance of a registration number to be posted on your website along with contact information for the department that will be handling the data.

This law forbids collection by illegal means. For example, cookies may only be installed on a user’s browser if they agree to it beforehand (opt-in basis).

Additional information: Commission nationale de l’informatique et des libertés

EUROPEAN UNION

Directive on Protection of personal data

Directive on Privacy and Electronic Communications

These directives frame privacy protection for residents of the EU and cover companies that do business in one or more EU Member States.

Safe Harbor Framework: This is a joint U.S.–EU program under which U.S. companies are required to comply with European confidentiality principles when handling European data. It does not apply to Canadian companies because the EU considers Canada’s legal framework for privacy protection to be compatible with its own framework.

Additional information: Handbook on European Data Protection Law

AUSTRALIA

Privacy Act

Federal law, general in scope, on the protection of personal information as it affects companies engaged in business activities in Australia. It states that a company must have an easily accessible privacy policy that explains its overseas data disclosure practices.

Additional information: Office of the Australian Information Commissioner: Privacy law reform

Apple App Store

The App Store has a Kids section featuring applications for young users. Developers wishing to distribute apps through that section of the store must comply with specific rules, including:

  • Incorporating a mechanism allowing the user to provide their date of birth so as to comply with COPPA
  • Obtaining parental consent or using a parental gate before allowing the user to link out of the app and/or engage in commerce

Additional information

Amazon Appstore

Amazon rates the applications in its Appstore using a number of parameters to define appropriate ages for each. Various criteria serve to safeguard children’s privacy: for example, apps rated “All Ages” cannot collect personal information or use location data.

Apps for children aged under 13 cannot link to the Amazon Mobile Ad Network because it uses behavioural advertising, which is forbidden under COPPA.

Additional information:

Google Play store

Google Play uses a content-based applications rating system. A number of child privacy safeguards have been implemented; for example, an app that can be used to locate a user cannot be rated for “Everyone.” These instructions apply to all of an app’s content, including user-generated content and embedded ads.

Additional information:

This backgrounder does not address self-regulation since the collection of personal information is an area well covered by legislation.

  • Prefer a transparent approach: post a privacy policy even if you do not collect any personal information.
  • Do not require users to provide any more personal information than is necessary to take part in an activity. For example, if possible, give children the option to not identify themselves and/or use an alias.
  • Make sure your privacy policy is visible and easily accessible: use a large typeface and/or a contrasting colour.
  • Ensure your privacy policy is up to date, and provide clear, concise explanations of your personal data collection and handling practices. Avoid legal jargon and superfluous information.
  • Your privacy policy should provide the names of any third parties that collect personal information using your product.
  • Periodically review the personal information handling practices of service providers and third parties with whom you share data.
  • Although you are not required to obtain parental consent to use anonymized metadata, we do recommend that you explain this practice transparently in your privacy policy.
  • Obtain parental consent before beginning collection. Provide parents with a link to your privacy policy to help them provide informed consent.
  • Use personal information solely for the purposes for which parental consent has been secured.
  • Avoid collecting precise location data on the child. If such data are necessary for your product to function, explain to parents why this is so and for what purposes location data will be collected, and obtain verifiable parental consent.
  • Help the child understand what will be done with their personal information; for example, if the product is about to use the location data, a symbol can be activated to alert the user to what is happening.
  • You must be able to provide access to the personal information collected about a child to parents who request it. Explain the procedure for doing so in your privacy policy.
  • Notify parents of any changes you make to your personal information handling practices.
  • Implement procedures to protect the confidentiality, security and integrity of the personal information that you store. In the event that the data are compromised, notify parents and explain what actions you are taking to remedy the situation.
  • Delete all data that you no longer need.

MOBILE

  • Inform users of the data required by the application and explain why they are required.
  • Post a simple, clear notice explaining how the personal information will be used.
  • Obtain the user’s consent when the application is first launched: present the notice in a dialogue box prompting the user to agree to the conditions before using the app:
[Images 1 & 2]
  1. NO: The information is hidden in the EULA (End-User Licence Agreement). The user has to scroll far enough to find it.
  2. YES: The information is presented up front, transparently and clearly. The user doesn’t have to go looking for it.
  • Make sure the information on collection of personal information remains available in the privacy policy and/or easily accessible via a link on the home screen or the section reserved for parents.
  • It is your obligation and responsibility to understand users’ rights and comply with local laws wherever your product is available via an online app store.
[Images 3 & 4]
  3. NO: Explains how the app uses the information, but doesn’t state clearly how it will be used and why it will be collected.
  4. YES: Clearly states why the app must access personal information, how it will be used, and why.

**Images from Android Developer Console Help
