Indeed, to maximize COPPA’s privacy and security protections, the Commission should further augment the list of data types explicitly covered by the Rule to include government-issued identifiers, avatars generated from a child’s image, and any other data type that is linkable to the identity of a child in the Commission’s view. [...]

Narrowing the Internal Operations Exception Loophole
Responsive to Questions 9 and 10

The Commission should revise the use and purpose limitations in the internal operations exception significantly to bar any secondary use of the information collected for the internal operations of a website. [...]

The iterative nature of the required steps, from identifying and mitigating risks to testing and monitoring the efficacy of those safeguards, is a significant improvement from the broader language that currently exists in the rule requiring just “reasonable procedures.” The Commission should consider strengthening or expanding a few key elements of the required security program. [...]

Data minimization provides that data should only be collected, used, or disclosed to the extent reasonably necessary and proportionate to provide the service requested by the consumer.[40] Data security is intrinsically tied to data minimization: the higher volume of data that a company collects and retains, the higher data security risk.[41] In the COPPA context, operators pose a higher data security. [...]

The proposed risk assessment requirement instructs operators to identify and assess data security risks and sufficient safeguards “to control such risks.”[42] The excessive data collection of personal data—here, the collection of a child’s personal beyond what is necessary and proportionate to provide the service requested by the child or parent—is a well-established data security risk, and data mi.
- Pages: 18
- Published in: United States of America