Could Regulators’ Re-Aimed Focus on Children’s Privacy Affect CUs?

Children’s privacy and security issues have continued to surface and receive negative public attention as regulators try to amend and update existing guidelines. One insider explained how this might impact credit unions.

Last September, Google, the parent company of YouTube, received a $170 million fine for violating children’s privacy. Regulators said the site knowingly and illegally gathered personal data from children and then exploited the young people with targeted advertising.

This led to vigorous policy changes in January in which YouTube started setting limits on its gathering and usage of personally identifiable information from individuals watching children’s videos, no matter the viewer’s age. The penalty and YouTube’s alterations were part of an arrangement with the Federal Trade Commission and the New York Attorney General, which blamed YouTube of violating the federal Children’s Online Privacy Protection Act.

Congress enacted the COPPA in 1998, which required the FTC to issue and enforce regulations concerning online privacy for children under 13. The FTC’s original COPPA Rule took effect in 2000. In 2013, the FTC amended COPPA, expanding the definitions of operators to include creators who publish on ad-assisted platforms; and personal information to include persistent identifiers (such as web cookies). The FTC has indicated its intent to start enforcing the regulations on creators individually, and consideration for more COPPA revisions.

Eve Maler, interim chief technology officer at the San Francisco-based identity and access management software company ForgeRock, weighed in on the possible changes and its potential impact on credit unions and other financial institutions. Among the considerations with a new COPPA update are parental consent protections stretched up to age 16. “This is a concern to us because consent management is something we at ForgeRock have a big stake in.”

For credit unions, new possible COPPA rules might come into play in the event of savings accounts opened on behalf of kids, or for teenagers younger than 16 who have jobs. “Somebody who’s 13 or younger doesn’t really interact with the financial system as much,” Maler pointed out. But somebody who is 13 to 16 might interact with a financial system more, even if only to check a balance from a paystub.

“When it comes to these sorts of journeys it’s really down to building trust with customers. And when it comes to trust, it is up to organizations like credit unions to make choices that give people options and control. If parents are credit union members and they do have kids who interact with accounts, consent is a big part of that,” Maler said.

Referring to COPPA, Maler noted regulators initially wanted to ensure people have a say in where their personal data goes, but not everybody is old enough to be legally able to consent, and overall organizations lacked experience and understanding of how to protect personal data, which they could easily transfer to third parties, especially in areas of social media geolocation and biometrics. “It was sort of data privacy 1.0; now we’ve got data privacy 2.0.”

Maler added, “Data privacy 1.0 was largely about a static view of the universe where we mostly concerned ourselves with security of personal data. That is really not enough.” She mentioned the EU’s GDPR and the California Consumer Privacy Act as examples of the stepped-up concern over consumer privacy. “There’s been a kind of ratcheting up of sophistication around data privacy, data portability and security.” Requirements we now see include more data transparency requirements. “That means enterprises are now required to say what they do in terms of the data, what they are asking you, what kind of data they want to hold; and why people want to hold that personal data,” Maler said.

There tends to be another requirement on top of that, Maler pointed out. “This is more discretionary on the part of the individual business and that is control. The bottom layer again is data protection, data transparency and then data control.”

Maler held the digital world is not just about websites and mobile apps but also many other smart devices that collect information. It can mean car Wi-Fi, games, fitness monitors and even smart basketballs. “We’re really concerned with not just a secure experience, but also a personalized, pleasant, consented experience.”