Monthly Archives: March 2019

New bill would give parents an “Eraser Button” to delete kids’ data

.@NakedSecurity: New bill would give parents an ‘Eraser Button’ to delete kids’ data – The COPPA overhaul would ban targeting ads at kids under 13 and ad targeting based on race, socioeconomics or geolocation on kids under 15.

Two US senators on Tuesday proposed a major overhaul of the Children’s Online Privacy Protection Act (COPPA) that would give parents and kids an “Eraser Button” to wipe out personal information scooped up online on kids.

The bipartisan bill, put forward by Senators Edward J. Markey (D-Mass.) and Josh Hawley (R-Mo.), would also expand COPPA protection beyond its current coverage of children under 13 in order to protect kids up until the age of 15.

The COPPA update also packs an outright ban on targeting ads at children under 13 without parental consent, and at anyone up until the age of 15 without user consent. The bill also includes a “Digital Marketing Bill of Rights for Minors” that limits the collection of personal information on minors.

The proposed bill would also establish a first-of-its-kind Youth Privacy and Marketing Division at the Federal Trade Commission (FTC) that would be responsible for addressing the privacy of children and minors and marketing directed at them.

“Rampant and nonstop” marketing at kids

Markey said in a press release that COPPA will remain the “constitution for kids’ privacy online,” and that the senators’ proposed changes would introduce “an accompanying bill of rights.”

As it is, Markey said, marketing at kids nowadays is rampant and nonstop:

In 2019, children and adolescents’ every move is monitored online, and even the youngest are bombarded with advertising when they go online to do their homework, talk to friends, and play games. In the 21st century, we need to pass bipartisan and bicameral COPPA 2.0 legislation that puts children’s well-being at the top of Congress’s priority list. If we can agree on anything, it should be that children deserve strong and effective protections online.

The right of kids to be forgotten

The proposed law has the flavor of the EU General Data Protection Regulation (GDPR), what with the greater control it grants citizens over how their personal data is obtained, processed, and shared, as well as visibility into how and where that data is used.

The citizens, in this case, would be children and their parents, who would be entitled to get their hands on any personal information of the child or minor that’s been collected, “within a reasonable time” after making a request, without having to pay through the nose to get it, and in a form that a child or minor would find intelligible.

The bill also requires that online operators provide a “clear and prominent means” to correct, complete, amend, or erase any personal information about a child or minor that’s inaccurate: in other words, what the senators are calling an Eraser Button.

What would change?

These are the specific privacy protections that the bill would strengthen:

  • Prohibiting internet companies from collecting personal and location information from anyone under 13 without parental consent, and from anyone 13 to 15 years old without the user’s consent.
  • Banning targeted advertising directed at children.
  • Revising COPPA’s “actual knowledge” standard to a “constructive knowledge” standard for the definition of covered operators.
  • Requiring online companies to explain the types of personal information collected, how that information is used and disclosed, and the policies for the collection of personal information.
  • Prohibiting the sale of internet-connected devices targeted towards children and minors unless they meet robust cybersecurity standards.
  • Requiring manufacturers of connected devices targeted to children and minors to prominently display on their packaging a privacy dashboard detailing how sensitive information is collected, transmitted, retained, used, and protected.

Recently, the FTC has been flexing its COPPA bicep like never before. Last week, video-streaming app TikTok agreed to pay a record $5.7 million fine for allegedly collecting names, email addresses, pictures and locations of children younger than 13 – all illegal under COPPA.

These tech companies know too much about our kids, and we don’t know what they’re doing with that data, Senator Hawley was quoted as saying in Markey’s press release:

Big tech companies know too much about our kids, and even as parents, we know too little about what they are doing with our kids’ personal data. It’s time to hold them accountable. Congress needs to get serious about keeping our children’s information safe, and it begins with safeguarding their digital footprint online.

“Landmark legislation”

Markey’s press release quoted multiple children’s rights campaigners who lauded the bill. One was Josh Golin, Executive Director, Campaign for Commercial-Free Children, who called it “landmark legislation.”

The Markey-Hawley bill rightly recognizes that the internet’s prevailing business model is harmful to young people. The bill’s strict limits on how kids’ data can be collected, stored, and used – and its all-out ban on targeted ads for children under 13 – would give kids a chance to develop a healthy relationship with media without being ensnared by Big Tech’s surveillance and marketing apparatuses. We commend Senators Markey and Hawley for introducing this landmark legislation and urge Congress to act quickly to put children’s needs ahead of commercial interests.

Citrix admits attackers breached its network

.@NakedSecurity: Citrix admits attackers breached its network – what we know – On Friday, software giant Citrix issued a short statement admitting that hackers recently managed to get inside its internal network. According to a statement by chief information security officer Stan Black, the company was told of the attack by the FBI on 6 March, since when it had established that attackers had taken “business documents” […]

