Regulators Find Apps & Websites Aimed at Children Show Lack of Privacy Controls


This week, regulators published the findings from their annual global privacy sweep, which reviewed the privacy practices of nearly 1,500 apps and websites aimed at children. The review found that 67 percent harvested personal information, while only 31 percent employed controls. The investigation was conducted by the Global Privacy Enforcement Network in May and involved 29 data protection regulators.

“The attitude shown by a number of these websites and apps suggested little regard for how anyone’s personal information should be handled, let alone that of children,” said Adam Stevens of the UK Information Commissioner’s Office.

The FTC posted a response on its blog on Sept. 3, written by a couple of officials from the Bureau of Consumer Protection, Office of Technology Research and Investigation.

After the sweep, Alberta, Canada’s privacy commissioner immediately spearheaded a privacy education program for all Canadian students in grades 7-8. Canadian Privacy Commissioner Daniel Therrien added that a small number of websites and apps “did not collect any personal information at all, demonstrating it is possible to have a successful, appealing and dynamic product that is also child friendly and worry-free for parents.”


End of Month Recap: What You May Have Missed [August]

At the end of each month we’ll compile a list featuring some of the most informative and interesting privacy blog posts to let you know what topics are driving the privacy agenda this month.


This month on the blog we covered data breaches, ‘Right to be Forgotten,’ and the new IoT Trust Framework, among other topics. This was the second month of our new series featuring the leading players in the Privacy Ecosystem. Check out the list below for some of the most popular blog posts this month:


New IoT Trust Framework Addresses Privacy Risks & Guidelines

On Aug. 11, the Online Trust Alliance released its Internet of Things Trust Framework to address IoT privacy and security risks. The Framework provides guidelines for IoT manufacturers, developers and retailers to follow when designing, creating, adapting and marketing connected devices in two key categories: home automation, and consumer health and fitness wearables.


Popular Webinar Tackles How Privacy Practices Can Help Prepare for a Data Breach

In this blog post, we introduce our first webinar teaser video. You’ll be seeing more of these short clips in future blog posts. The idea is to let visitors to the blog watch a minute of blog content before downloading the full version.


13 Companies Settle with FTC for False US-EU & US-Swiss Safe Harbor Claims

On Aug. 17, 13 companies settled with the Federal Trade Commission (FTC) for falsely claiming they were certified and in compliance with the US-EU or US-Swiss Safe Harbor Framework. Compliance with the Framework means companies must follow established requirements for meeting adequacy standards to transfer customer or employee data from the EU or Switzerland to the U.S. Then, companies must self-certify with the Department of Commerce. The self-certification needs to be renewed annually.


Survey Compares American and British Opinions on the ‘Right to be Forgotten’

This blog post coincided with the release of a new survey about the ‘Right to be Forgotten.’ Both American and British adults were asked their thoughts about this ruling and the results were interesting. While more British online adults (44%) than American online adults (29%) think that the ‘Right to be Forgotten’ ruling allows for censorship, American and British adults gave similar responses when asked what type of data they would request removed from company databases.


This month in the Privacy Ecosystem series:

Meet the Leading Players in the Privacy Ecosystem: Craig Spiezle, Executive Director & President, Online Trust Alliance

Meet the Leading Players in the Privacy Ecosystem: Daniel J. Solove, Founder, TeachPrivacy

Meet the Leading Players in the Privacy Ecosystem: Gabe Totino, President & CTO, AssertID


What else would you like to read about on the TRUSTe blog?

13 Companies Settle with FTC for False US-EU & US-Swiss Safe Harbor Claims


Thirteen companies settled with the FTC yesterday for falsely claiming they were certified and in compliance with the US-EU or US-Swiss Safe Harbor Framework.

Compliance with the US-EU and US-Swiss Safe Harbor Frameworks means companies follow established requirements for meeting adequacy standards to transfer customer or employee data from the European Union or Switzerland to the United States. To be in compliance, companies must self-certify with the Department of Commerce and are required to show compliance with the seven privacy principles. These principles are notice, choice, onward transfer, security, data integrity, access and enforcement. This self-certification needs to be renewed annually.

Of the 13 companies that settled, seven were previously in compliance with the US-EU and US-Swiss Safe Harbor Frameworks but failed to renew their self-certification.

The FTC has demonstrated that it monitors and cracks down on violations of the US-EU and US-Swiss Safe Harbor Frameworks. Prior to yesterday’s announcement, the FTC had settled with more than two dozen companies allegedly making false claims regarding Safe Harbor compliance.

This news underscores the importance of maintaining US-EU and US-Swiss Safe Harbor compliance. TRUSTe can help companies to conduct gap assessments, remediate practices to stay compliant, and prepare for Safe Harbor self-certification.




TRUSTe finds extensive number of Third Parties on Kids sites – What this means for COPPA Compliance

Tony Berman
Sr. Product Manager | TRUSTe

As most website operators know, the updated COPPA Rule goes into effect July 1, 2013. The update includes an obligation to clearly list all third-party operators who collect personal information, along with their names and contact information.

With this in mind, earlier this month I used TRUSTe’s Website Monitoring Service to find aggregate data for the top 25 Alexa-ranked kids gaming websites. My findings indicate that these sites utilize a great number of third parties, including service providers that may be collecting personal information such as persistent identifiers directly from children under the age of 13. These third parties may need to be listed in the gaming website’s privacy policy as collecting data directly from children in order to comply with the updated COPPA Rule. The FTC addresses this requirement in its updated COPPA FAQs in question C.5.

Summary of findings: On average there are over 47 third parties per website. Over 62% of third parties found are advertising related companies, while the next largest category of social/sharing tools is at just over 7%. 77% of third party cookies found are persistent.


The FTC’s Mobile Privacy Report: Building Trust by Giving the User Notice and Choice (Part 1)

Saira Nayak
Director of Policy | TRUSTe

TRUSTe’s analysis on FTC’s Mobile Privacy Report: Building Consumer and Brand Confidence In Mobile Advertising.


On Friday, the FTC issued a staff report entitled “Mobile Privacy Disclosures: Building Trust with Transparency”.  The report was endorsed by four commissioners (Julie Brill, Jon Leibowitz, Maureen Ohlhausen and Edith Ramirez, with newest commissioner Joshua Wright abstaining).

The report articulates a framework for mobile privacy based on the testimony of several industry experts (including TRUSTe VP of Product Kevin Trilli) at its May 2012 workshop on mobile disclosures. The framework builds on the concepts of privacy by design, simplified choice and transparency that are the pillars of the FTC’s final privacy report that was issued in March 2012. The FTC also published an accompanying business guide, which recommends that app developers consider important issues like security and data flows before an app is designed, and that they incorporate privacy by design into their business practice.

Much of the initial news cycle was consumed with the FTC’s settlement and $800,000 fine (announced at the same time for COPPA and FTC Act violations by social networking app Path). As the dust settles, and attention turns to the report itself, it’s becoming very clear that the FTC’s guidance goes much further than just COPPA and deceptive privacy policies.