With over 200 privacy laws and regulations potentially applicable to an organization, Privacy 101* introduces three of the most common of these laws - GLBA, COPPA, and CalOPPA - in Indicium's easy-to-follow Q&A format. Indicium's Privacy Compendium** provides deeper coverage.
California Online Privacy Protection Act (CalOPPA)
- Who does CalOPPA apply to? It applies to any person or company anywhere in the world whose commercial website or online service collects and maintains personally identifiable information from a consumer residing in California who uses or visits the website or online service.
Gramm-Leach-Bliley Act (GLBA)
- Who does GLBA apply to? GLBA applies to a business if the business is a “financial institution” or if the business receives “nonpublic personal information” from a financial institution with which it is not affiliated.
- What does GLBA require? Financial institutions must give their customers – and in some cases their consumers – a “clear and conspicuous” written notice describing their privacy policies and practices.
- What are the consequences of failing to comply with GLBA? Federal regulatory authorities and state insurance authorities may bring enforcement actions for violations of GLBA.
Children's Online Privacy Protection Act (COPPA)
- Who does COPPA apply to? COPPA applies to operators of commercial websites and online services directed to children 12 and under that collect, use or disclose personal information; to operators of general audience websites or online services that have actual knowledge that they are collecting, using or disclosing personal information from a child 12 and under; and to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.
- What does COPPA require? Principally, COPPA requires operators to:
  - post a clear and comprehensive online privacy notice describing their information practices for personal information collected online from children,
  - provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children,
  - give parents the choice of consenting to the operator’s collection and internal use of a child’s information while prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case this must be made clear to parents),
  - provide parents access to their child’s personal information to review and/or have the information deleted, and
  - give parents the opportunity to prevent further use or online collection of a child’s personal information.
- What are the consequences of failing to comply with COPPA? Federal and state regulatory authorities may bring enforcement actions for violations of COPPA. A court can hold operators liable for civil penalties of up to $16,000 per violation. The largest COPPA fine obtained by the FTC is $3 million.
*Privacy 101 is freely accessible above; however, the three laws summarized briefly here are only an introduction. Indicium encourages organizations to deepen their privacy knowledge and practices.