Inversoft has provided a shortened version of the ‘Business and Parents and Small Entity Compliance Guide’.
1. If I want to share children’s personal information with a service provider or a third party, how should I evaluate whether the security measures that entity has in place are “reasonable” under the Rule?
You need to determine what data practices the third parties have in place for maintaining the confidentiality of that data, and what security is in place to prevent unwanted exposure or access to personal information.
How your users data is being used by the third party' or service' needs to be thoroughly defined and addressed by contractual agreement.
It is important to periodically monitor/checkup on the third party to confirm they are maintaining confidentiality and security of your users personal information.
2. If a third party discovers that it has been collecting information via a child-directed service, what are its obligations regarding information it has already collected?
It must comply with COPPA by:
- Stop collecting any personal information
- Delete all relevant information on users and close their accounts or;
- Take all information offline and take the necessary steps the Rule requires for parental notification and consent
- If immediate consent is not obtained by the parent the information must be deleted and account closed
For more information on COPPA FAQs click here.