Feuer brings more than two decades of experience in consumer protection and privacy policy and enforcement to the ESRB. In her past role as the Assistant Director for International Consumer Protection at the Federal Trade Commission (FTC), she represented the U.S. and the FTC internationally on consumer-related advertising, marketing, and data privacy issues involving new and emerging digital technologies. She also investigated and litigated advertising cases and coordinated the FTC’s work on the U.S. SAFE WEB Act, legislation that enhances the FTC’s cross-border cooperation powers.

“The ESRB Privacy Certified program continues to set a high bar with its self-regulatory standards and commitment to best practices,” said Feuer. “As a result, consumers, parents, and caregivers can be assured that their and their children’s personal data will be protected whenever they see Privacy Certified seals displayed. I am thrilled to join ESRB at this pivotal moment for data privacy to help Privacy Certified members meet ongoing and future compliance challenges creatively.”

“Stacy’s deep expertise in navigating the domestic and global regulatory landscape for privacy, consumer protection and e-commerce makes her a perfect choice to lead the Privacy Certified program,” said ESRB President Patricia Vance. “Stacy will bring enormous value to our member companies, helping guide them on compliance with an ever-increasingly complex array of consumer privacy regulations on the state, federal and global levels.”

Before joining the FTC, Stacy practiced international law at a Washington, DC firm, and served as a law clerk for a federal district court judge. Stacy graduated from Cornell University and the New York University School of Law. She holds a CIPP-US accreditation from the International Association of Privacy Professionals.

About ESRB

The ESRB is a non-profit, self-regulatory body that independently assigns age and content ratings for video games and mobile apps so parents can make informed choices. It also enforces advertising guidelines adopted by the video game industry and helps companies implement responsible online, mobile and internet connected device privacy practices under its Privacy Certified program. Visit www.esrb.org for more information.

About Privacy Certified

ESRB’s Privacy Certified program, an authorized Safe Harbor under the Children’s Online Privacy Protection Act (COPPA), helps companies comply with online and mobile privacy protection laws in the United States and beyond. Privacy Certified protects consumer privacy and is consistent with ESRB’s mission to help interactive entertainment companies conduct business responsibly while assuring consumers, especially parents, that their personal data is collected and managed responsibly. Look for the Privacy Certified seal. For more information, visit esrb.org/privacy.

Contact:

Johner Riehl
858.220.5626
johner@zebrapartners.net

The post Former FTC Regulator Stacy Feuer Joins ESRB as Senior Vice President, Privacy Certified appeared first on ESRB Ratings.

Feuer brings more than two decades of experience in consumer protection and privacy policy and enforcement to the ESRB. In her past role as the Assistant Director for International Consumer Protection at the Federal Trade Commission (FTC), she represented the U.S. and the FTC internationally on consumer-related advertising, marketing, and data privacy issues involving new and emerging digital technologies. She also investigated and litigated advertising cases and coordinated the FTC’s work on the U.S. SAFE WEB Act, legislation that enhances the FTC’s cross-border cooperation powers.

“The ESRB Privacy Certified program continues to set a high bar with its self-regulatory standards and commitment to best practices,” said Feuer. “As a result, consumers, parents, and caregivers can be assured that their and their children’s personal data will be protected whenever they see Privacy Certified seals displayed. I am thrilled to join ESRB at this pivotal moment for data privacy to help Privacy Certified members meet ongoing and future compliance challenges creatively.”

“Stacy’s deep expertise in navigating the domestic and global regulatory landscape for privacy, consumer protection and e-commerce makes her a perfect choice to lead the Privacy Certified program,” said ESRB President Patricia Vance. “Stacy will bring enormous value to our member companies, helping guide them on compliance with an ever-increasingly complex array of consumer privacy regulations on the state, federal and global levels.”

Before joining the FTC, Stacy practiced international law at a Washington, DC firm, and served as a law clerk for a federal district court judge. Stacy graduated from Cornell University and the New York University School of Law. She holds a CIPP-US accreditation from the International Association of Privacy Professionals.

About ESRB

The ESRB is a non-profit, self-regulatory body that independently assigns age and content ratings for video games and mobile apps so parents can make informed choices. It also enforces advertising guidelines adopted by the video game industry and helps companies implement responsible online, mobile and internet connected device privacy practices under its Privacy Certified program. Visit www.esrb.org for more information.

About Privacy Certified

ESRB’s Privacy Certified program, an authorized Safe Harbor under the Children’s Online Privacy Protection Act (COPPA), helps companies comply with online and mobile privacy protection laws in the United States and beyond. Privacy Certified protects consumer privacy and is consistent with ESRB’s mission to help interactive entertainment companies conduct business responsibly while assuring consumers, especially parents, that their personal data is collected and managed responsibly. Look for the Privacy Certified seal. For more information, visit esrb.org/privacy.

Contact:

Johner Riehl
858.220.5626
johner@zebrapartners.net

The post Former FTC Regulator Stacy Feuer Joins ESRB as Senior Vice President, Privacy Certified appeared first on ESRB Ratings.

First, privacy policies must be updated. Your privacy policies should contain a section that specifically addresses the requirements of the CCPA. Specifically, your privacy policy must:

• Identify the categories of personal information collected in the last 12 months, the sources from which they were collected, and how they are used and shared;
• Notify consumers of and provide instructions on how to exercise their rights to know and delete;
• Tell consumers whether their information is “sold” as that term is broadly defined in the CCPA and, if so, what their rights are to opt-in or opt-out of the sale;
• Notify consumers that they cannot be discriminated against for exercising their rights; and
• Include a “last updated” date and contact information for consumers to ask you questions or voice concerns.

Second, your privacy policy should be available to consumers before they download your app with a link on the app storefront’s product page (or, if available outside the storefronts, on the download page), as well as from within the app. The link in the app would most commonly be found in the Settings menu; however, there is some flexibility concerning placement so long as it is reasonably accessible.

Third, you should also provide a link directly to the California section of your privacy policy in both the app storefront’s product page and within the app. The link should take consumers directly to the section of your privacy policy that contains the disclosures required by the CCPA.

Fourth, if you collect personal information for purposes consumers would not reasonably expect, you must provide consumers a just-in-time notice, usually in the form of a pop-up within the app. For example, if you operate a flashlight app that collects geolocation data, you must provide your consumers with a pop-up notice, alerting them to that unexpected collection of data.

Fifth, if you share consumers personal information with other companies, at the very least, you must take the steps to determine whether that sharing falls within the CCPA’s broad definition of “sale.” In many cases, it will. This is critically important because the “sale” of consumers’ personal information triggers opt-in and opt-out requirements.

Specifically, for consumers under 13 years old, you cannot “sell” personal information without first obtaining consent from a parent or guardian, verified by one of the methods approved within the CCPA. If this situation applies to you, I recommend you reach out to me directly to discuss further because you also have obligations under the Children’s Online Privacy Protection Act (COPPA). For consumers 13 to 15 years old, you must obtain opt-in consent, whereby the consumer must opt-in and then separately confirm the opt-in. Parental consent and opt-in consent from minors must occur before any information is “sold,” meaning it would most likely occur at startup. For consumers 16 and older, you must provide a “Do Not Sell My Info” link in your privacy policy and directly within the app (e.g., in the Settings menu).

These five steps will help you begin down the path of CCPA compliance. However, the law is complicated and goes beyond these basic requirements. If you do not have the internal resources (and, even if you do), it is a good idea to consult a professional.

• • •

Have more questions about CCPA compliance? Feel free to reach out to us through our Contact page to learn more about our program. Be sure to follow us on Twitter and LinkedIn for more privacy-related updates.CC

The post The California Consumer Privacy Act: 5 Steps Mobile App Developers Should Be Taking Now appeared first on ESRB Ratings.

Under Section 1798.120(c) of the CCPA, absent opt-in consent, a business is prohibited from selling the personal information of a California resident, if the business has “actual knowledge” the resident is under 16 years old. For children 13 to 15 years old, the opt-in consent can come directly from the child. The current version of the California Attorney General’s draft regulations requires that consent to come in two steps: first, the child must request to opt-in, then the child must separately confirm the opt-in choice. For children under 13 years old, opt-in consent must come from a parent or guardian using one of several methods that will be approved in the regulations. In both cases, the business must provide notice of the right and method to later opt-out.

When compared with current protections afforded by COPPA, Section 1798.120(c)’s biggest change is that it extends protections to children under 16 years old, whereas COPPA’s protections extend only to children under 13 years old. How material this difference turns out to be will depend largely on how the California Attorney General, and likely California courts, interpret the term “actual knowledge.” The statute says that if a business willfully disregards a child’s age, it will be deemed to have actual knowledge. What does that mean in an online world where most websites and apps don’t request or require a user’s age? How would those businesses have actual knowledge, if at all? Will they be expected to make assumptions based on the content of their websites and apps (i.e., something closer to constructive knowledge) or have a duty to monitor their user base to identify potential underage users (e.g., review user profiles)? It is far too early to know how these questions will ultimately get answered, but with July 1 almost here, that process is almost underway.

It is also noteworthy that the stakes are likely to be high. The current ballot initiative to pass the California Privacy Rights Act (CCPA 2.0) in November would triple the penalty for violations involving minors to $7,500 for each violation. CCPA 2.0 would also create a new agency to enforce the law and to pursue penalties.

• • •

Have more questions about CCPA compliance? Feel free to reach out to us through our Contact page to learn more about our program. Be sure to follow us on Twitter and LinkedIn for more privacy-related updates.

The post California Goes Beyond COPPA to Protect Children’s Privacy appeared first on ESRB Ratings.