Privacy Evaluation Questions - Fair Information Practice Principles

The questions we use in our privacy evaluations draw heavily on the Fair Information Practice Principles, or FIPPs. These principles form the basis for national and international privacy regulations, guidelines, and best practice. This page describes how we use the FIPPs to structure our questions. We have included links to relevant background documents within the description of each section.

To read the full question set, use either of these two options:

1: Transparency

Description:

Companies should clearly provide descriptions of their privacy practices regarding the collection, use, disclosure, and maintenance of individuals’ Personally Identifiable Information (PII) on the application or service.

Background:

  • Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices. Companies should provide clear descriptions of what personal data they collect, why they need the data, how they will use it, when they will delete the data or de-identify it from consumers, and for what purposes they may share personal data with third-parties. These notifications should be placed in locations in the application or service that are most useful to enabling consumers to gain a meaningful understanding of privacy implications and the ability to exercise Individual Control. If an online website, service, or application does not have a Privacy Policy, Terms of Service (TOS), and/or End User License Agreement (EULA) publicly available, then this evaluation tool should not be used, because there are no reliable or legally binding guarantees about how a user's data will be treated. Additionally, in many cases, the terms should contain specifics about how cookies and other trackers are used, a data breach notification policy, and other legal notices as applicable. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 14.
  • Transparency is one of the Fair Information Practice Principles (FIPPs) that underlie privacy laws and regulations around the world. The Organization for Economic Cooperation and Development (OECD) calls for transparency about developments, practices and policies with respect to personal data, as one of the guidelines intended to help harmonize national privacy legislation while supporting the data flow essential to international commerce. See CA DOJ, Making Your Privacy Practices Public, p. 3; See also The Organisation for Economic Co-operation and Development (OECD) Privacy Framework (2013).
  • The California Online Privacy Protection Act (CalOPPA) requires operators of commercial websites or online services that collect personal information on California consumers through a website to conspicuously post a privacy policy on the site and to comply with its policy. The privacy policy must, among other things, identify the categories of personally identifiable information (PII) collected about site visitors and the categories of third-parties with whom the operator may share the information. The privacy policy must also provide information on the operator's online tracking practices. An operator is in violation for failure to post a policy within 30 days of being notified of noncompliance, or if the operator either knowingly, willfully, or negligently fails to materially comply with the provisions of its policy. See California Business and Professions Code (B.P.C.) §§ 22575-22579; See CA DOJ, How to Read a Privacy Policy.
  • The FTC recommends the implementation of substantive privacy protections – such as data security, limitations on data collection and retention, and data accuracy – as well as procedural safeguards aimed at integrating the substantive principles into a company's everyday business operations. By shifting burdens away from consumers and placing obligations on businesses to treat consumer data in a responsible manner, these principles should afford consumers basic privacy protections without forcing them to read long, incomprehensible privacy notices to learn and make choices about a company's privacy practices. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), p. 23.
  • Most privacy policies are generally ineffective for informing consumers about a company's data practices because they are too long, are difficult to comprehend, and lack uniformity. However, the policies still have value – they provide an important accountability function by educating consumer advocates, regulators, the media, and other interested parties about the company's data practices. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), p. 61.
  • The FTC believes that privacy policy statements should contain some standardized elements, such as format and terminology, to allow consumers to compare the privacy practices of different companies and to encourage companies to compete on privacy. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), p. 62.

2: Focused Collection

Description:

Companies should only collect individuals’ PII that is directly relevant and necessary to accomplish the specified purposes for which it was collected.

Background:

  • Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain. Companies should collect only as much personal data as they need to accomplish the purposes for which the data is collected. Companies should also securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise. If a company provides a clear understanding of all the data collected, a user can make an informed choice about the potential privacy implications of how their data are used. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 21.
  • The FTC recommends privacy best practices which include the principle that companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy. It is a best practice for companies to inform customers about what information they are collecting in a clear and concise manner and to only collect the information that the company needs to complete their business purpose. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), pp. 23, 26.
  • As part of privacy by design, first-party companies and third-party data brokers should strive to assess their collection practices and, to the extent practical, collect only the data they need and properly dispose of the data as it becomes less useful. This is particularly important in light of companies' increased ability to collect, aggregate, and match consumer data and to develop secondary uses for the data in ways that consumers could never have contemplated when they provided the information. Sound data collection and disposal practices also reinforce data security, as collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused. For example, identity thieves and other unscrupulous actors may be attracted to detailed consumer profiles maintained by data brokers that do not dispose of obsolete data, as this data could give them a clear picture of consumers' habits over time, thereby enabling them to predict passwords, answers to challenge questions, or other authentication credentials. See FTC, Data Brokers: A Call For Transparency and Accountability (May 2014), p. 55.
  • The federal government recommends that data collected in schools be used for educational purposes and that the government continue to support investment and innovation that raises the level of performance across our schools. To promote this innovation, it should explore how to modernize the privacy regulatory framework under the Family Educational Rights and Privacy Act (FERPA) and Children's Online Privacy Protection Act (COPPA) to ensure two complementary goals: 1) protecting students against their data being shared or used inappropriately, especially when that data is gathered in an educational context, and 2) ensuring that innovation in educational technology, including new approaches and business models, has ample opportunity to flourish. See Exec. Office of the President, Big Data: Seizing Opportunities, Preserving Values (2014), p. 64.

3: Data Sharing

Description:

Companies should address in their privacy policies whether collected PII is shared or sold to third-parties, and whether PII is shared in an aggregate or de-identified format. In addition, companies should disclose the roles of third-parties and their functions, and whether third-parties are contractually required to provide the same level of privacy protection, as well as the use of social plugins or federated logins.

Background:

  • Data Sharing: Companies should address in their privacy policies whether data collected are shared or sold to third-parties, and whether data are shared in an aggregate or de-identified format. In addition, companies should disclose the roles of third-parties and their functions, and whether third-parties are contractually required to provide the same level of privacy protection, as well as the use of social plugins or federated logins.
  • The FTC recommends privacy principles apply to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device, unless the entity collects only non-sensitive data from fewer than 5,000 consumers per year and does not share the data with third-parties. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), p. 22.
  • The FTC calls for privacy policies to be clearer, shorter, and more standardized to enable better comprehension and comparison of privacy practices. The FTC recommends companies provide consumer choice in situations where a company shares data with a third-party that it collects from a consumer, thereby giving consumers the ability to control the flow of their data to third-parties who might use or sell the data to others for enhancement. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), pp. 44, 61.
  • The Children's Online Privacy Protection Act (COPPA) requires a privacy policy to list the kinds of personal information collected from children (for example, name, address, email address, hobbies, etc.), how the information is collected, and how the company uses the personal information. It also requires companies to indicate whether they disclose information collected from children to third-parties. If so, the company must also disclose the kinds of businesses in which the third-parties are engaged, the general purposes for which the information is used, and whether the third-parties have agreed to maintain the confidentiality and security of the information. See 15 U.S.C. § 6502; 16 C.F.R. Part 312.
  • Under the Family Educational Rights and Privacy Act (FERPA), student data can be shared with a third-party if the vendor has been designated as a "school official," as defined, and that official can only use data that is part of an "educational record" for the specific purpose under which it was disclosed. However, student information that has been properly de-identified or that is shared under the "directory information" exception, is not protected by FERPA, and thus is not subject to FERPA's use and redisclosure limitations. Additionally, if a vendor has not been declared a "school official," any rights claimed by a vendor to sell or disclose student data should be identified and defined in the vendor's policies. See PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, pp. 3-4.

4: Respect for Context

Description:

Companies should disclose that their data collection and privacy practices are consistent with the context in which PII is collected, and provide notification and seek consent if the context in which PII is collected changes in any way.

Background:

  • Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Companies should limit their use and disclosure of personal data to those purposes that are consistent with both the relationship that they have with consumers and the context in which consumers originally disclosed the data, unless required by law to do otherwise. If companies will use or disclose personal data for other purposes, they should provide heightened Transparency and Individual Choice by disclosing these other purposes in a manner that is prominent and easily actionable by consumers at the time of data collection. If, subsequent to collection, companies decide to use or disclose personal data for purposes that are inconsistent with the context in which the data was disclosed, they must provide heightened measures of Transparency and Individual Choice to consumers. Finally, the age and familiarity with technology of consumers who engage with a company are important elements of context. Companies should fulfill the obligations under this principle in ways that are appropriate for the age and sophistication of consumers that may require greater protections for personal data obtained from children and teenagers than for adults. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 15.
  • The FTC recommends as a best practice that companies give their users clear and prominent notice and obtain affirmative express consent prior to making certain material retroactive changes to their privacy practices. For practices requiring choice, companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data. Companies should obtain affirmative express consent before (1) using consumer data in a materially different manner than claimed when the data was collected; or (2) collecting sensitive data for certain purposes. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), pp. 57-60.
  • Companies should present choices to consumers in a prominent, relevant, and easily accessible place at a time and in a context when it matters to them, and make privacy statements clearer, shorter, and more standardized. In addition, companies should provide consumers with reasonable access to their data, and undertake consumer education efforts to improve consumers' understanding of how companies collect, use, and share their data. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), p. 60.
  • The Children's Online Privacy Protection Act (COPPA) requires verifiable parental consent to share data, but companies should also send a notice and request for express opt-in consent from parents if there are material changes in the collection, use or disclosure practices of the company, to which the parent had previously agreed. Although this is not expressly required by law, it is generally considered a best practice and encouraged by the FTC. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), pp. 57-58.
  • Identifying and defining specific classes of data can be paired with more precise definitions of what data are collected, and can allow for protecting that data in ways that go beyond the bare minimum protections required by privacy laws. Different classes of data can also make privacy policies more comprehensible by explicitly defining that the data of students, parents, and teachers could be classified differently with appropriate levels of protection.

5: Individual Control

Description:

Companies should provide individuals with choices about the collection, use, disclosure, and maintenance of their PII. In addition, companies should enable individual control by providing consumers with easy and accessible mechanisms.

Background:

  • Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it. Companies should provide consumers appropriate control over the personal data that consumers share with others and over how companies collect, use, or disclose personal data. Companies should enable these choices by providing consumers with easily used and accessible mechanisms that reflect the scale, scope, and sensitivity of the personal data that they collect, use, or disclose. Moreover, companies should remain cognizant of the sensitivity of the uses they make of personal data based on the context in which it was collected. Companies should offer consumers clear and simple choices, presented at times and in ways that enable consumers to make meaningful decisions about personal data collection, use, and disclosure. Companies should offer consumers means to withdraw or limit consent that are as accessible and easily used as the methods for granting consent in the first place. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 11.
  • Companies that collect and use consumer data should provide easy-to-use choice mechanisms that allow consumers to control whether their data is collected and how it is used. To ensure that choice is most effective, the FTC recommends that a company should provide the choice mechanism at a time and in a context that is relevant to consumers – generally at the point the company collects the consumer's information. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), p. 35.
  • A school or district should maintain ownership of a student's data. If a school shares personal information with an outside third-party performing institutional functions or services, then the outside party must remain under the direct control of the agency or institution with respect to the use and maintenance of education records. See PTAC, Protecting Student Privacy While Using Online Educational Services: Model Terms of Service; 34 C.F.R. § 99.31(a)(1)(i)(B)(2).

6: Access and Accuracy

Description:

Companies should provide easy and accessible mechanisms regarding access, review, correction, retention, and deletion of individuals’ PII.

Background:

  • Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. Companies should use reasonable measures to ensure they maintain accurate personal data. Companies also should provide consumers with reasonable access to personal data that they collect or maintain about them, as well as the appropriate means and opportunity to correct inaccurate data or request its deletion or use limitation. Companies that handle personal data should construe this principle in a manner consistent with freedom of expression and freedom of the press. In determining what measures they may use to maintain accuracy and to provide access, correction, deletion, or suppression capabilities to consumers, companies may also consider the scale, scope, and sensitivity of the personal data that they collect or maintain and the likelihood that its use may expose consumers to financial, physical, or other material harm. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 19.
  • Providing a student with the ability to access and export data from a website or service has the potential to allow a student to interact directly with and derive more benefit from the data collected within an application. Additionally, a robust data export feature would support content audits over time. For organizations that are concerned about parents and students losing the ability to move their data when they need to, and use it as they wish, data portability addresses many of these issues by empowering students with direct access to their data. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), pp. 67-71.
  • FERPA does not provide any specific requirements for educational agencies and institutions regarding disposition or destruction of the data they collect or maintain themselves, other than requiring them to safeguard FERPA-protected data from unauthorized disclosure, and not to destroy any education records if there is an outstanding request to inspect or review them. When educational agencies and institutions disclose (or "share") PII from education records with third parties under an applicable exception to FERPA's written consent requirement, however, additional legal requirements regarding destruction of that PII may apply. See PTAC, Best Practices for Data Destruction, p. 2.
  • The Family Educational Rights and Privacy Act of 1974 (FERPA) provides parents of students the right to access their children's Student Data or education records, and Students 18 years of age and older the right to access their own education records. In addition, FERPA provides the right to have the records amended, and the right to have some control over the disclosure of personally identifiable information (PII) in the education records. Furthermore, strict storage guidelines surround Student Data which require organizations to maintain accurate and up-to-date records. See 20 U.S.C. § 1232g; 34 C.F.R. Part 99.1.
  • United States Constitutional law has long recognized that privacy interests co-exist alongside fundamental First Amendment rights to freedom of speech, freedom of the press, and freedom of association. Individuals and members of the press exercising their free speech rights may well speak about other individuals and include personal information in their speech. A company's privacy policy should be balanced and interpreted with full respect for First Amendment values, especially for non-commercial speakers and individuals exercising freedom of the press, against the privacy interests of the individual seeking to restrict access to that speech. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 20.

7: Data Transfer

Description:

Companies that provide PII as an asset in the event of a merger, acquisition, or bankruptcy should provide notification to individuals, seek opt-in consent, and require onward contractual privacy protections of that PII.

Background:

  • Data Transfer: Companies should disclose their privacy practices of data ownership, notice, and choice to a user before onward transfer of personal information assets to a third-party occurs. Transfer of a user's personal information should only be permitted where the third-party recipient provides the same level of privacy protection for the data. A company transferring user data should clearly indicate in their policies how they handle data transfer during a potential bankruptcy, merger, or acquisition.
  • When a company goes out of business, a user's data can often be sold as an asset to another company. Policies that allow a user to delete their data in the event of a bankruptcy, or that clearly indicate a user's data will not be sold as part of any bankruptcy proceedings provide a higher level of privacy protection. Additionally, the method by which a user would be notified if their data will be transferred should be clearly identified in a company's policies. See The Bankruptcy Abuse Prevention and Consumer Protection Act of 2005 (BAPCPA), 11 U.S.C. §363.
  • When two companies merge, a user's data that was collected and protected under one company's privacy policy can become subject to a different set of privacy policies and legal terms. If this happens, it is important a user be informed either before, during, or after the transfer occurs. A user should be notified of any data transfer, regardless of whether or not the notification occurs before their data is transferred, or whether a user can delete their data, or whether a user can opt-out of the data transfer process.
  • While FERPA does not specify that education records shared under some of its exceptions must be returned or destroyed at the end of the contract, it is a best practice to require this. Data return or destruction helps limit the amount of personal information available to third-parties and prevents improper disclosure. This provision also helps schools and districts maintain control over the appropriate use and maintenance of FERPA protected student information. See PTAC, Protecting Student Privacy While Using Online Educational Services: Model Terms of Service, p. 6.

8: Security

Description:

Companies should protect PII through reasonable security safeguards that include access controls and encryption against risks such as loss, unauthorized access or use, destruction, modification, or unintended disclosure from a data breach.

Background:

9: Responsible Use

Description:

Companies should address appropriate levels of communication, sharing, and visibility between students and adults, and describe how they handle issues related to cyberbullying and reporting inappropriate content.

Background:

  • Responsible Use: Companies should address appropriate levels of communication, sharing, and visibility between students and adults, and describe how they handle issues related to cyberbullying and reporting inappropriate content. In addition, companies should address the rights of various stakeholders to audit and review the social interactions between users.
  • In order to ensure students, citizens, and consumers of all ages have the ability to adequately protect themselves from data use and abuse, it is important that they develop fluency in understanding the ways in which data can be collected and shared, how algorithms are employed and for what purposes, and what tools and techniques they can use to protect themselves. Although such skills will never replace regulatory protections, increased digital literacy will better prepare individuals to live in a world saturated by data. Digital literacy—understanding how personal data is collected, shared, and used—should be recognized as an essential skill in K-12 education and be integrated into the standard curriculum. See Exec. Office of the President, Big Data: Seizing Opportunities, Preserving Values (2014), p. 64.
  • The Children's Internet Protection Act (CIPA) requires that schools that receive federal funding have in place an Internet safety policy that addresses the safety and security of minors when using forms of direct electronic communication such as e-mail and chat rooms. Schools are also required to have in place measures designed to restrict access to materials that are age-restricted and potentially harmful to minors. In addition, any communication of personal data in a public forum or chat room by a child under 13 falls within the definition of a "disclosure" under COPPA. Therefore, such a disclosure could constitute an unauthorized disclosure if parental consent was not obtained beforehand. See CA DOJ, Staying Private in Public: How to Limit Your Exposure on Social Network Sites.
  • COPPA prohibits an operator from conditioning a child's participation in a game, the offering of a prize, or another activity on the child's disclosing more personal information than is reasonably necessary to participate in the activity. See 15 U.S.C. §§ 6501-6506; 16 C.F.R. Part 312.

10: Advertising

Description:

Companies should clearly disclose whether they use collected data for traditional, contextual, or behavioral advertising and seek opt-in and opt-out consent where appropriate. In addition, companies that track individuals for data profiling or use third-party advertising or tracking services to track individuals across websites should clearly disclose those practices and seek opt-in consent.

Background:

  • Advertising: Companies should address when and where they provide advertising and whether they engage in traditional or targeted advertising practices. In addition, a company should define the role of third-parties in serving advertisements to different audiences that include students, parents, teachers, or the school and the compliance issues implicated as a result. Companies should also address how they collect advertising data, display advertising content, and how they market their products and services based on demographic information.
  • The FTC maintains the view that affiliates are third-parties, and a consumer choice mechanism is necessary unless the affiliate relationship is clear to consumers. However, where an affiliate relationship is hidden – such as between an online publisher that provides content to consumers through its website and an ad network that invisibly tracks consumers' activities on the site – marketing from the affiliate would not be consistent with a transaction on, or the consumer's relationship with, that website. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), p. 42.
  • While data mining or scanning may sometimes be a necessary component of online services (e.g., for malware/spam detection or personalization tools), schools and districts should prohibit any mining or scanning for targeted advertising directed to students or their parents. Such provisions could lead to a violation of COPPA, FERPA, or the PPRA. See PTAC, Protecting Student Privacy While Using Online Educational Services: Model Terms of Service, p. 5.
  • The Protection of Pupil Rights Amendment (PPRA) provides parents with certain rights with regard to marketing activities in schools. Specifically, the PPRA requires that a school district must, with exceptions, directly notify parents of students who are scheduled to participate in activities involving the collection, disclosure, or use of personal information collected from students for marketing purposes, or to sell or otherwise provide that information to others for marketing purposes, and to give parents the opportunity to opt-out of these activities. See 20 U.S.C. § 1232h(c)(2)(C)(i); See also PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, p. 6.
  • The PPRA also requires districts to develop and adopt policies, in consultation with parents, about marketing activities. PPRA has an important exception, however, as neither parental notice, the opportunity to opt-out, nor the development and adoption of policies is required for school districts to use a student's personal information for the exclusive purpose of developing, evaluating, or providing educational products or services for students or schools. See 20 U.S.C. § 1232h(c)(1)(E) and (c)(4)(A); See also PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, p. 6.
  • It is important to remember that even though PPRA only applies to K-12 institutions, there is no time-limit on the limitations governing the use of personal information collected from students for marketing purposes. So, for example, while PPRA would not limit the use of information collected from college students for marketing, it would restrict the use of information collected from students while they were still in high school (if no notice or opportunity to opt-out was provided) even after those students graduate. See PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, p. 6.

11: Compliance

Description:

Companies should be accountable for demonstrating compliance with applicable State and Federal statutes and regulations, including those that cover students and children, for the collection, use, and disclosure of PII while following industry best privacy practices.

Background:

  • Compliance: Consumers have a right to have personal data handled by companies with appropriate measures that follow the Fair Information Practice Principles (FIPPs) and are in compliance with FERPA, COPPA, and the PPRA. Companies should be accountable to enforcement authorities and consumers for adhering to these principles and federal laws. Companies also should hold employees responsible for adhering to these principles and should train their employees as appropriate to handle personal data consistently and regularly evaluate their performance in this regard. Where appropriate, companies should conduct both full internal audits and external audits of third-party affiliates. Companies that disclose personal data to third-parties should at a minimum ensure that the recipients are under enforceable contractual obligations to adhere to these principles, unless they are required by law to do otherwise. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 21.
  • Companies that discover they are not in compliance with the rules under COPPA should take immediate remedial actions. First, until a company's website or online service comes into compliance, the company must stop collecting, disclosing, or using personal information from children under age 13. Second, companies should carefully review their information practices and online privacy policy. In conducting internal and external audits, companies should look closely at what information they collect, how they collect it, how they use it, whether the information is necessary for the activities on the site or online service, whether they have adequate mechanisms for providing parents with notice and obtaining verifiable consent, whether they have adequate methods for parents to review and delete their children's information, and whether they employ adequate data security, retention, and deletion practices. A court can hold companies that violate the rules under COPPA liable for civil penalties of up to $16,000 per violation. The amount of civil penalties a court assesses may turn on a number of factors, including the egregiousness of the violations, whether the operator has previously violated COPPA, the number of children involved, the amount and type of personal information collected, how the information was used, whether it was shared with third parties, and the size of the company. See FTC, Complying with COPPA: Frequently Asked Questions.
  • Companies that discover they are not in compliance with the rules under FERPA should take immediate remedial actions. A parent of a student under the age of 18 at an elementary or secondary school, or a student who is at least 18 years of age or attending a postsecondary institution at any age ("eligible student"), may file a written complaint with the Family Policy Compliance Office (FPCO) regarding a school's alleged failure to comply with his or her rights under FERPA. A parent of an eligible student generally may not file a complaint under FERPA, as the rights afforded to parents are transferred to the student when he or she becomes an eligible student. The FERPA complaint resolution process is designed to identify problems with FERPA implementation in educational agencies and institutions, to ensure compliance with FERPA requirements, and to prevent future violations of FERPA. If a violation is substantiated, the FPCO may require specific corrective action (e.g., revise policy or procedures, or conduct training) to bring the educational agency or institution into compliance with FERPA requirements. When the educational agency or institution has completed the required corrective action, FPCO closes the complaint. See Department of Education (DOE), Family Policy Compliance Office, Filing a Complaint Under the Family Educational Rights and Privacy Act (FERPA).

Licensing and Attribution

The Privacy Evaluation Questions are released under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License. If you use these questions in your non-commercial project, please credit Common Sense Media as the author, and link back to the announcement post.

This is an example of proper attribution for the Questions: The Privacy Evaluation Questions were authored by Common Sense Media, and are reusable under the terms of a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License.