Florida Issues Draft Privacy Regulations: What You Need to Know

Fox Rothschild LLP

Florida has issued draft regs for its new privacy law, but this is important far beyond the Sunshine State. U.S. state regulators are looking to each other for guidance on similar provisions.

What do you need to know?

Who is a child?

  • Most state laws impose a “known child” standard, but do not provide a definition.
  • Per Florida, a consumer is a “known child” if you “actually know” or “willfully disregard” that the consumer is a child.
  • Per the new regs, you “willfully disregard” if “based on facts or circumstances readily available you should reasonably have been aroused to question whether a consumer was a child and thereafter failed to perform reasonable age verification.”
  • It is not “willfully disregarding” if you utilize a reasonable age verification method with respect to all consumers and determine that the consumer was not a child (unless you later gain actual knowledge & fail to act).
  • Reasonable age verification is “any commercially reasonable method regularly used by the government or businesses for the purpose of age and identity verification.”
  • Who is the parent (for getting parental consent)? You need to conduct a reasonable parental verification before allowing the exercise of any right. That is “any method that is reasonably calculated at determining that a person is a parent of a child that also verifies the age and identity of that parent by commercially reasonable means including: (1) requesting from a child the child’s parent’s name, address, phone number, and e-mail address; (2) contacting the name provided by the child and confirming that the parent is the child’s parent by obtaining documents or information; and (3) utilizing any commercially reasonable method regularly used by the government or business to verify that parent’s identity and age [similar to one of the FTC-approved COPPA methods].”

Authentication:

  • Needs to be done by a commercially reasonable method, which you determine by considering: (1) The rights the requestor is seeking to exercise; (2) The type, sensitivity, value and volume of personal data at issue; (3) The degree of possible harm that could be suffered by the consumer in the event of improper access, use or deletion of their personal data; and (4) The cost to the controller for completing the authentication method.
  • Don’t ask for more information than you already have for authentication unless you must, and then only use the new information to authenticate and immediately delete it [similar to the new CA guidance on data minimization in DSARs].
  • You SHALL use a password-protected account for verification if you have them (CA is “may”), but you can’t require the creation of an account for this.

Information security

  • Additional detailed requirements include compliance with NIST CSF.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
