Children’s Online Privacy Protection Act (“COPPA”) Notice
Effective Date: June 4, 2020
Carnegie Mellon University (“CMU,” “we,” “us,” or “our”) is committed to privacy and data protection. The Children’s Online Privacy Protection Act of 1998 and its rules (collectively, “COPPA”) require us to inform parents and legal guardians (as used in this policy, “parents” or “you”) about our practices for collecting, using, and disclosing personal data from children under the age of 13 (“children” or “child”). This notice (“COPPA Notice”) provides additional details regarding the practices described in the Children’s Privacy section of our Privacy Notice.
This COPPA Notice only applies to the data collection practices of CMU websites and services directed to children under the age of 13 (“Services”) and supplements the Privacy Notice. Capitalized terms not defined in this COPPA Notice are otherwise defined in the Privacy Notice.
How Do We Protect Children’s Privacy?
We take special precautions to protect the privacy of children using our Services. If you have a question about whether a particular Service is directed to children, please contact us by sending an email at email@example.com.
What Data Do We Collect from Children?
CMU only collects the minimal amount of personal data necessary for children to use our Services. Specifically CMU collects, first name, last name (optional), mailing address, email address, phone number, and date of birth. We may ask for certain information that is not personally identifiable like, school name, school address, school city/district, or school grade, in connection with your child’s use of the Services and to help us improve our Services. We store a child’s user name and password on our system when the child registers for the Services. We may also store the IP address from which the child access the Services in connection with the child’s use of the Services.
How Do We Use Children’s Personal Data?
We use children’s personal data to provide the Services in which your child is participating. This may include communicating with the child multiple times through email or other forms of communication such as video conferencing technology.
We may use the non-personally identifiable data we collect to improve the Services and to deliver a better and more personalized experience.
CMU retains personal data in a form which permits identification of a child for as long as necessary to provide the Services in which the child is participating, or for other business purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. We are required by law to keep some types of information for certain periods of time (e.g., statute of limitations).
When Do We Disclose Children’s Personal Data?
We do not sell or rent children’s personal data.
Some Services allow children to make information, including personal data, available for other children participating in the same Services, CMU staff, and volunteers to view online. In certain limited circumstances, the Services may include features that allow children to publically post their information, including personal data. In these circumstances, CMU requires parental consent prior to posting the child’s information publically.
We may disclose aggregated data about many of our users, and data that does not identify any individual or device. In addition, we may disclose children’s personal data: (i) to third parties we use to provide or support our Services, such as Zoom (for video conferencing) and Canvas (for eLearning); (ii) if we are required to do so by law or legal process, such as to comply with any court order or subpoena or to respond to any government or regulatory request; (iii) if we believe disclosure is necessary or appropriate to protect the rights, property, or safety our company, our customers or others, including to protect the safety of a child, protect the safety and security of the Services; or enable us to take precautions against liability; or (iv) to law enforcement agencies or for an investigation related to public safety.
In addition, if the CMU is involved in a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of the CMU’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding or event, we may transfer the personal data we have collected or maintain to the buyer or other successor.
How Can You Access, Review, and Update Your Child’s Personal Data?
At any time and upon providing proper identification, you may access and review your child’s personal data maintained by us, request that we update or delete such personal data, and/or refuse to allow us from further collecting or using your child’s personal data.
You can review, change, or delete your child’s personal data by sending us an email at firstname.lastname@example.org or calling us at 412-268-3291. To protect your and your child’s privacy and security, we may require you to take certain steps or provide additional information to verify your identity before we provide any personal data or make corrections.
We understand that you may have questions or concerns about this COPPA Notice or our privacy practices or may wish to file a complaint. In such case, please contact us in one of the following ways:
Carnegie Mellon University
Attention: Child Protection Operations / Office of Human Resources
5004 Forbes Avenue
Pittsburgh, PA 15213