LAST UPDATED: January 7, 2021
Common Sense Media, Inc. ("we" or "us") is concerned about children's privacy. The websites ("Sites") that we operate provide a forum for all family members, including children, to express their views about movies, books, TV, games, websites, apps and music. While we encourage children to participate appropriately in our Sites, their privacy is extremely important to us.
The Sites are controlled and operated by us from the United States.
We support the Children's Online Privacy Protection Act (“COPPA”) and other frameworks like the General Data Protection Regulation and the so-called UK GDPR (together, the "GDPR"). Our goal is to minimize the information gathered from and disseminated about Children while permitting them active participation in the trustworthy information, education and independent voice for which we are known.
A. How We Collect and Use Information from Children
Children can explore the Sites, and can view and print reviews, comments, ratings and other content while providing only the limited personal information set out below:
Account set-up and Maintenance. If a Child wants to register to become a member of our Sites, we require the Child to submit the following information:
- Username (the Child is advised not to use his or her real name);
- Birth month and year; and
We may use information collected from Children during the registration process and in account configuration in the following manner:
- To create and maintain the Child's account;
- To determine the Child's current age and post it next to any reviews or comments posted by the Child. We do not post the username of any Child who is under 13 or any personal information in or alongside their reviews or comments.
Using the Site. We also automatically collect "persistent identifiers" about devices from visitors. We do not collect this analytics information for logged in Children.
Use of anonymous information. If the information collected from a Child does not identify or allow contact with him or her or his or her device (including, for example, aggregated information), we may use and disclose it for any purpose, to the extent permitted by applicable law.
No advertisements! We do not display advertising based on information collected from Children.
No newsletters! Our email newsletters are for adults only – they are not designed for, or targeted at, Children. Children should not attempt to sign up for our email newsletters. We encourage parents to discuss with their Children the importance of not signing up to receive our email newsletters.
- Ensure that the Sites function properly;
- Enable us to conduct research and analysis to understand, address and improve the use and performance of the Sites; and
- Diagnose and respond to problems.
B. What Information Submitted By Children Is Viewable On the Site?
We strictly limit the personal information that is publicly viewable about a member who is known by us to be a Child. When a Child posts a review or comment on the Sites, only the Child's age is posted, along with the content of the Child's posting. Usernames of Children who are under 13 are not posted with this submitted content on our Sites. Although the Child may create a Profile for his or her account (which includes only a username, password, birth month and year, and parent's email address), no portion of the Child's Profile other than the Child's age is publicly viewable.
C. What Information About Children Is Shared?
D. How do we get parental consent when we are required to do so?
If parental consent is required in respect of our use of a Child’s personal information, when setting up an account, the Child must provide their parent’s email address. We use that email address to contact the Child’s parent to ask for their consent as required – we also explain to the parent:
- what personal information we collect about their Child;
- how we use it and why; and
- how the parent can revoke their consent and/or ask that we delete their Child’s account and personal information.
If at this stage, the parent gives us their consent, we will carry out the activity for which that consent was required. If not, we won’t.
E. How May Parents Access, Change or Delete Information About Their Children?
Deleting your Children’s information and their account.
If you are a parent, and we need your consent to certain processing of your Children’s personal information, if you:
- wish us to cease further collection of personal information from your Children;
- believe your Children are participating in an activity on the Site that uses their personal information without the parental consent required by law;
- wish us to make no further use of, or delete, the personal information we have collected online from your Children; and/or
- no longer wish for your Children to participate as members of the Site,
we will delete your Child’s Profile, and any parental contact information we may hold, on request.
Parents of EEA+ Children can exercise these rights through our Privacy Requests Portal.
Parents of non-EEA+ Children can exercise these rights by contacting us at [email protected].
Accessing or changing your Children’s account and any personal information we have collected online.
Parents may at any time:
- access or make changes to their Children’s account; or
- make changes to the personal information that we have collected online from their children,
by clicking on their Child's "My Account" link, by contacting us at [email protected], or by writing to us at the address provided below.
For your Child's protection, we may need to verify your identity before implementing any request described in this Section E. We will try to comply with your request as soon as reasonably practicable.
F. How May Parents Raise Other Questions or Concerns?
If a parent has any questions or concerns about his or her Child's use of the Sites, we encourage the parent to contact us at [email protected] or:
Common Sense Media
699 8th Street, Suite C150
San Francisco, CA 94103
G. EEA+ Privacy Matters
Who does this Section G apply to? It applies to Children based in the EEA+. All references to "Child or "Children" in this Section G are references to such EEA+ Children only. References to such EEA+ Children’s "parents" should be understood in the same light.
- Our EU representative appointed under the EU GDPR is Verasafe. You can contact them as shown below:
- By using our EU representative web form, available here.
- By mail: VeraSafe Ireland Ltd., North Point Business Park, New Mallow Road, Cork T23AT2P, Ireland
- Our UK representative appointed under the UK GDPR is Common Sense Media, a registered charity and company in England and Wales ("Common Sense Media UK”).
- By using our UK representative web form, available here.
- By mail: 1 Paternoster Square, London, EC4M 7DX, UK, with mail sent “FAO Common Sense Media: UK Representative”
EU-specific rights. Under certain circumstances, Children may have certain rights – including those set out below:
- Access. Request access to their Personal Data.
- Correction. Request correction of inaccurate or incomplete Personal Data that we hold about them.
- Erasure. Request erasure of their Personal Data.
- Objection. Object to our reliance on our Legitimate Interests (see below) as the legal basis of processing of their Personal Data
- Restriction. Request the restriction of processing of their Personal Data until we address their request establish its accuracy or our reasons for processing it.
- Portability. Request the transfer of their Personal Data in a portable format.
- Withdraw consent. Withdraw their consent to any Processing that relies on it as a legal basis (see below). Their parent’s have the same right to withdraw any parental consents that we have been given.
How to exercise these rights? These rights can be exercised by using our Privacy Requests Portal. Typically, there is no fee for this. However, we may charge a reasonable fee if the request is clearly unfounded, repetitive or excessive – or, in these circumstances, we may refuse to comply with the request. We may need to ask for information in relation to any request to help us confirm the identity of the person making it and to speed up our response.
The right to complain. We would love to be able to resolve all questions, requests and complaints about Personal Data directly. However, if a Child or their parent feels we have not been able to satisfactorily resolve an issue, they may contact their local data protection supervisory authority.
- For the contact information of the Data Protection Authorities for each Member State of the European Economic Area, please visit: https://edpb.europa.eu/about-edpb/board/members_en
- The UK's Data Protection Authority's details are below:
The Information Commissioner's Office
Water Lane, Wycliffe House
Wilmslow - Cheshire SK9 5AF
Tel. +44 303 123 1113
Our “Legal Bases” for using Personal Data. The GDPR requires us to have a “legal basis” for each way that we use Personal Data. Most commonly, we will rely on one of the following legal bases:
- Where we need to perform a contract we are about to enter into or have entered into with a Child (“Contractual Necessity”).
- Where it is necessary for our legitimate interests and the Child’s interests and fundamental rights do not override those interests (“Legitimate Interests”).
- Where we need to comply with a legal or regulatory obligation (“Compliance with Law”).
- Where we have specific consent to carry out the processing for the Purpose in question (“Consent”), in these cases we would need to get a Child’s parent’s consent.
Purposes for Processing. We have set out below, in a table format, the legal bases we rely on in respect of the relevant Purposes for which we use Children’s Personal Data:
Examples of how we use relevant Personal Data for a Purpose
Our legal basis for this use of data
Account set-up and Maintenance
To register a Child’s account on the Sites, and to populate their profile. To provide the core elements of the Sites.
We might use the Personal Data we collect to keep our Sites and associated systems operational and secure.
Compliance with Law.
Troubleshooting and Service improvement
We might use the information associated with the Persistent Identifiers above to track issues that might be occurring on our Sites and systems, or to test and improve them.
It is in our legitimate interests that we are able to monitor and ensure the proper operation of our Sites and associated systems and services.
Anonymised Data creation
We may create ‘Anonymous Data’ – this might include aggregated data such as statistical or demographic data. Anonymous Data may be created or derived from any of the Personal Data we collect, but once in anonymous / aggregated form it will not directly or indirectly reveal a Child’s identity (i.e., it’s no longer Personal Data).
We may use or disclose Anonymous Data for any purpose permitted by law, and do not require a legal basis to do so.
It is in our legitimate interests that we are able to ensure that our Sites and how we use information about our users is as un-privacy intrusive as possible.
User submitted content
As part of the Sites, we post the reviews, comments and other content submitted to the Sites by Children – although we recommend that it is not included, these may contain certain Personal Data.
We encourage parents to discuss with their Children why they should NEVER include Personal Data in reviews or comments posted to the Site.
For all Children who are under 13:
Contractual Necessity in respect of posting reviews, comments and other submitted content.
Legitimate Interests in respect monitoring the content of Children who are under 13 to remove any Personal Data – we consider this practice to be in the interests of the Children themselves, their parents, and ourselves.
What happens when you do not provide necessary Personal Data or you withdraw consent? Where we need to process a Child’s Personal Data either to comply with law, or to perform the terms of a contract we have with them and they fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into. Similarly, if we rely on Consent to process Children’s Personal Data, they or their parent may withdraw that Consent, but if this happens, we may not be able to provide certain services or features.
International transfers. We are headquartered in the United States. The Personal Data that we collect from and about Children will be stored and processed in the United States and may be stored and processed in other countries outside of the EEA+. However, it is our policy to ensure that adequate contractual or other safeguards are applied to Personal Data transferred outside of the EEA+ where required by the GDPR. If you have questions about the safeguards applied to Children’s Personal Data, you may contact us at [email protected].
- Data Security – VI. Important Disclosures, Practices and Contact Information
- Retention – V. How Long We Keep Your Personal Information
Personal Data from Third Party Sources. We do not collect any Personal Data about Children from any third parties or publicly-available sources, other than from their parents (where they choose to give it to us).