Our general approach to online privacy and data protection is to follow the regulations, provisions and guidelines in SOC 2 and SOPIPA.
SOC 2
SOC 2 stands for System and Organization Controls 2, a security framework developed by the American Institute of Certified Public Accountants (AICPA). It provides guidance on how organizations should protect customer data, focusing on security, availability, processing integrity, confidentiality, and privacy. A SOC 2 report is a type of attestation, not a certification, that indicates an organization has implemented and maintained appropriate controls. These are the guidelines that are followed by most financial institutions, including your bank.
SOPIPA
SOPIPA is a California law governing student-data-privacy. The law puts responsibility for protecting student data directly on industry by expressly prohibiting education technology service providers from selling student data, using that information to advertise to students or their families, or "amassing a profile" on students to be used for noneducational purposes. In addition, the law requires online service providers to ensure that any data they collect is secure and to delete student information at the request of a school or school district.
The success of this legislation in California is the inspiration for similar legislation across the USA. SOPIPA-like legislation has been introduced in many other states.
In the USA, children's online privacy is determined by the Children's Online Privacy Protection Act (COPPA.) Under COPPA, an online platform may not obtain the name, phone number, email address, or other identifying information of any child under the age of 13 without verified parental permission. Children 13 and older may elect on their own to provide such information.
There is no such law in Canada. The Canadian Privacy Commissioner has issued guidelines that are similar to COPPA, but they are not enforceable by Canadian law. In the interest of child safety, Warning Technologies has elected to include Canadian children under the USA COPPA protection.
The General Data Protection Requirements (GDPR) are a set of European regulations and guidelines covering all EU-member countries, and are suggested to those countries that are part of the EEA but not EU members. In general, the EU regulations say that in order to collect identifying information from a child, parental consent must be obtained for a child under the age of 16. HOWEVER, the EU also allows each country to determine their own child data protection age requirements, and the "age of consent" in each country ranges from 13 years old to 18 years old. This means that Warning Technologies may be faced with 30+ different privacy standards in order to operate in Europe. We are researching ways to comply with this very complicated combination of requirements, and as of the Spring of 2025 we have not yet implemented a comprehensive plan and policy.
Warning Technologies is committed to child data protection. We are working with individual European countries to determine their specific requirements, and we intend to take the conservative approach in the interest of child safety.
The GDPR states:
"The processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years."