Protecting children's privacy in a digital world
Sofie Geurts
Legal Consultant
Published on 15 October, 2024
In a technology-driven world, children are continually engaging with digital platforms at younger ages. Studies show that a significant portion of children under the age of eight now have access to digital devices such as tablets and smartphones, with access rates still rising over the past few years. This trend is largely driven by the integration of technology into everyday life and the growing availability of child-friendly content and apps. Although this technology has shown benefits in improving the cognitive and communication skills of the next generation, questions around the privacy rights of minors are (in our opinion) not adequately addressed. A recent training session built around a hypothetical scenario constructed by the International Association of Privacy Professionals (IAPP) provides a more tangible overview of the challenges of protecting children’s privacy. In this blog, we’ll explore the key findings of the study and outline actionable steps to safeguard children’s privacy.
The IAPP conducted a case study centered around a hypothetical app, “PerfectPetPal” (PPP), a pet simulator aimed at attracting a broad audience, including children. This app was created to test the application of various privacy laws. Participants used the app’s scenarios to understand how different privacy regulations impact its operations. For the gamers and privacy-interested amongst us, here is some background information on the fictional app.
About PerfectPetPal
PerfectPetPal is a pet simulator app with over 100 million monthly active users globally, where users can create, customize, and interact with virtual pets. The app offers various engaging features, including the “Look Alike” tool, which allows users to upload selfies to customize their pets to resemble them, and “PetPoll,” a quiz that helps tailor pets to users’ preferences. Users can also take their pets on virtual and real-life walks, known as “prambles,” which suggest pet-related locations and shopping deals. Social interaction is encouraged through “pleagues,” interest-based groups where users can share pet photos and tips, and “PetTales,” a storytelling feature that creates personalized stories using information shared by users. The app uses a virtual currency called “petcoin” for purchasing items and experiences for pets. Although PPP advertises a “data law compliant” status, there are concerns about its extensive data collection, especially from children, and about the clarity of its privacy notices and consent processes.
Here are the things that we find noteworthy:
The study shows the importance of determining whether your platform is directed at or likely to be accessed by children. This understanding is vital for implementing appropriate privacy measures, including age verification and parental consent mechanisms, to comply with laws like COPPA and GDPR. Properly identifying your audience helps protect young users and make sure that your platform meets legal requirements.
Conducting Data Protection Impact Assessments (DPIAs) is essential when dealing with children’s data, as it is often considered high-risk due to its sensitivity. A DPIA helps organizations assess potential privacy risks associated with the collection, use, or disclosure of children’s data and develop strategies to mitigate these risks. This is especially important in regions like the EU, Canada, and various U.S. states where conducting DPIAs or Privacy Impact Assessments (PIAs) is mandated by law. The DPIA process should consider the perspectives and experiences of young users and include an intersectional analysis to address the privacy risks for vulnerable children.
For more detailed guidance on performing a DPIA, refer to our blog on DPIAs.
The case study underlines the importance of obtaining verifiable parental consent when collecting children’s data, as required by regulations like GDPR and COPPA. For children under the age of digital consent (typically 13 to 16, depending on the jurisdiction), consent must be obtained from a parent or guardian, and reasonable efforts must be made to verify this consent. Additionally, the data collected should be minimized to only what is necessary for the intended purpose. For instance, collecting extensive personal details such as home addresses and phone numbers without justifiable necessity may violate data minimization principles under GDPR Article 5(1)(c) and similar provisions in U.S. law. Organizations are responsible for making sure that the amount and type of data collected are proportionate to their specific use case, adhering to strict data protection standards.
For more detailed guidance on parental consent, refer to our blog on consent.
The case study reveals the importance of creating privacy notices that are clear, concise, and easily understandable by children and their parents. A 39-page privacy notice, as seen in PPP’s example, is not user-friendly and may violate transparency requirements under regulations like the GDPR and COPPA. These laws mandate that privacy information be provided in plain, non-technical language and be easily accessible, particularly when services are used by children. The GDPR’s Article 12 and guidelines from the ICO and other authorities stress that all information must be presented in a way that resonates with children, potentially using visual aids or simplified formats to enhance understanding.
The user interface plays a vital role in obtaining valid consent and avoiding dark patterns, i.e. deceptive design practices that manipulate users, particularly children, into making privacy-compromising decisions. For example, pop-ups with options like “Yes,” “Ask me later,” or “I’m not sure” can confuse children into sharing more data than necessary. Regulatory bodies, including the DPC and FTC, emphasize that such tactics do not meet the standards for valid consent. Instead, interfaces should present choices equally, making privacy-friendly options as straightforward to select as any other. The ICO Children’s Code encourages designs that promote privacy-preserving behaviors.
The case study underscores the need for heightened protection when handling sensitive data, such as biometric and location information, especially concerning children. PPP’s features like “Look Alike,” which uses biometric data, and “pramble,” which utilizes precise geolocation, require strict adherence to privacy laws. Under GDPR Article 9 and various U.S. state laws, biometric data is considered highly sensitive, and its processing is heavily restricted without explicit consent or a clear legal basis. Similarly, geolocation data, particularly when tracking children’s movements, demands privacy measures, including obtaining consent from parents or guardians and keeping in mind data minimization. Organizations have to make sure that such sensitive data is only collected and processed when necessary, with clear and informed consent, to protect children’s privacy and comply with regulatory requirements.
The digital landscape and privacy regulations are continually evolving. Regular reviews and updates to privacy practices are essential to remain compliant and address new risks. Organizations should conduct periodic audits and revise policies as needed to protect children’s privacy effectively and reduce potential legal exposure.
How to tackle children’s privacy
- Implement an ISMS or PIMS: Establish an Information Security Management System (ISMS) or Privacy Information Management System (PIMS) following the ISO 27001 or ISO 27701 standards to structure data protection within your organization.
- Conduct DPIAs: Regularly perform DPIAs to identify and mitigate privacy risks associated with processing children’s data.
- Map relevant laws and practices: Stay informed about applicable laws, regulations, and best practices concerning children’s privacy, such as GDPR, COPPA, and the Age Appropriate Design Code.
- Develop clear privacy notices: Craft concise and accessible privacy notices that clearly explain data collection and usage practices, tailored to children and their parents.
- Obtain parental consent: Implement effective mechanisms to obtain verifiable parental consent in compliance with global privacy laws.
- Review and update practices regularly: Continuously review and update privacy practices to align with evolving regulations and best practices.
NAALA’s help and expertise
- Privacy and Data Protection: We offer expert guidance on adhering to global privacy laws, including GDPR, COPPA, and other relevant regulations, to help you align your data practices with legal standards.
- Information and Cyber Security: Our team specializes in implementing and maintaining an ISMS aligned with the ISO 27001 and NEN 7510 standards. We assist organizations in developing security policies and preparing for compliance audits.
- DIY Toolkits for Compliance: For organizations that prefer to manage compliance independently, NAALA offers DIY toolkits. These toolkits provide straightforward templates and guidelines to help achieve and maintain compliance with the ISO 27001 and NEN 7510 standards, making privacy management a seamless part of their workflow.
- Ongoing Compliance Support: Through our Officer-as-a-Service offering, NAALA provides Data Protection Officers (DPOs), Privacy Officers, and Security Officers to oversee your compliance needs, conduct audits, and monitor privacy and security practices against the latest regulations.
Questions? We are happy to discuss your specific case.
Curious to learn more? Visit our Knowledge Center for further insights, or reach out to us directly for a tailored discussion on how we can support your journey toward compliance and data protection excellence.
*Your commitment to protecting children’s privacy starts here.*