Last updated on 01 July 2022 by Jocelyn Mackie (Former civil litigation attorney. Content legal strategist at TermsFeed)
While most jurisdictions have passed general laws concerning online privacy protection, there are still relatively few worldwide laws that deal exclusively with online privacy protection for children.
In fact, only the US has a law specific to children's privacy as of now.
However, if you maintain a website or app that's directed towards children under the age of 13, you still need to be cautious with your information practices. Even general laws place requirements on you, and the trend started by US law looks to be spreading.
Here is what you need to know about children's online privacy throughout the world.
The US was the first to pass a law that deals strictly with children's online privacy. Called the Children's Online Privacy Protection Act (COPPA), it applies to any entity that directs websites or apps to children.
COPPA passed in the year 2000 and was updated in 2013. Its requirements apply to any business that creates children's online products and targets them to those under 13 years of age.
Under COPPA, personal information includes first and last names, email addresses, telephone numbers, shipping addresses, and online identifiers, like usernames.
Geolocation data is also subject to special protection from COPPA.
This law requires special data protection for children's information and makes transparency in your information practices vital. You must not only describe the information you collect and how you use it but also offer detailed instructions for parents who no longer want you to store their children's information.
It's wise to review COPPA even if your business does not create children's products. Since it is impossible to police who enters your website at all times, it is a good idea to assume that children may access your products or services.
While this has not been tested in a court of law, it offers the potential to protect you from liability and is better than not including the clause.
An example of this provision is offered by Instagram:
One requirement of COPPA is that you list all agents who collect personal information on your behalf. This would include any third party advertisers. Since most sites do not allow advertisement targeting towards children, this usually does not apply. However, if you are an exception to the rule, consider naming the third parties or linking to a list containing their names.
You also need to describe the type of information you collect.
Another element of COPPA that differs from general Privacy Policies is the parents' rights section.
This set of provisions explains that you never collect or disclose more information than necessary and allows parents to review and restrict access to the information.
You also need to provide contact information so parents can make that inquiry.
Family Education Network (FEN) offers a comprehensive parents' rights section that explains all of these elements:
Another good precaution is to place dialogue boxes or notifications on your website that confirm age or request parental consent.
You can do this with a verification process similar to this:
COPPA contains the strictest requirements when it comes to children's privacy. If you follow these guidelines, it's likely your practices will conform with the expectations of other jurisdictions.
Canada passed a comprehensive privacy bill, the Personal Information Protection and Electronic Documents Act (PIPEDA). It does not have a law specific to children's online privacy.
Canadian law does not differentiate between kids and adults when it comes to online privacy. The general law does not seek to serve as a COPPA equivalent, and privacy is addressed equally for all individuals.
Even then, the Office of the Privacy Commissioner of Canada recognizes there are unique considerations when it comes to children being online.
The office posted guidelines on its website regarding companies that collect information from children. Some of these are the same as for general privacy concerns, but they also address the unique challenges that arise with children's personal data.
First, the office encourages businesses to never collect more information than necessary for a website or app to function. It advises those that handle children's information to be especially aware of this since children are more vulnerable and may share more than you request.
That concern goes into the second guideline, which addresses inadvertent collection.
Just because you do not mean a field to contain a full name does not mean a user will avoid submitting one. The office recommends limiting fields and rejecting user names that are too close to full names. Otherwise you may unintentionally collect information you do not need.
PIPEDA generally requires that information should never be stored for longer than necessary. This is emphasized when it comes to children's information. If you don't have an audit process for data storage, now is a good time to develop one.
As with most Privacy Policies, use plain language and a clear structure. If you adopt a FAQ-like structure, your policy may even be comprehensible to your target audience: children.
Australia does not have a specific law regarding children's online privacy.
However, the Australian Law Reform Commission recognizes that the law may need to change to address specific concerns with children and the Internet.
Australia addresses online privacy in its Privacy Act 1988. The 13 principles are assumed to apply to children and adults equally.
Protection is strict within these principles. A large burden is placed on private companies to take precautions with data they collect online, whether from adults or children.
The main shortcoming is that the law does not set a minimum age at which individuals can consent to providing personal information. Even COPPA establishes that by allowing children to consent to that exchange at age 13.
There's also no process for allowing adults to make decisions on behalf of children when it comes to information privacy.
The assumption in the Office of the Australian Privacy Commissioner is that parents are available to children to help with these decisions. It does not offer guidance beyond that.
The Australian Law Reform Commission started recognizing children's vulnerability when they are online. Besides being too willing to disclose personal information, there's also the fact that children are more likely to take marketing messages literally and perhaps make purchases online that are not authorized by their parents.
The reform commission indicated that the current Privacy Act is inadequate for addressing these concerns. While reform is discussed, private organizations look to make recommendations when it comes to children and their online privacy.
This code is not immense but contains basic principles from other legal discussions. For one, it recommends making parental consent mandatory before a child under 13 provides personal information. The code heavily emphasizes education for parents and teachers too so they can help keep children's information safe online.
Right now, publications from law reform and the privacy commissioner encourage private companies to take precautions. Primarily, it's recommended that they adopt practices aligning with COPPA.
This seems to suggest that the government considers COPPA a good model for protecting children's online privacy. However, time will tell if that results in any legal changes.
Protection for children's online privacy is present in the UK's Data Protection Act and mirrors the protections required for adult Internet users.
Like other privacy laws mentioned here, the Data Protection Act is not specific to children. There is no COPPA-equivalent in the UK.
Protecting children's data remains theoretical and a subject of education efforts. The Council for Child Internet Safety, a volunteer organization supported by the Department for Education, encourages children to keep information safe, especially on social media.
It also offers ways to help parents as children navigate the online world. Like Australia, most efforts concerning children's privacy are based on education rather than legislation.
For the time being, if you cater to children living in the UK, complying with the Data Protection Directive is sufficient. But this is unlikely to work in the long term.
For now, the UK is a member of the EU. It will be subject to the revised General Data Protection Regulation which goes into effect May 2018. That law contains provisions specific to children's online privacy.
There is already active online discussion in the British legal community about this regulation and the effect on UK companies. So, if you transact business in the UK, you want to follow recommendations for complying with the May 2018 version of the General Data Protection Regulation.
Starting in May 2018, the EU will have a new law specifically regarding children's online privacy. This is included in the new General Data Protection Regulation (GDPR).
When the GDPR was revised, the EU considered COPPA a model. Provisions regarding children's privacy are present in Recitals 38 and 71, and Article 12.
Recital 38 recognizes that children require extra protection regarding their personal data. Being younger, they are less aware of risks and safeguards. For that reason, the regulation seeks to extend extra protection for children when they are online.
Recital 71 is a bit less direct, as it addresses online profiling. While focused primarily on adult pursuits, like seeking health services or applying for loans, this also addresses profiling children. This is due to the fact that profiling is often based on the collection of personal data, including addresses, birthdates, and even religion and ethnicity.
Article 12 addresses transparency in information practices but specifically to those affecting children. Services directed at children should contain privacy policies that can be understood if read by children. Companies offering products and services to children must also be transparent in their information practices.
The major difference between COPPA and the GDPR is age. While COPPA allows children as young as 13 to approve of the disclosure of their personal information, the GDPR raises the minimum age to 16.
Changing the minimum age causes concern because young teenagers are active on social media. There is discussion on how to comply with this adjustment without reducing online participation by young people.
Compliance practices will be similar to those needed for COPPA. However, there are subtle differences.
While special data protection applies to children under 13 if you follow COPPA, the GDPR raises that minimum age to 16.
If your service or product is marketed to children in the EU, you must adjust your privacy practices to consider that minimum age.
However, the GDPR does not require verification of parental consent, which COPPA encourages. So, even if you have to raise the minimum age on your site, you can technically take a child's word on age without getting a parent involved.
There is a desire to make this easier to enforce. EU member states are looking into better age verification and there is a chance that eventually, the GDPR will reflect these preferences too.
Generally, no matter where in the world you target your services, complying with COPPA will exceed most expectations regarding children's privacy information. Right now, that is the law with the most stringent requirements when it comes to children and their personal data.
Since other jurisdictions recognize the need to treat children's privacy with special handling, you can expect more regulation in the future. Start by meeting COPPA standards and adapt as new laws go into effect.