Where is childs data safe

Much of our personal data is online or held within electronic systems, and protecting this data has never been more important. When it comes to our children’s data, the stakes are even higher.

Which countries ensure the safety of our children’s data by restricting its collection? Where in the world is parental consent required before a company can collect a child’s data? And which countries fail to protect children’s data by leaving it undefined and, thus, treated the same as adults?

Our researchers explored legislation in 50 countries to find out. We also explore the importance of having extra safeguards in place for children’s data, whether governments are bound to the same data protection principles as companies, and the privacy-encroaching age restrictions many countries are introducing under the guise of “protecting” children’s data.

Key findings:

  • 17 of 50 countries have no specific legislation to address the collection and processing of children’s data online, while 33 have specific legislation or clear sections within their data protection laws
  • Every country with specific legislation has loopholes for government treatment of children’s data (e.g. for national security and public safety). Seven countries exempt governments from these data protection principles entirely
  • No country bans online government surveillance of children
  • Only four countries have strict rules in place that require security assessments of third parties when sharing children’s data. Others only have general laws and possible data impact assessments. Only one country (China) has strict rules on who should access children’s data internally
  • 18 of 33 countries restrict the profiling of minors. Only one, Ireland, prohibits it entirely
  • Most countries have restrictions on adverts that target children. Only Brazil and Sweden prohibit it entirely
  • France and Vietnam ensure that children are included in the consent process alongside their parent/guardian

Which countries offer the best protection for children’s online data?

Out of the 33 countries that have specific legislation regarding children’s data online, the following countries come out on top. It is worth noting, however, that no country is perfect. Every country puts children’s data at risk. This could be through the loopholes in place for governments or a lack of clear procedures/policies about how to safeguard children’s data. The highest-scoring country (France) scored 34.5 out of 44–although high, it has room for improvement.

France

Score: 34.5 out of 44

France comes out on top in this study, beating its EU neighbors by two points with its additional requirement that children are, in some cases, involved in the consent process alongside their parent/guardian. According to the French data protection agency, la Commission nationale de l’informatique et des libertés (CNIL):

“Article 45 of the French Data Protection Act states that, in the context of online services and for data processing based on the non-contractual consent of the user, the holder(s) of parental rights must give their consent jointly with that of their child if the latter is under 15 years of age. This means that consent for additional features such as setting the public/private status of a social network profile, or activating optional geolocation in an app, should in theory be based on joint agreement between the child and the holder(s) of the parental rights. In other words, parents cannot go against their child’s wishes for these types of processing and the child cannot override the parents’ objection.”

Giving children authority over their data while enforcing parental oversight is, in this digital age, a huge benefit. Not only does it ensure children are aware of data protection and their choices from the offset, it also gives them autonomy in their data privacy.

Sweden 

Score: 33.5 out of 44

Sweden does fall under countries covered by the GDPR. It gained an extra point for banning targeted adverts for children. Since 1991, Sweden has banned targeted ads for children on both TV and radio. The only other country that prohibits child-specific advertising is Brazil.

EU countries and the UK

Score: 32.5 out of 44

All of the EU countries covered (bar Switzerland, which we discuss below) enjoy the benefits of GDPR’s data protection. As children’s data is clearly defined, it ensures parental consent is required and that various different protections are in place, including the right to access, delete, and alter data, restrictions on profiling and targeted adverts, clear and comprehensible privacy policies, and that parental consent is verified. These protections also apply to all types of entities, including data brokers, educational institutions, and nonprofits. Government entities are given the usual exemptions, however.

The GDPR doesn’t strictly prohibit profiling minors. Although some protections are required, there are no specific requirements for the encryption of children’s data (or data in general), and no precise data retention periods for children’s data. The GDPR states children’s data should only be retained “for as long as necessary.”

Even though children’s data and its collection and processing are clearly defined within GDPR, many of the areas we covered in this study (e.g. sharing data with third parties, opting out of data collection, and deleting data) are covered by general laws for all ages so lack clear, precise procedures.

Switzerland is an exception to the rule here because, while governed by GDPR (which provides protection for children’s data), it states children are capable of judgment and thus gives children power over their data. Even though this is commendable to some extent, it does leave children vulnerable to having their data exploited, especially in cases where they may not understand what is being asked of them. That’s why Switzerland has been scored as though it hasn’t got any specific legislation surrounding children’s data protection.

In this update, the UK implemented its Online Safety Bill that provides strict guidelines for online services to follow. Companies covered by the code (including apps, games, connected toys and devices, and news services) must now note exactly what data they collect from children and tighten their collection and storage methods, among other things. This bill will also see age-verification systems being implemented on adult websites–something we’ll explore in more detail below.

Saudi Arabia

Score: 31.5 out of 44

In September 2023, Saudi Arabia’s data protection law came into power. Clear and precise procedures are something that helps boost Saudi Arabia’s score. While this isn’t often a country that stands out for its data protection (it is one of the worst-scoring countries in our biometric study, for example), Saudi Arabia’s Children and Incompetents’ Privacy Protection Policy (PDF) offers children’s data great protections with clear and precise requirements for all data collectors and processors.

This policy falls short of the GDPR by not offering any restrictions for the profiling of minors and only has general restrictions on targeted advertising toward children (e.g. on age-restricted products). However, it does exceed the GDPR in one area: Saudi Arabia’s policy clearly mandates that third parties must be assessed and contracted based on the same high level of security as the data collector. This is only a general requirement (for all data) in the GDPR.

What updates/changes have been made to child privacy laws this year?

India and Nigeria introduced data protection laws that provide some specific protection for children’s data for the very first time. Vietnam introduced a new data protection law that improved its score. However, it did already have some provisions for children’s data through its Law on Children and Cybersecurity Law.

India – 31 points out of 44

India’s Digital Personal Data Protection Act received presidential assent in August of this year. The law will come into force over the next ten months. It scored just half a point lower than Saudi Arabia. The 0.5 point difference is due to India providing an exemption to government agencies from the privacy law. India also doesn’t restrict the profiling of its minors, unlike countries covered by GDPR legislation.

Nigeria – 29 points out of 44

Nigeria introduced a new data protection law in June of this year. Much like India, Nigeria also allows for government exemptions and doesn’t prevent the profiling of minors. It lost points for not restricting adverts targeted at children.

Vietnam – 26 points out of 44

Vietnam improved its score by 10.5 points this time around (from 15.5 points in our previous study to 26 points). In July 2023, Vietnam implemented a new data protection policy regulating the collection of personal data. Children over the age of 7 are required to provide their consent alongside their parent or guardian. Parental consent is required to opt out, modify, and delete a child’s data.

Every country has room for improvement when it comes to children’s data protection

As we have already mentioned, every country can improve on its policies when it comes to protecting children’s data. Even though the aforementioned countries are “best in class,” they do fall short in a number of areas. That said, all of the other countries we’ve covered could look toward the GDPR as a good place to start when improving upon their existing policies. For example:

The United States – Children’s Online Privacy Protection Act (COPPA)

Score: 29.5 out of 44

The lack of comprehensive data protection in the US is a cause for concern, but the introduction of COPPA in 1998 has helped pave the way for children’s online privacy and does ensure some general protections for children.

COPPA stipulates that parental consent is required when processing the data of children under the age of 13. It applies to commercial websites and general websites that may appeal to children, while also offering some protections across educational facilities, too. It doesn’t, however, apply to nonprofits, the government, or data brokers. This is where the US’ score falls short of its EU counterparts. It also has fewer restrictions on targeted adverts than the GDPR.

Where COPPA does go one step further than GDPR is in its requirement for security assessments on third-party providers.

Nevertheless, our recent study across 500 children’s apps on Google Play found that over 1 in 4 are in breach of COPPA’s rules.

China – Regulations on the Protection of Children’s Personal Information Online

Score: 28.5 out of 44

China severely encroaches on the privacy of its citizens but stands out with its clear policy for children’s data. Regulations introduced in 2019 set up some strong data protection standards for children’s data.

Areas for improvement would include extending the regulations beyond commercial and general websites, prohibiting the profiling of minors, greater restrictions on targeted adverts, and verifying parents/guardians when obtaining consent.

But where China does excel is in its clear procedures for data collectors and processors. For example, it states, “When staff access children’s personal information, they shall be approved by the person in charge of the protection of children’s personal information or their authorized managers, record the access, and take technical measures to avoid illegal copying and downloading of children’s personal information.” It also requires measures such as encryption to ensure the safety of children’s data.

Countries need clear and comprehensive regulations surrounding the use of children’s online data

Clear and comprehensive policies are essential when it comes to protecting children’s data, leaving no room for interpretation or abuse. Although the likes of China’s regulations, COPPA, and even GDPR require further improvements, they offer a lot of clarity about how a child’s data should be collected and processed.

Countries that fail to define children’s data, like Australia, Canada, India, Mexico, and Argentina, treat children’s data the same as adults. While including children within the consent process is an integral part of ensuring their data privacy is respected at all times, having parental oversight is crucial to keeping them from harmful data processing practices and content.

Are age-verification systems the way forward?

No–they’re not.

Age-verification systems are a threat to privacy

A worrying number of countries are looking to impose (or have already imposed) age-verification systems that encroach on users’ data privacy under the guise of protecting children.

For example, the UK has enforced an Online Safety Bill, which became legally binding in October of this year. Among other things, it requires users of websites aimed at people over age 18 to verify their identity. Similar proposals are underway in France and several US states have introduced similar systems (see our Internet Censorship study for more information). 

In Germany, pornography websites must check visitors’ ages. A recent court ruling suggested that requesting a photo ID was inadequate because children could often get hold of false pictures. The ruling suggested one-time, in-person verifications (e.g. PostIdent) or identification via webcams/biometric features. In France, social media sites are now required to verify that children are at least 15 years old using a “technical solution.”

There are a number of problems with requiring this level of age verification, including the increased collection of personal data. This data is put at risk of breaches, and when linked to “adult” websites, it is of an increasingly sensitive nature–something users of CAM4 know all too well. These concerns are reflected in a number of recent surveys as well. One study found 80 percent of people want age-verification controls for online porn, but 78 percent of people wouldn’t be willing to upload their ID to access this type of content.

Implementing such measures will only lead to users being pushed toward the dark web, illegal content, and sharing platforms that don’t have the same content moderation principles as many high-profile adult websites.

What’s the solution?

At present, there is no silver bullet and there certainly isn’t one that ensures the protection of children and the privacy of all internet users. However, education (of both children and parents) is critical, as is ensuring parents are aware of the parental safety controls they can implement on their children’s devices and internet connections.

Scoring

  • Has a specific law (or a specific section within standard data protection laws) that addresses children’s online data privacy?
    • Yes = 5
    • Some guidelines (which are enforceable, e.g. resolutions) issued but the law lacks clarity = 2
    • No = 0
  • Requirements for privacy policies (e.g. clear, comprehensible, and easily accessible)?
    • Specific requirements for children’s data privacy policies to be easy to read, easy to access, and include all of the necessary information regarding data collection, processing, and storage = 3
    • General data protection laws apply the above requirements (for all data users) = 2
    • No = 0
  • Who does the legislation apply to?
    • Commercial websites
    • General websites
    • Data brokers
    • Non-profits
    • Government
    • Schools
      • Yes (1)
      • Some exceptions (0.5)
      • No (0)
  • Parental consent and authority
    • Parental consent required to collect children’s data = 3 (in some cases = 1)
      • This consent must be verified = 2
      • General law provides some provision (e.g. “explicit” or “informed” consent but nothing specific about verifying parents’ identities) = 1
    • Parental consent must be given jointly with the child/children have some authority over their data = 2
    • Parental authority is required to share data with third parties = 1 (in some cases = 0.5)
    • Parents have authority to opt-out of data collection = 1 (in some cases = 0.5)
    • Parents have authority to modify/correct existing data = 1 (in some cases = 0.5)
    • Parents have authority to request deletion of their children’s data = 1 (in some cases = 0.5)
  • Restrictions on who has access to the data internally
    • Approval from the data controller is required before accessing = 2
    • In some cases, approval/oversight is required = 1
    • No restrictions = 0
  • Extra steps for data security
    • Children’s data must be encrypted at all times = 3
    • Some protections but based on impact assessments/sensitive data and no specific requirements for children’s data = 2
    • Some recommendations but not fully regulated and/or mandatory = 1
    • No = 0
  • Responsibility to conduct security assessments on third-party providers
    • Yes (and specific to children’s data) = 2
    • General requirement in data protection legislation = 1
    • No = 0
  • Responsibility to notify children/parents of data breaches
    • Yes – including general requirements which apply to all breaches = 2
    • Some requirements (some types of breaches, e.g. sensitive data) or general recommendations = 1
    • No = 0
  • Restrictions on targeted adverts
    • Targeted adverts are essentially prohibited = 3
    • Yes = 2
    • Some restrictions (e.g. regarding junk food and alcoholic beverages but not as a whole/not severely regulated or prohibited) = 1
    • No = 0
  • Is the profiling of minors prohibited?
    • Yes = 2
    • Some provisions = 1
    • No = 0
  • Data retention periods
    • Specific, clear periods mentioned regarding children’s data = 2
    • General requirements, e.g. “only for as long as necessary” = 1
    • None = 0
  • Do privacy protections extend to online government surveillance?
    • Yes = 3
    • No = 0

Methodology

Our researchers looked at the top 50 countries by GDP to see whether or not specific legislation was in place for children’s online data.

In this update, New Zealand is in and Peru is out. Many of the countries covered may have data protection laws, but without a specific section or separate legislation for children’s data, children are treated like adults when it comes to their data. In these cases, the countries haven’t been included in our overall analysis of children’s online data policies. While they may allow users to request access to, delete, and amend their data, for example, this isn’t aimed specifically at children and/or their parents/guardians.

We explored 23 different aspects of these policies, detailed above, and allocated a score to each. The higher the score, the better the protections. Countries were then ranked based on their scores.

For a full list of sources, please request access here.

Data researchers: Charlotte Bond, Rebecca Moody