We recently published an article detailing the five core principles of fair information practices. In that post, we mentioned that these have to be adapted when it comes to collecting information from children. This guide will examine those adaptations.
The principles we outlined hinge heavily upon the provider of the data having apt judgment to decide whether or not to hand over their details. Of course, there’s a strong chance that a child will lack this type of judgement.
There are plenty of laws and regulations that recognize the inherent vulnerability of children, and fair information practices are no different. We’re accustomed to parents or guardians taking responsibility for completing medical, financial, or legal forms, and the online environment should mirror that. It comes down to the fact that it’s the job of parents to ensure that their children’s information is protected. As such, when entities collect data from children, they should ensure that parents are adequately equipped to offer that protection.
Aside from the resources mentioned in the previous article, there are also certain child-specific regulations, including the Children’s Online Privacy Protection Rule (COPPA) in the US and the Student Online Personal Information Protection Act (SOPIPA) in California.
In the preceding article, there were five core principles of fair information practices centering around notice, consent, access, accuracy and security, and enforcement and redress. Since enforcement and redress pertain to entities and governing bodies rather than consumers, that principle remains consistent when it comes to children. In this post, we’ll cover the four remaining principles of information practices as they pertain to children and their parents.
Notice and awareness
We talked about entities giving sufficient notice to consumers before collecting information. In the case of children, it is the parents who should be given notice. Firstly, they must be made aware that the entity is collecting details in the first place. Other important details that need to be provided include how the information will be used and who will have access to it.
For example, it should be clear if information will be used for a purpose other than the primary one. It must also be absolutely clear if the data provided will be given or sold to third parties. For example, the Wildlife Conservation Society (WCS) privacy policy explains in detail what information is collected from children and how it is used.
Under COPPA, entities can’t collect personally identifiable information from users under 13. Accordingly, WCS site registrants under the age of 13 are instructed not to use their real first or last name when creating a username.
Giving parents sufficient notice becomes trickier in today’s evolving technological world. Many parents of today didn’t grow up with social media platforms, messaging apps, group gaming, and similar online communication systems. Even if they did, it likely wasn’t to the extent that children are immersed in it today.
As such, it’s also the responsibility of entities to describe in detail the types of activities that are undertaken on their sites. After all, if a child is handing over details to sign up, the nature of the activity undertaken on the site constitutes part of how the information will be used.
This is particularly important in some of the applications we just mentioned where communication is possible. Ultimately, when parents have full knowledge of a site’s activities, they are far better equipped to monitor their children’s activities and protect them from potential harm.
Choice and consent
As with collecting information from adults, choice and consent go hand in hand with notice and awareness. Along with providing parents with notice as detailed above, entities have to give them adequate opportunity to decide whether or not the information is given and how it is used (if there are options).
This is especially important when information is being offered to third parties. Parents should be given the opportunity to say no to this. If there are steps that a parent can take to control the use of the data provided, then these should be clearly laid out and easily accessible within the site.
Of course, entities can only do so much and their job is to provide clarity for parents. It’s then on the parents to adequately monitor their child’s online activity, view the information that’s provided, and make their own judgement.
Sites like GeckoLife reiterate this in their privacy policy.
GeckoLife recognises that some younger children may not understand some of the information contained on our Site or the way our Site operates. Please discuss this Privacy and Confidentiality Policy with your children so that they will better understand the way to use our Site and the information they may be asked to provide.
Later in the policy, the company emphasizes the importance of not revealing any personal details in chat boards and other forums. After all, as a social media network, it really has no control over who might be collecting data that is made public by its users.
Access and participation
In our previous post, we talked about how entities must ensure that the information consumers have provided is easily accessible and can be changed or contested if necessary.
This becomes especially important in the case of children. Of course, the nature of children’s general behavior means that parents could be learning about them handing over information after the fact. As such, if and when they do find out, they won’t know exactly what details have been disclosed.
Sites like Kidoz bypass this issue by stating that parents themselves must create accounts for their children. This company partners with PRIVO, a third-party organization that provides a full suite of privacy services. These include helping ensure companies comply with regulations like COPPA, and giving them the parental verification tools to do so.
However, if an entity does accept information from children themselves, they have to make it easy for parents to access this data and be explicit about the steps they can take to contest or alter it.
Integrity and security
As with adults, the integrity of children’s information is strongly linked to access and participation. This is particularly important as a child is more likely to – knowingly or not – hand over incorrect data. Additionally, they may not understand the consequences of doing so.
Submitting false or incorrect information could have implications for the child or the family now or in the future. Depending on the nature of the data, it could impact anything from personal safety to education to health.
For example, under the HIPAA regulation, one of the most important points regarding children is that parents and/or representative guardians should have access to the child’s medical records. Of course, depending on the nature of the incorrect information, it might be difficult in some instances for this access to be granted.
To ensure integrity, we come back to accessibility and making it easy for parents to access and make adjustments to their children’s data. Entities can also go a step further and verify details that are being submitted. This is especially prevalent in cases where parents are the ones creating or verifying accounts. We mentioned PRIVO earlier and indeed their software is used to verify the identity of parents by various means, including through a credit card or social security number.
We also talked about data security in our previous post. As mentioned, children are considered a vulnerable group. Therefore, their information is even more sensitive than that of adults. For example, a child receiving a scam email as a result of their details being leaked may be more prone to fall for it.
Sites like G Suite for Education have come under scrutiny for how they collect and use the data of children. As a result, they have plenty of answers to questions regarding security in their privacy and security page.
As you can see, while the core principles of fair information practices for children remain similar to those for adults, there are some additional facets to be aware of. Entities dealing with children’s information should take extra care to ensure that parents are given sufficient opportunity to protect their child’s information.
Parents should educate themselves about what is expected from entities. Thankfully, there are an increasing number of resources to help parents do this including sites like Common Sense Media and Parent Zone. In an evolving technological world, it’s also crucial for parents to work together with their children and educate them about the importance of security and privacy online.
COPPA Compliance 101
The Children’s Online Privacy Protection Act has been widely criticized as ineffective and burdensome, but nonetheless it remains the premier federal law when it comes to children’s privacy.
Who must comply?
Any website or online service directed at children under age 13 that collects personal information from children must comply with COPPA by law. Additionally, if you operate a website for a general audience but are aware that you are collecting personal information from children, you must also comply.
Whether a website targets children is determined by subject matter, content, age of models on the site, language, advertising content, and use of child-oriented features.
What is personal information?
COPPA defines personal information as any individually identifiable information that is collected online. This includes:
- Name
- Address
- Email address
- Phone number
- Information collected through tracking mechanisms like cookies
- Any other information that would allow someone to contact or identify a child
Privacy notice placement
Website operators must place a link to a notice of information practices on their home page and each area where personal details are collected from children. If it’s a general audience website, the links must be posted on the home page of the children’s area.
Links must be clear and prominent. If a link is indistinguishable from other links on the site, it doesn’t count.
Notice contents
The notice of information practices must include a few things:
- Name and contact information of all operators who collect or maintain children’s information through the site or service.
- What personal information is collected from children (see above for what constitutes personal information).
- How the personal information is used.
- Whether personal information is shared with third parties. If so, what kinds of businesses the third parties are engaged in, how they use the data, and whether they agree to maintain confidentiality and security.
- The parent must be able to agree to collection of their children’s information without having to also consent to it being shared with third parties.
- The operator may not require children to disclose more personal information than what is reasonably necessary.
- The parent can review the child’s personal information, ask to have it deleted, and refuse to allow any further collection or use of their children’s information. It must include procedures for parents to carry out these tasks.
Direct notice to parents and verifiable consent
Website operators must also give parents direct notice containing all the same information as the notice posted on the site. This can be delivered by email, postal mail, or some other means.
Operators must make a reasonable effort to notify and obtain verifiable consent from the child’s parent before collecting personal information.
Public disclosure
If you want to disclose a child’s personal details to third parties or make them publicly available, a more reliable method of obtaining consent is required, such as:
- Having parents sign a physical form and sending it via mail or fax.
- Verifying a credit card number in connection with a transaction.
- Taking calls from parents by trained personnel on a toll-free number.
- An email accompanied by a digital signature.
Exceptions
Prior parental consent is not required when:
- The purpose of collecting a child’s email address is to send them a consent form.
- A child’s email address is collected to respond to a one-time request and is subsequently deleted.
- A child’s email address is collected to respond more than once to a single request. Newsletters are one such example. Operators must still notify parents and give them the option to stop communication after the initial communication.
- The operator collects a child’s name or information to protect their safety. Operators must still notify parents and give them the option to prevent further use of the information.
- The purpose of collecting a child’s name is to protect the security or liability of the site or to respond to law enforcement.
New notice for consent
If there are any material changes in the collection, use, or disclosure practices for children’s personal information, a new notice must be sent to parents.
Access verification
Website operators must verify parents’ identities before handing over their kids’ personal information upon request. This can be done using the same methods used for public disclosure (see above).
Revocation and deletion
If a parent revokes their consent or requests their child’s personal data be deleted, the operator must comply. But operators may terminate the service if the information at issue is required for the child’s participation in the activity.
“Browsing” by rawpixel licensed under CC BY 2.0