- Key issues
Children and personal data: what's different?
By Vida Adamczewski
Fri 4 December 2020
Children are spending more and more time online and on screens. Most of these interactions are providing data to the owners of the sites, devices and applications being used. Naturally, those children, and their parents, might worry about what’s happening to their data and ask: is this safe?
According to Ofcom’s Children’s Media Use and Attitude report 2019, more parents than ever feel concerned about the risks posed to their children by their children’s online activity. Concerns about childrens’ data breaches are at an all-time high. But at the same, parents are more likely to entrust younger children with greater digital independence - around 50% of 10 year olds now own a smartphone, compared to 30% in 2015.
What’s the legal definition of a child?
According to the UN Convention on the Rights of the Child, all persons under 18 are children. There is no legal distinction between a child and a teenager, but there are laws that affect children differently depending on how old they are.
What rights do children have under GDPR?
The short answer is all of the same rights as adults. Even young children own their own personal data, so they have rights under GDPR. This actually means that a parent does not necessarily have a legal right to make a subject access request in relation to their child’s data, because that data does not belong to the parent.
Children themselves can request to view the personal data a company holds on them, to find out how it’s been used, and to have it deleted. Data collectors rely on the same legal bases for processing personal data.
This actually means that a parent does not necessarily have a legal right to make a subject access request in relation to their child’s data, because that data does not belong to the parent.
For more information, read our quick guide to GDPR here.
The definition of children’s data
If children have the same rights as adults under GDPR, is children’s data a special category? The real difference is that for each of those legal bases, children’s data comes with additional protections and conditions. The data collector has to consider and demonstrate that the collection and processing of children’s data does not harm the child, or compromise the child’s best interests. Data collectors must make their privacy notices clear and accessible to children, or tailor notices specifically for them. The data collector also has to tailor their requests for consent to data collection and use (more detail on this later).
Internet services do not have to be offered directly to children to be bound by these rules. The ICO considers a service to be "made available to children” if the service is offered to users without age restrictions or where any age restriction allows users under the age of 18.
Getting 'digital consent' from children
Consent is one of the main legal bases that data collectors can use to support their processing of personal data.
GDPR stipulates that only children aged 16 years and over may lawfully provide their own consent for the processing of their personal data. In the UK only, this has been lowered to 13 years.
For children below the age of digital consent, an adult with parental responsibility must provide consent. Adults with parental responsibility are not necessarily the biological parents of the child, and there certainly may be more than one adult with this responsible status.
The data collector must also make reasonable efforts to verify that the person providing parental consent is, in fact, responsible for the child. Ideally, it should be hard for a 12 year old to tick the box in place of their parent. The ‘reasonable efforts’ should be proportional to the risks posed to the child’s data - so, collecting an email address to send a newsletter is lower risk and needs less thorough verification measures, while a social media site is higher risk and collects more personal data, so the verification measures should be more thorough. Of course, parental responsibility, and even age, is very hard to prove without asking for more sensitive personal data and documents like passport scans for example. As collecting so much sensitive data is best avoided, these verification systems are often imperfect.
Note: If the internet service offered to the child is an online preventive or counselling service, these parental consent requirements do not apply, as that would not be in the child’s best interests.
Another legal basis for data processing is the data collector having a legitimate reason, including commercial interests, for collecting users’ data, provided that this reason is not outweighed by harms to the user, such as impinging on their rights or freedoms. This second part is particularly important when it comes to children, and GDPR emphasises this. The data collector must prioritise the child’s interests over their own.
Some of the other legal bases for processing data are affected when the data subject is a child. You can read full outlines of the law here.
Some key issues
- Sharing children’s data
According to GDPR, sharing children’s data should be avoided. Ideally, children’s data should only be shared when it is overwhelmingly in their interest, such as for safeguarding purposes. If children’s data is shared with any third-parties, there should be due diligence checks to ensure that the children’s interests are protected.
2. Children’s data and marketing
Clearly a big concern is in the use of children’s data, in particular how it’s being commercialised for use in advertising. Ofcom’s report shows that parents are increasingly concerned about the pressure on their children to make in-game purchases, for example.
GDPR does not necessarily prevent children’s personal data from being used for marketing purposes. But data collectors should be particularly careful. Data collectors should produce a DPIA (data protection impact assessment) if they are going to process children’s data for marketing to assess the risks posed to the child.
At the very least, the data collector must make it clear to the child that their data is being collected and used for marketing, and that they can ask for this processing to be stopped at any time.
Targeted advertising, which is often based on automated profiling rather than direct collection of data, is equally warned against by GDPR. Data profiling is largely an automated process, based on identifying patterns across enormous data sets. Data profiling of children is not banned by GDPR, even when it is used to make decisions about the user, such as what adverts to show them, unless that decision will have a legal or otherwise significant effect on the child. It is not clear what is included as a significant effect.
The advice from the ICO to data collectors is that organisations should generally refrain from profiling children for marketing purposes, as children are particularly susceptible to behavioural marketing and so its use is exploitative.
Children are considered to have a double vulnerability because:
- they might not realise that their personal data (such as information on their hobbies, or their email address) will be used for marketing. So this purpose must be made clear and it must be made clear that the child can object to their data being used for marketing.
- they might not be able to critically assess the marketing content and may be more easily convinced to make unwise purchasing decisions. So the marketing content must not exploit this.There are also specific advertising standards for content directed at children, and online advertising must comply with these.
3. Social media
Social media platforms generally collect four main types of data; your registration details, your activity or interaction with the site, the content you upload, data from your devices including IP addresses, GPS, cookie data. They also purchase third party data.
Though most social media sites have minimum age limits, it’s clear that they have access to an immense amount of children’s data. Some is of course gathered from the older children that legally use the services. Some of this data is derived from adult (parent and family) users, by looking at the family photos they post, the behaviour on their devices that looks more like a child’s activity, the child-relevant apps, searches and purchases. Some of it is derived from younger children who have got around the minimum age limit. According to Ofcom, WhatsApp is growing in popularity with 12-15 year olds, even though it’s minimum age limit is 16.
This large pool of data means social media sites are easily capable of profiling children (see previous section).
There have been several cases of parents raising concerns about the handling and harvesting of children’s data by social media sites. Youtube and Instagram have both had complaints raised against them. Youtube is accused of collecting data on younger children without parental consent, and Instagram of allowing children to publicly post their contact details. Both of these complaints really hinge on whether the sites made reasonable efforts to protect children’s data, whether they encoded protecting children’s data into their designs.
Quite vague and confusing, right?
Right. The law regarding children’s data is full of case by case decision making. It’s littered with reasonable efforts, balancing, and best practise. It is by no means watertight.
There are still significant gaps in the regulation and we still do not understand the full consequences of the monitoring and profiling of children. This certainly needs to improve.
Protecting children’s data
While the regulation remains inadequate and ambiguous, the answer is not as simple as cutting children off from the virtual world entirely. We know that children, and the adults that look after them, appreciate the convenience and leisure afforded by being online. We know that even older children struggle to fully comprehend the extent of data collection. Evidence suggests that good support (from schools, from parents) can make a significant difference to children’s privacy online. But, fascinatingly, risk aversion from parents, which restricts children’s play, development and agency, might reduce privacy risks but it also curtails the benefits of internet use.
Parental mediation - discussion and monitoring without being overwhelmingly restrictive - can be more empowering for children. The best way to raise children as conscientious and careful digital citizens is to educate them, so that they learn to protect themselves while reaping the benefits of technology.
Teenagers particularly, who are above the age of digital consent, should be properly informed about how their data is collected and used, and their rights under GDPR. But younger children too need to know how their data is collected, used and their right to view, correct, object to and erase that data. They should know that data is collected in ways you might not expect or notice and that it is incredibly profitable for the companies collecting it.
And parents should get clued up too! Ofcom’s report shows that parents are already on it - they’re now almost twice as likely as they were in 2018 to go online themselves for support and information on keeping their children safe.
If you'd like to give your child a way of finding out what social media companies know about them, you can use ours for free here.
Resources to Help
- LSE has a very thorough guide to understanding and looking after your children’s data.
- The Information Commissioner’s Office has lots of information on children’s data and the law.
- The Child Data Citizen project has lots of insights into raising a child in the digital age.
- Rightly can help you and your child take control of your data
Now You Know
If you notice that a site doesn’t seem to be adequately protecting children (they don’t ask for age verification, their terms and conditions are very hard to read and understand, their marketing is inappropriate, or it looks like children’s data is being shared) then you can raise a complaint or get in touch with our team for advice - we'd love to hear from you.