Much of our personal data is online or held within electronic systems, and protecting this data has never been more important. When it comes to our children’s data, the stakes are even higher.
Which countries ensure the safety of our children’s data by restricting its collection? Where in the world is parental consent required before a company can collect a child’s data? And which countries fail to protect children’s data by leaving it undefined and, thus, treated the same as adults’ data?
Our researchers explored legislation in 50 countries to find out. We also explore the importance of having extra safeguards in place for children’s data, whether governments are bound to the same data protection principles as companies, and the privacy-encroaching age restrictions many countries are introducing under the guise of “protecting” children’s data.
- 18 of 50 countries have no specific legislation to address the collection and processing of children’s data online, while 32 have specific legislation or clear sections within their data protection laws.
- Every country with specific legislation has loopholes for government treatment of children’s data (e.g. for national security and public safety). Five countries exempt governments from these data protection principles entirely
- None of the countries prevent online government surveillance of children
- Only three countries have strict rules in place that require security assessments of third parties when sharing children’s data (others only have general laws and possible data impact assessments) and only one country (China) has strict rules on who should access children’s data internally
- 19 of the 33 countries have restrictions when it comes to profiling minors–only one (Ireland) prohibits it entirely
- Most countries have restrictions on adverts that target children. Only one, Brazil, prohibits it entirely
- Only one country, France, ensures children are also included in the consent process alongside their parent/guardian
Which countries offer the best protection for children’s online data?
Based on the 32 countries that do have specific legislation surrounding the use of children’s data online, the following countries come out on top. It is worth noting, however, that no country is perfect. Every country puts children’s data at risk through the loopholes in place for governments and the lack of rigorous policies and clear procedures surrounding the safeguarding and processing of children’s data. This is indicated in the highest-scoring country’s (France) score of 34.5 out of 44–although high, it has room for improvement.
France
Score: 34.5 out of 44
France comes out on top in this study, beating its EU neighbors by two points with its additional requirement that children are, in some cases, involved in the consent process alongside their parent/guardian. According to the French data protection agency, la Commission nationale de l’informatique et des libertés (CNIL):
“Article 45 of the French Data Protection Act states that, in the context of online services and for data processing based on the non-contractual consent of the user, the holder(s) of parental rights must give their consent jointly with that of their child if the latter is under 15 years of age. This means that consent for additional features such as setting the public/private status of a social network profile, or activating optional geolocation in an app, should in theory be based on joint agreement between the child and the holder(s) of the parental rights. In other words, parents cannot go against their child’s wishes for these types of processing and the child cannot override the parents’ objection.”
Giving children authority over their data while enforcing parental oversight is, in this digital age, a huge benefit. Not only does it ensure children are aware of data protection and their choices from the outset, it also gives them autonomy in their data privacy.
EU countries and the UK
Score: 32.5 out of 44
All of the EU countries covered (bar Switzerland, which we explore below) enjoy the benefits of GDPR’s data protection. As children’s data is clearly defined, it ensures parental consent is required and that various different protections are in place, including the right to access, delete, and alter data, restrictions on profiling and targeted adverts, clear and comprehensible privacy policies, and that parental consent is verified. These protections also apply to all types of entities, including data brokers, educational institutions, and nonprofits. Government entities are given the usual exemptions, however.
Where the GDPR could be seen to fall somewhat short is in the fact that profiling minors isn’t strictly prohibited (even though some protections are offered), that there are no specific requirements for the encryption of children’s data (or data in general), and no precise data retention periods for children’s data (it should only be retained “for as long as necessary”).
Even though children’s data and its collection and processing are clearly defined within GDPR, many areas fall upon the general law and lack clear, precise procedures.
Switzerland is an exception to the rule here because, while governed by GDPR (which provides protection for children’s data), it believes children are capable of judgment and thus gives children power over their data. Even though this is commendable to some extent, it does leave children vulnerable to having their data exploited, especially in cases where they may not understand what is being asked of their data. That’s why Switzerland has been scored as though it hasn’t got any specific legislation surrounding children’s data protection.
Saudi Arabia
Score: 31.5 out of 44
Clear and precise procedures are something that helps boost Saudi Arabia’s score. While this isn’t often a country that stands out for its data protection (it is one of the worst-scoring countries in our biometric study, for example), Saudi Arabia’s Children and Incompetents’ Privacy Protection Policy offers children’s data great protections with clear and precise requirements for all data collectors and processors.
While this policy falls short of the GDPR by not offering any restrictions for the profiling of minors and only has general restrictions on targeted advertising toward children (e.g. on age-restricted products), it does exceed the GDPR in one area. Saudi Arabia’s policy clearly mandates that third parties must be assessed and contracted based on the same high level of security as the data collector. This is only a general requirement (for all data) in GDPR.
Every country has room for improvement when it comes to children’s data protection
As we have already mentioned, every country can improve on its policies when it comes to protecting children’s data. Even though the aforementioned countries are “best in class,” they do fall short in a number of areas. That said, all of the other countries we’ve covered could look toward the GDPR as a good place to start when improving upon their existing policies. For example:
The United States – Children’s Online Privacy Protection Act (COPPA)
Score: 29.5 out of 44
The lack of comprehensive data protection in the US is a cause for concern, but the introduction of COPPA in 1998 has helped pave the way for children’s online privacy and does ensure some general protections for children.
COPPA stipulates that parental consent is required when processing the data of children under the age of 13. It applies to commercial websites and general websites that may appeal to children, while also offering some protections across educational facilities, too. It doesn’t, however, apply to nonprofits, the government, or data brokers. This is where the US’ score falls short of its EU counterparts. It also has fewer restrictions on targeted adverts than the GDPR.
Where COPPA does go one step further than GDPR is in its requirement for security assessments on third-party providers.
Nevertheless, our recent study across 500 children’s apps on Google Play found that 1 in 5 are in breach of COPPA’s rules.
China – Regulations on the Protection of Children’s Personal Information Online
Score: 28.5 out of 44
Another country that often severely encroaches on the privacy of its citizens but stands out with its clear policy for children’s online data protection is China. Thanks to the aforementioned regulations, introduced in 2019, China has created some strong data protection principles for children’s data.
Areas for improvement within the regulations include extending the regulations beyond commercial and general websites, prohibiting the profiling of minors, greater restrictions on targeted adverts, and verifying parents/guardians when obtaining consent.
But where China does excel is in its clear procedures for data collectors and processors. For example, it states, “When staff access children’s personal information, they shall be approved by the person in charge of the protection of children’s personal information or their authorized managers, record the access, and take technical measures to avoid illegal copying and downloading of children’s personal information.” It also requires measures such as encryption to ensure the safety of children’s data.
Countries need clear and comprehensive regulations surrounding the use of children’s online data
What the above shows us is that clear and comprehensive policies are essential when it comes to protecting children’s data, leaving no room for interpretation or abuse. Although the likes of China’s regulations, COPPA, and even GDPR do require further improvements, they do offer a lot of clarity around how a child’s data should be collected and processed.
Countries that fail to define children’s data, like Australia, Canada, India, Mexico, and Argentina, treat children’s data the same as adults’ data. While including children within the consent process is an integral part of ensuring their data privacy is respected at all times, having parental oversight is crucial to keeping them from harmful data processing practices and content.
Are age-verification systems the way forward?
The privacy concerns with age-verification systems
A worrying number of countries are looking to impose (or have already imposed) age-verification systems that encroach on users’ data privacy under the guise of protecting children’s data.
For example, the UK has proposed an Online Safety Bill which would, among other things, require users of websites directed to over 18s to verify their identity. Similar proposals are underway in the US with the Kids Online Safety Act (KOSA) and in Canada’s Bill S-210.
In some countries, these measures are already being introduced. For example, in Germany, pornography websites must check visitors’ ages. A recent court ruling suggested that requesting a photo ID was inadequate as children could often get hold of these, and so suggested one-time, in-person verifications (e.g. PostIdent) or identification via webcams/biometric features. And in Japan, Tinder users are required to provide a document to prove their age.
There are a number of problems with requiring this level of age verification, including the increased collection of personal data. This data is then at risk of breaches and, when linked to the use of “adult” websites, it is of an increasingly sensitive nature–something users of CAM4 know all too well. These concerns are reflected in a number of recent surveys as well. One study found 80 percent of people want age-verification controls for online porn, but 78 percent of people wouldn’t be willing to upload their ID to access this type of content.
There are also worries that implementing such measures will only lead to users being pushed toward the dark web, illegal content, and sharing platforms that don’t have the same content moderation principles as many high-profile adult websites.
What’s the solution?
At present, there is no silver bullet and there certainly isn’t one that ensures the protection of children and the privacy of all internet users. However, education (of both children and parents) is critical, as is ensuring parents are aware of the parental safety controls they can implement on their children’s devices and internet connections.
- Has a specific law (or a specific section within standard data protection laws) that addresses children’s online data privacy?
  - Yes = 5
  - Some guidelines (which are enforceable, e.g. resolutions) issued but the law lacks clarity = 2
  - No = 0
- Requirements for privacy policies (e.g. clear, comprehensible, and easily accessible)?
  - Specific requirements for children’s data privacy policies to be easy to read, easy to access, and include all of the necessary information regarding data collection, processing, and storage = 3
  - General data protection laws apply the above requirements (for all data users) = 2
  - No = 0
- Who does the legislation apply to?
  - Commercial websites
  - General websites
  - Data brokers
  - Yes (1)
  - Some exceptions (0.5)
  - No (0)
- Parental consent and authority
  - Parental consent required to collect children’s data = 3 (in some cases = 1)
  - This consent must be verified = 2
  - General law provides some provision (e.g. “explicit” or “informed” consent but nothing specific about verifying parents’ identities) = 1
  - Parental consent must be given jointly with the child/children have some authority over their data = 2
  - Parental authority is required to share data with third parties = 1 (in some cases = 0.5)
  - Parents have authority to opt-out of data collection = 1 (in some cases = 0.5)
  - Parents have authority to modify/correct existing data = 1 (in some cases = 0.5)
  - Parents have authority to request deletion of their children’s data = 1 (in some cases = 0.5)
- Restrictions on who has access to the data internally
  - Approval from the data controller is required before accessing = 2
  - In some cases, approval/oversight is required = 1
  - No restrictions = 0
- Extra steps for data security
  - Children’s data must be encrypted at all times = 3
  - Some protections but based on impact assessments/sensitive data and no specific requirements for children’s data = 2
  - Some recommendations but not fully regulated and/or mandatory = 1
  - No = 0
- Responsibility to conduct security assessments on third-party providers
  - Yes (and specific to children’s data) = 2
  - General requirement in data protection legislation = 1
  - No = 0
- Responsibility to notify children/parents of data breaches
  - Yes – including general requirements which apply to all breaches = 2
  - Some requirements (some types of breaches, e.g. sensitive data) or general recommendations = 1
  - No = 0
- Restrictions on targeted adverts
  - Targeted adverts are essentially prohibited = 3
  - Yes = 2
  - Some restrictions (e.g. regarding junk food and alcoholic beverages but not as a whole/not severely regulated or prohibited) = 1
  - No = 0
- Is the profiling of minors prohibited?
  - Yes = 2
  - Some provisions = 1
  - No = 0
- Data retention periods
  - Specific, clear periods mentioned regarding children’s data = 2
  - General requirements, e.g. “only for as long as necessary” = 1
  - None = 0
- Do privacy protections extend to online government surveillance?
  - Yes = 3
  - No = 0
Our researchers looked at the top 50 countries by GDP to see whether or not specific legislation was in place for children’s online data. Many of the countries covered may have data protection laws but, without a specific section or separate legislation for children’s data, children are treated like adults when it comes to their data. In these cases, the countries haven’t been included in our overall analysis of children’s online data policies. While they may allow for data users to request access to, delete, and amend their data, for example, this isn’t aimed specifically at children and/or their parents/guardians.
We explored 23 different aspects of these policies (detailed in the scoring) and allocated a score to each. The higher the score, the better the protections. Countries were then ranked based on their scores.
For a full list of sources, please request access here.
Data researcher: Rebecca Moody