We recently published an article detailing the five core principles of fair information practices. In that post, we mentioned that these have to be adapted when it comes to collecting information from children. The principles we outlined hinge heavily upon the provider of the data having the judgment to decide whether or not to hand over their details. Of course, there’s a strong chance that a child will lack this type of judgment.
There are plenty of laws and regulations that recognize the inherent vulnerability of children, and fair information practices are no different. We’re accustomed to parents or guardians taking responsibility for completing medical, financial, or legal forms, and the online environment should mirror that. It comes down to the fact that it’s the job of the parents to ensure that their children’s information is protected. As such, when entities collect data from children, they should ensure that parents are adequately equipped to offer that protection.
Aside from the resources mentioned in the previous article, there are also certain child-specific regulations, including the Children’s Online Privacy Protection Rule (COPPA) in the US and the Student Online Personal Information Protection Act (SOPIPA) in California.
The preceding article outlined five core principles of fair information practices. Since enforcement and redress pertain to entities and governing bodies rather than consumers, that principle remains consistent when it comes to children. In this post, we’ll cover the four remaining principles of information practices as they pertain to children and their parents.
Notice and awareness
We talked about entities giving sufficient notice to consumers before collecting information. In the case of children, it is the parents who should be given notice. Firstly, they must be made aware that the entity is collecting details in the first place. Other important details that need to be provided include how the information will be used and who will have access to it.
For example, it should be clear if information will be used for a purpose other than the primary one. It should also be absolutely clear if the data provided will be given or sold to third parties. The tween social media site iTwixie, for instance, speaks directly to parents when detailing what information it collects. It also explains how the information is used and when it is disposed of.
You might also notice here that no personally identifiable information is requested from the user, and a username is required rather than a real name. This site is targeted at tweens, and under COPPA, entities can’t collect personally identifiable information from users under 13.
Giving parents sufficient notice becomes trickier in today’s evolving technological world. Many parents of today didn’t grow up with social media platforms, messaging apps, group gaming, and similar online communication systems. Even if they did, it likely wasn’t to the extent that children are immersed in it today.
As such, it’s also the responsibility of entities to describe in detail the types of activities that are undertaken on their sites. After all, if a child is handing over details to sign up, the nature of the activity undertaken on the site constitutes part of how the information will be used. This is especially important in some of the applications we just mentioned where communication is possible. Ultimately, when parents have full knowledge of a site’s activities, they are far better equipped to monitor their children’s activities and protect them from potential harm.
Choice and consent
As with collecting information from adults, choice and consent go hand in hand with notice and awareness. Along with providing parents with notice as detailed above, entities have to give them adequate opportunity to decide whether or not the information is given and how it is used (if there are options).
This is especially important when information is being offered to third parties. Parents should be given the opportunity to say no to this. If there are steps that a parent can take to control the use of the data provided, then these should be clearly laid out and easily accessible within the site.
Of course, entities can only really do so much, and their job is to provide clarity for parents. It’s then on the parents to adequately monitor their child’s online activity, view the information that’s provided, and make their own judgment.
Access and participation
In our previous post, we talked about how entities must ensure that the information consumers have provided is easily accessible and can be changed or contested if necessary.
This becomes especially important in the case of children. Of course, the nature of children’s general behavior means that parents could be learning about them handing over information after the fact. As such, if and when they do find out, they won’t know exactly what details have been disclosed.
Sites like PLAYMessenger bypass this issue by not having kids enter any details at all. This company partners with PRIVO to verify adults. PRIVO offers companies a full suite of services including ensuring they comply with regulations like COPPA, and giving them the parental verification tools to do so.
However, if an entity does accept information from children themselves, they have to make it easy for parents to access this data and be explicit about the steps they can take to contest or alter it.
Integrity and security
As with adults, the integrity of children’s information is strongly linked to access and participation. This is particularly important as a child is more likely to – knowingly or not – hand over incorrect data. Additionally, they may not understand the consequences of doing so.
Submitting false or incorrect information could have implications for the child or the family now or in the future. Depending on the nature of the data, it could impact anything from personal safety to education to health. For example, under the HIPAA regulation, one of the most important points regarding children is that parents and/or representative guardians should have access to the child’s medical records. Of course, depending on the nature of the incorrect information, it might be difficult in some instances for this access to be granted.
To ensure integrity, we come back to accessibility and making it easy for parents to access and make adjustments to their children’s data. Entities can also go a step further and verify details that are being submitted. This is especially common when parents are the ones creating or verifying accounts. We mentioned PRIVO earlier, and indeed their software is used to verify the identity of parents by various means, including through a credit card or Social Security number.
We also talked about data security in our previous post. As mentioned, children are considered a vulnerable group. Therefore, their information is even more sensitive than that of adults. For example, a child receiving a scam email as a result of their details being leaked may be more prone to fall for it.
Sites like G Suite for Education have come under scrutiny for how they collect and use the data of children. As a result, they have plenty of answers to security questions on their privacy and security page.
As you can see, while the core principles of fair information practices for children remain similar to those for adults, there are some additional facets to be aware of. Entities dealing with children’s information should take extra care to ensure that parents are given sufficient opportunity to protect their child’s information.
Parents should also educate themselves about what is expected from entities. Thankfully, there is an increasing number of resources to help parents do this, including sites like Common Sense Media and Parent Zone. In an evolving technological world, it’s also crucial for parents to work together with their children and educate them about the importance of security and privacy online.