We recently published an article detailing the five core principles of fair information practices. In that post, we mentioned that these have to be adapted when it comes to collecting information from children. The principles we outlined hinge heavily upon the provider of the data having apt judgment to decide whether or not to hand over their details. Of course, there’s a strong chance that a child will lack this type of judgement.
There are plenty of laws and regulations that recognize the inherent vulnerability of children, and fair information practices are no different. We’re accustomed to parents or guardians taking responsibility for completing medical, financial, or legal forms, and the online environment should mirror that. It comes down to the fact that it’s the job of the parents to ensure that their children’s information is protected. As such, when entities collect data from children, they should ensure that parents are adequately equipped to offer that protection.
Aside from the resources mentioned in the previous article, there are also certain child-specific regulations, including the Children’s Online Privacy Protection Rule (COPPA) in the US and the Student Online Personal Information Protection Act (SOPIPA) in California.
In the preceding article, there were five core principles of fair information practices. Since enforcement and redress pertain to entities and governing bodies rather than consumers, that principle remains consistent when it comes to children. In this post, we’ll cover the four remaining principles of information practices as they pertain to children and their parents.
Notice and awareness
We talked about entities giving sufficient notice to consumers before collecting information. In the case of children, it is the parents who should be given notice. Firstly, they must be made aware that the entity is collecting details in the first place. Other important details that need to be provided include how the information will be used and who will have access to it.
For example, it should be clear if information will be used for a purpose other than the primary one. It should also be absolutely clear if the data provided will be given or sold to third parties. For example, tween social media site iTwixie speaks directly to parents when detailing what information it collects. It also explains how the information is used and when it is disposed of.
You might also notice here that no personally identifiable information is requested from the user, and a username is required versus a real name. This site is targeted at tweens, and under COPPA, entities can’t collect personally identifiable information from users under 13.
Giving parents sufficient notice becomes trickier in today’s evolving technological world. Many parents of today didn’t grow up with social media platforms, messaging apps, group gaming, and similar online communication systems. Even if they did, it likely wasn’t to the extent that children are immersed in it today.
As such, it’s also the responsibility of entities to describe in detail the types of activities that are undertaken on their sites. After all, if a child is handing over details to sign up, the nature of the activity undertaken on the site constitutes part of how the information will be used. This is especially important in some of the applications we just mentioned where communication is possible. Ultimately, when parents have full knowledge of a site’s activities, they are far better equipped to monitor their children’s activities and protect them from potential harm.
Choice and consent
As with collecting information from adults, choice and consent go hand in hand with notice and awareness. Along with providing parents with notice as detailed above, entities have to give them adequate opportunity to decide whether or not the information is given and how it is used (if there are options).
This is especially important when information is being offered to third parties. Parents should be given the opportunity to say no to this. If there are steps that a parent can take to control the use of the data provided, then these should be clearly laid out and easily accessible within the site.
Of course, entities can only really do so much and their job is to provide clarity for parents. It’s then on the parents to adequately monitor their child’s online activity, view the information that’s provided, and make their own judgement.
Access and participation
In our previous post, we talked about how entities must ensure that the information consumers have provided is easily accessible and can be changed or contested if necessary.
This becomes especially important in the case of children. Of course, the nature of children’s general behavior means that parents could be learning about them handing over information after the fact. As such, if and when they do find out, they won’t know exactly what details have been disclosed.
Sites like PLAYMessenger bypass this issue by not having kids enter any details at all. This company partners with PRIVO to verify adults. PRIVO offers companies a full suite of services including ensuring they comply with regulations like COPPA, and giving them the parental verification tools to do so.
However, if an entity does accept information from children themselves, they have to make it easy for parents to access this data and be explicit about the steps they can take to contest or alter it.
Integrity and security
As with adults, the integrity of children’s information is strongly linked to access and participation. This is particularly important as a child is more likely to – knowingly or not – hand over incorrect data. Additionally, they may not understand the consequences of doing so.
Submitting false or incorrect information could have implications for the child or the family now or in the future. Depending on the nature of the data, it could impact anything from personal safety to education to health. For example, under the HIPPA regulation, one of the most important points regarding children is that parents and/or representative guardians should have access to the child’s medical records. Of course, depending on the nature of the incorrect information, it might be difficult in some instances for this access to be granted.
In order to ensure integrity, we come back to accessibility and making it easy for parents to access and make adjustments to their children’s data. Entities can also go a step further and verify details that are being submitted. This is especially prevalent in the case when parents are the ones creating or verifying accounts. We mentioned PRIVO earlier and indeed their software is used to verify the identity of parents by various means, including through a credit card or social security number.
We also talked about data security in our previous post. As mentioned, children are considered a vulnerable group. Therefore, their information is even more sensitive than that of adults. For example, a child receiving a scam email as a result of their details being leaked may be more prone to fall for it.
Sites like G Suite for Education have come under scrutiny for how they collect and use the data of children. As a result, they have plenty of answers to security questions in their privacy and security page.
As you can see, while the core principles of fair information practices for children remain similar to those for adults, there are some additional facets to be aware of. Entities dealing with children’s information should take extra care to ensure that parents are given sufficient opportunity to protect their child’s information.
Parents should also educate themselves about what is expected from entities. Thankfully, there are an increasing number of resources to help parents do this including sites like Common Sense Media and Parent Zone. In an evolving technological world, it’s also crucial for parents to work together with their children and educate them about the importance of security and privacy online.
COPPA Compliance 101
The Children’s Online Privacy Protection Act has been widely criticized as ineffective and burdensome, but nonetheless it remains the premiere federal law when it comes to children’s privacy.
Who must comply?
Any website or online service directed at children under age 13 that collects personal info from children must comply with COPPA by law. Additionally, if you operate a website for a general audience but are aware that you are collecting personal info from kids, you must also comply.
Whether a website targets children is determined by subject matter, content, age of models on the site, language, advertising content, and use of child-oriented features.
What is personal information?
COPPA defines personal information as any individually identifiable information that is collected online. This includes:
- Email address
- Phone number
- Info collected through tracking mechanisms like cookies
- Any other info that would allow someone to contact or identify a child
Privacy notice placement
Website operators must place a link to a notice of information practices on their home page and each area where personal info is collected from children. If it’s a general audience website, the links must be posted on the home page of the children’s area.
Links must be clear and prominent. If it’s indistinguishable from other links on the site, it doesn’t count.
The notice of information practices must include a few things:
- Name and contact information of all operators who collect or maintain children’s information through the site or service.
- What personal information is collected from children (see above for what constitutes personal info)
- How the personal info is used
- Whether personal info is shared with third parties. If so, what kinds of businesses the third parties are engaged in, how they use the data, and whether they agree to maintain confidentiality and security.
- The parent must be able to agree to collection of their kids’ info without having to also consent to it being shared with third parties.
- The operator may not require kids to disclose more personal info than what is reasonably necessary.
- The parent can review the child’s personal information, ask to have it deleted, and refuse to allow any further collection or use of their child’s info. It must include procedures for parents to carry out these tasks.
Direct notice to parents and verifiable consent
Website operators must also give parents direct notice containing all the same information as the notice posted on the site. This can be delivered by email, postal mail, or some other means.
Operators must make reasonable effort to notify and obtain verifiable consent from the child’s parent before collecting personal info.
If you want to disclose a child’s personal info to third parties or make it publicly available, a more reliable method of obtaining consent is required, such as:
- Having parents sign a physical form and sending it via mail of fax
- Verifying a credit card number in connection with a transaction
- Taking calls from parents by trained personnel on a toll-free number
- An email accompanied by a digital signature
Prior parental consent is not required when:
- The purpose of collecting a child’s email address is to send them a consent form
- A child’s email address is collected to respond to a one-time request and is subsequently deleted
- A child’s email address is collected to respond more than once to a single request. Newsletters are one such example. Operators must still notify parents and give them the option to stop communication after the initial communication.
- The operator collects a child’s name or information to protect their safety. Operator’s must still notify parents and give them the option to prevent further use of the info.
- The purpose of collecting a child’s name is to protect the security or liability of the site or to respond to law enforcement
New notice for consent
If any material changes in the collection, use, or disclosure practices of children’s personal information, a new notice must be sent to parents.
Website operators must verify parents’ identities before handing over their kids’ personal information upon request. This can be done using the same methods used for public disclosure (see above).
Revocation and deletion
If a parent revokes their consent or requests their child’s personal data be deleted, the operator must comply. But operator’s may terminate the service if the information at issue is required for the child’s participation in the activity.
“Browsing” by rawpixel licensed under CC BY 2.0