While most jurisdictions have passed general laws concerning online privacy protection, there are still relatively few worldwide laws that deal exclusively with online privacy protection for children.
In fact, only the US has a law specific to children's privacy as of now.
However, if you maintain a website or app that's directed towards children under the age of 13, you still need to be cautious with your information practices. Even general laws place requirements on you, and the trend started by US law looks to be spreading.
Here is what you need to know about children's online privacy throughout the world.
- 1. US Child Privacy Laws
- 1.1. COPPA
- 1.2. Compliance with COPPA
- 2. Canada Child Privacy Laws
- 2.1. PIPEDA
- 2.1.1. PIPEDA Guidelines
- 3. Australia Child Privacy Laws
- 3.1. The Privacy Act 1988
- 3.2. Precautions
- 4. UK Child Privacy Laws
- 4.1. Data Protection Act
- 4.2. Precautions
- 5. EU Child Privacy Laws
- 5.1. GDPR
- 5.2. Compliance with GDPR
US Child Privacy Laws
The US was the first to pass a law that deals strictly with children's online privacy. Called the Children's Online Privacy Protection Act (COPPA), it applies to any entity that directs websites or apps to children.
COPPA
COPPA passed in the year 2000 and was updated in 2013. Its requirements apply to any business that creates children's online products and targets them to those under 13 years of age.
Under COPPA, personal information includes first and last names, email addresses, telephone numbers, shipping address, and online identifiers, like usernames.
Geolocation data is also subject to special protection from COPPA.
This law requires special data protection for children's information and makes transparency in your information practices vital. You must not only describe the information you collect and how you use it but also offer detailed instructions for parents who no longer want you to store their children's information.
Many of the requirements can be addressed in a Privacy Policy, although you need to review your information handling procedures, too.
Some businesses, like Disney Jr., maintain a separate Privacy Policy just to address COPPA issues.
However, if you offer products to both adults and children you can include the COPPA provisions in a general Privacy Policy.
Compliance with COPPA
It's wise to review COPPA even if your business does not create children's products. Since it is impossible to police who enters your website at all times, it is a good idea to assume that children may access your products or services.
Consider adding a precautionary provision in your Privacy Policy that covers children's privacy. This clause makes it clear that you do not intend to engage with children or collect their information.
While this has not been tested in a court of law, it offers the potential to protect you from liability and is better than not including the clause.
An example of this provision is offered by Instagram:
One requirement of COPPA is that you list all agents who collect personal information on your behalf. This would include any third party advertisers. Since most sites do not allow advertisement targeting towards children, this usually does not apply. However, if you are an exception to the rule, consider naming the third parties or linking to a list containing their names.
You also need to describe the type of information you collect.
Disney Jr. provides a comprehensive list in its COPPA Privacy Policy:
Another element of COPPA that's unique from general Privacy Policies is the parents' rights section.
This set of provisions explains that you never collect or disclose more information than necessary and allows parents to review and restrict access to the information.
You also need to provide contact information so parents can make that inquiry.
Family Education Network (FEN) offers a comprehensive parents' rights section that explains all of these elements:
Another good precaution is to place dialogue boxes or notifications on your website that confirm age or request parental consent.
You can do this with a verification process similar to this:
COPPA contains the strictest requirements when it comes to children's privacy. If you follow these guidelines, it's likely your practices will conform with the expectations of other jurisdictions.
Canada Child Privacy Laws
Canada passed a comprehensive privacy bill, the Personal Information Protection and Electronic Documents Act (PIPEDA). It does not have a law specific to children's online privacy.
PIPEDA
Canadian law does not differentiate between kids and adults when it comes to online privacy. The general law does not seek to serve as a COPPA equivalent, and privacy is addressed equally for all individuals.
Even then, the Office of the Privacy Commissioner of Canada recognizes there are unique considerations when it comes to children being online.
The office posted guidelines on its website regarding companies that collect information from children. Some of these are the same as with general privacy concerns, but it also addresses the unique challenges that arise with children's personal data.
PIPEDA Guidelines
First, the office encourages businesses to never collect more information than necessary for a website or app to function. It advises those that handle children's information to be especially aware of this since children are more vulnerable and may share more than you request.
That concern goes into the second guideline, which addresses inadvertent collection.
Just because you do not mean a field to contain a full name does not mean a user will avoid submitting one. The office recommends limiting fields and rejecting user names that are too close to full names. Otherwise you may unintentionally collect information you do not need.
PIPEDA generally requires that information should never be stored for longer than necessary. This is emphasized when it comes to children's information. If you don't have an audit process for data storage, now is a good time to develop one.
The next guideline addresses transparency. It is a good idea to be specific about which services are focused on youth. You can do this by listing them directly in your Privacy Policy or providing a link.
Nick Jr. placed this provision and a link to a list of websites directed towards children under 13 years old in its Privacy Policy. This complies with COPPA, and it works well under PIPEDA, as well.
You also want to engage parents in these discussions and encourage their involvement. This creates transparency. A parent's rights section in your Privacy Policy resembling the one required by COPPA is a good way to assure this.
Like with most Privacy Policies, use plain language and a clear structure. If you adopt a FAQ-like structure, your policy may even be comprehensible to your target audience--children.
When you make your agreements available, know who is accepting the terms of your Privacy Policy. Direct these requests to parents and consider requiring a parent's email address before a child signs up. Some sites use age verification techniques, like requesting credit card numbers, to assure parents are involved.
Finally, place your efforts into prevention. Look into ways to control access by children but also prevent the information breaches that could expose you to liability. Besides a good Privacy Policy, you also need a Privacy by Design approach.
Australia Child Privacy Laws
Australia does not have a specific law regarding children's online privacy.
However, the Australian Law Reform Commission recognizes that the law may need to change to address specific concerns with children and the Internet.
The Privacy Act 1988
Australia addresses online privacy in its Privacy Act 1988. The 13 principles are assumed to apply to children and adults equally.
Protection is strict within these principles. A large burden is placed on private companies to take precautions with data they collect online, whether from adults or children.
The main shortcoming is the law does not set a minimum age at which individuals can consent to providing personal information. Even COPPA establishes that by allowing children to consent to that exchange at age 13.
There's also no process for allowing adults to make decisions on behalf of children when it comes to information privacy.
The assumption in the Office of the Australian Privacy Commissioner is that parents are available to children to help with these decisions. It does not offer guidance beyond that.
Precautions
The Australian Law Reform Commission started recognizing children's vulnerability when they are online. Besides being too willing to disclose personal information, there's also the fact that children are more likely to take marketing messages literally and perhaps make purchases online that are not authorized by their parents.
The reform commission indicated that the current Privacy Act is inadequate for addressing these concerns. While reform is discussed, private organizations look to make recommendations when it comes to children and their online privacy.
One of these organizations is the Internet Industry Association (now Communications Alliance). Formed from a desire to avoid liability, it proposed a "Privacy Code of Practice guidelines document.
This code is not immense but contains basic principles from other legal discussions. For one, it recommends making parental consent mandatory before a child under 13 provides personal information. The code heavily emphasizes education for parents and teachers too so they can help keep children's information safe online.
Right now, publications from law reform and the privacy commissioner encourage private companies to take precautions. Primarily, it's recommended that they adopt practices aligning with COPPA.
This seems to suggest that the government considers COPPA a good model for protecting children's online privacy. However, time will tell if that results in any legal changes.
UK Child Privacy Laws
Protection for children's online privacy is present in the Data Protection Act and mirrors the same protections required for adult Internet users.
Data Protection Act
Like other privacy laws mentioned here, the Data Protection Act is not specific to children. There is no COPPA-equivalent in the UK.
Protecting children's data remains theoretical and a subject of education efforts. The Council for Child Internet Safety, a volunteer organization supported by the Department for Education, encourages children to keep information safe, especially social media.
It also offers ways to help parents as children navigate the online world. Like Australia, most efforts concerning children's privacy are based on education rather than legislation.
Precautions
For the time being, if you cater to children living in the UK, complying with the Data Protection Directive is sufficient. But this is unlikely to work in the long term.
For now, the UK is a member of the EU. It will be subject to the revised General Data Protection Regulation which goes into effect May 2018. That law contains provisions specific to children's online privacy.
There is already active online discussion in the British legal community about this regulation and the effect on UK companies. So, if you transact business in the UK, you want to follow recommendations for complying with the May 2018 version of the General Data Protection Regulation.
EU Child Privacy Laws
Starting in May 2018, the EU will have a new law specifically regarding children's online privacy. This is included in the new General Data Protection Regulation (GDPR).
GDPR
When the GDPR was revised, the EU considered COPPA a model. Provisions regarding children's privacy are present in Recitals 38 and 71, and Article 12.
Recital 38 recognizes that children require extra protection regarding their personal data. Being younger, they are less aware of risks and safeguards. For that reason, the regulation seeks to extend extra protection for children when they are online.
Recital 71 is a bit less direct, as it addresses online profiling. While focused primarily on adult pursuits, like seeking health services or applying for loans, this also addresses profiling children. This is due to the fact that profiling is often based on the collection of personal data, including addresses, birthdates, and even religion and ethnicity.
Article 12 addresses transparency in information practices but specifically to those affecting children. Services directed at children should contain privacy policies that can be understood if read by children. Companies offering products and services to children must also be transparent in their information practices.
The major difference between COPPA and the GDPR is age. While COPPA allows children as young as 13 to approve of the disclosure of their personal information, the GDPR raises the minimum age to 16.
Changing the minimum age causes concern because young teenagers are active on social media. There is discussion on how to comply with this adjustment without reducing online participation by young people.
Compliance with GDPR
Compliance practices will be similar to those needed for COPPA. However, there are subtle differences.
While special data protection applies to children under 13 if you follow COPPA, the GDPR raises that minimum age to 16.
If your service or product is marketed to children in the EU, you must adjust your privacy practices to consider that minimum age.
This will not only include changing your Privacy Policy but also any age verification steps on your site.
However, the GDPR does not require verification of parental consent as it's encouraged by COPPA. So, even if you have to raise the minimum age through your site, you can technically take a child's word for on age without getting a parent involved.
There is a desire to make this easier to enforce. EU member states are looking into better age verification and there is a chance that eventually, the GDPR will reflect these preferences too.
Generally, no matter where in the world you target your services, complying with COPPA will exceed most expectations regarding children's privacy information. Right now, that is the law with the most stringent requirements when it comes to children and their personal data.
Since other jurisdictions recognize the need to treat children's privacy with special handling, you can expect more regulation in the future. Start by meeting COPPA standards and adapt as new laws go into effect.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.