
Kaveh Cope-Lahooti
The Irish Data Protection Commission (DPC) has launched a consultation on the processing of children’s personal data with a view to introducing guidance and a Code of Conduct for organisations. Although it will be some time before any steps are taken, it is important that businesses are aware of the key issues involved and consider developing and investing in their own technology solutions to meet legal requirements under the Data Protection Act and General Data Protection Regulation (GDPR).
Background
On the 19th December 2018, the DPC opened a consultation and invited public comment on the processing of children’s personal data.
The GDPR’s regulation of children’s data is open-ended. There is no direct list of information that must be provided to children (or their parents) before children’s data is processed. The different EU member states may set the age at which children themselves may consent to the processing of their data for use online, which means that, for children under that age, a parent’s consent would be required. This varies between 13 and 16 in member states, with Ireland taking 16 as the threshold – a marker of its commitment to protecting children.
The DPC intends to publish a Code of Conduct on processing children’s data. This has a basis in the Irish Data Protection Act, which encourages the formation of codes of conduct in specific sectoral areas, such as the protection of children’s rights, transparency of information and the manner in which parents’ consent is to be obtained. The Code will enable the DPC to carry out mandatory monitoring of compliance with the Code of Conduct by the controllers or processors which undertake to apply it.
Key issues raised in the consultation and possible solutions are discussed in the following paragraphs.
Age of Consent
The GDPR’s specific regulation of children’s data is largely based on a similar standard and grounds as the US’ Children’s Online Privacy Protection Rule (COPPA), which, broadly speaking, applies to children’s information (for those under the age of 13) collected, used and disclosed by websites, mobile apps, games and advertising networks (among others) online. The GDPR’s requirement is slightly narrower, however, applying to information processed by ‘information society services’ offered to a child – which must ‘normally’ be paid or intended to be paid services. It also covers where these services are only ‘offered’ – i.e. at an early stage, such as where an account creation is initiated. In these circumstances, the online service provider must make “reasonable efforts” to verify that consent is given by the holder of parental responsibility “taking into consideration available technology”.
As discussed, the fledgling nature of the regulation of children’s data means there are no prescribed methods of collecting parents’ consent – and this is largely what the consultation asks for input on. Many of the attempts to introduce a means for collecting consent have been based on recommendations and practice under COPPA, including those recommended by the US Federal Trade Commission (FTC). In particular, this is the case for the proof of parent’s consent, where there is much discussion of what mechanisms organisations must put into place to collect the relevant consent. Clearly, there must be some information needed to verify this, i.e.:
- Some form of age selection process by the user, where possible, built into the website, which must take place before a registration or a payment is made.
- Where applicable, the identification of the parent may be required to be confirmed. This could be achieved by charging a nominal fee to a registered credit card in the parent’s name.
- Parents will also need to confirm GDPR-compliant consent via an affirmative action such as signing a consent form, replying to an email or calling a number to confirm, which should be evidenced and auditable by the organisation, if possible.
In particular, it should be remembered that there are various other methods to prove or collect the required information, but each has its advantages and disadvantages. For example, it has been discussed that collecting a photograph of the parent’s ID (such as via a passport copy or other ID) would violate data minimisation requirements, even if deleted immediately. Arguably, on top of the potential to violate data minimisation requirements, the collection of this ID for verification purposes would be a far greater practical and administrative burden for organisations than charging a nominal fee to a credit card would. In particular, the verification of the ID would require sophisticated software or human intervention.
Most notably, it should be remembered that organisations should also put into place a method for the parent’s consent to be withdrawn, or the personal data deleted, in accordance with the rights under the GDPR. This would either involve saving the parent’s details – such as their email address – along with the fact that they had previously been verified as a parent – to process the request in the future.
Notification and Transparency
As the DPC notes, transparency is particularly important in the context of children’s data – such as through notices needing to be directed at children. An age-appropriate notice would have a broader application and, under the GDPR, is required regardless of whether the requirement for parent’s consent for paid online services applies or not. In particular, the DPC asks whether two separate sets of transparency information should be provided that are each tailored according to the relevant audience i.e. one for the parent and one for the child (i.e. aged under 16). Other issues that have been discussed around this include the fact that a child aged 15 will have a different capacity for understanding than a child under 10 years old.
A solution to this would be for the organisation to consider the primary age demographic that it could expect its website to be accessed by or targeted at, and to draft an appropriate notice. An age-selection method on a website’s homepage (to generate an appropriate notice) may be another method, although collecting such information so early may violate data minimisation requirements and may be cumbersome to many viewers, as well as for website owners to implement.
In relation to notifying parents, as explained previously, parents’ consent must meet the GDPR’s requirements, including that consent be ‘informed’. One solution, as the FTC recommends in relation to COPPA, could involve providing parents with information on why they are being contacted, which information was collected from the child and that the parents’ consent is required, alongside a link to the organisation’s Privacy Notice.
Children’s Rights
The consultation also touches on the issue of children’s rights, including the new rights under the GDPR, and how these are to be exercised. For example, in Canada, the Office of the Privacy Commission has proposed that, where information about children is posted online (by themselves or others), the right to remove it should be ‘as close to absolute as possible’, a sentiment echoed in Article 17(1)(f) of the GDPR. Ireland has taken a similar approach, for example, whereby under the Irish Data Protection Act, there is a stronger ‘right to be forgotten’. This applies to children whose personal data has been processed for information society services, without the need to prove that the processing was no longer necessary or unlawful, or the legitimate interest is unjustified, etc. As such, where the right to erasure does not apply absolutely (i.e. where consent is not relied on) organisations should be prepared to make such an objective assessment, considering (for example) whether the child or the guardian would have been aware of the use of the child’s personal data, and whether it was used in particularly invasive instances of processing.
Profiling
Additionally, whilst there has been some discussion among European supervisory authorities that children’s data will be particularly protected under data protection legislation, Ireland has gone further than this to protect children’s rights. In particular, the Data Protection Act 2018 has made it an offence to process children’s data (children, for this specific section, meaning those aged under 18, not under 13) for direct marketing, profiling or micro-targeting, regardless of consent. This has very wide implications – where profiling could simply be carried out by marketing or retail companies to tailor products and services to their child customers. On the broadest reading, this would also exclude using factors from marketing that are likely to specifically target children, such as an online user’s interest in toys or browsing, for example.
The consultation considers the incidence of where profiling involves specifically targeting children, particularly as guidance from supervisory authorities in several jurisdictions has held that this sort of automated profiling that specifically targets vulnerable groups should be prohibited. The DPC invites comments on how this can be balanced with an organisation’s legitimate interests. In practice, many organisations are already attempting to err on the side of caution by excluding factors related to children from the profiling.
Next Steps
The consultation touches on several other issues – such as how online service providers should ensure they comply with different ages of digital consent in different EU states – for which there are various possible legal, policy or technological solutions. The consultation is open for submissions until 1 March 2019, although there is a long way to go after this before businesses have any certainty over their procedures. After publishing the consultation submissions, the DPC will publish guidance and work with industry towards a Code of Conduct for organisations on measures and methods to be taken to comply with provisions in the Data Protection Act and GDPR relating to children’s data. However, these will invariably be open to interpretation, meaning there is scope for businesses to develop and invest in their own technology solutions to meet these legal demands.