Does your website attract or cater to a client-base of under-18 or under-13-year-olds? If so, what are you doing to protect their privacy?
Even though privacy law is only just getting started, governments around the world recognize that children deserve special recognition in the context of data privacy and the internet.
That's because kids are less likely to read and understand Privacy Policies. They are also more likely to fall prey to marketing tactics that adults are savvy enough to see through. And as we are all beginning to understand, the personal data about you that exists online can potentially hurt you later.
The privacy of children shouldn't be at risk because they use the internet or because they're kids.
- 1. Privacy Laws that Protect Minors
- 1.1. The General Data Protection Regulation (GDPR)
- 1.2. The Children's Online Privacy Protection Act (COPPA)
- 1.3. State Codes: California's Privacy Rights for California Minors in the Digital World Act and Delaware's Online and Personal Privacy Protection Rule
- 2.1. How General Websites Address Minors and Privacy
- 2.2. How Adult Sites Meet Their Legal Obligations to Protect Minors
- 2.3. How Kid-Oriented Sites Deal with Consent and Privacy
- 3. Summary
Privacy Laws that Protect Minors
You already know that privacy laws require basic standards for data collection, processing, and erasure. However, they also distinguish data about children (minors) from data about adults.
Children are afforded greater protection under several of the major data privacy laws, including the GDPR and COPPA.
Let's break down what each major privacy law says about processing children's data and what you need to do to comply with the law.
The General Data Protection Regulation (GDPR)
The GDPR sets a general age of consent at 16, which means you can't legally process the data of a data subject who is 15 years old or younger.
In cases where you work with the data of children under 16, you can only process the data with permission from their parent or guardian. Any processing without the consent of an adult with parental responsibility is illegal under EU law.
However, 16 is only the GDPR's default. According to Article 8(1), member states may enact laws that lower the age of consent to 13 (but not below 13).
The rules are different for minors in the United States. However, it's often safer to apply the EU rules to all data to ensure that something doesn't slip through the cracks. Because these rules are currently some of the strictest in the world and new laws are being modeled after them, you can pretty much ensure worldwide compliance in the present and likely the future by taking this route.
To ensure you comply, you should be using "reasonable efforts" (read: existing technology) to verify that the minor is of the age of consent and, where a parent gives consent, that it really was the parent who consented.
In addition to requiring advanced consent measures, the GDPR says you can't subject their data to automated processing or profiling. You also need to be particularly careful when using their data for marketing purposes (including creating user profiles or personality profiles).
"Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand."
In other words, it needs to be age-appropriate with simple words, accurate explanations and no legalese. You also need to cover children's data in a specific clause.
The Children's Online Privacy Protection Act (COPPA)
COPPA differs from the GDPR in two critical ways: It only impacts children in the U.S. and it only protects the privacy of children under 13 years old.
Why only children under 13? The FTC says it only protects those minors because it recognizes that "younger children are particularly vulnerable to overreaching by marketers and may not understand the safety and privacy issues created by the online collection of personal information."
The goal is to ensure that parents have control over younger children's data and can make decisions about data for them.
There are no legal provisions affecting teenagers, but the FTC does offer guidance for both adolescents and their parents. These are good practices for your organization to follow, but there are no legally enforceable provisions found within them.
The FTC's goal with the law is to protect young children by making sure that businesses that target them:
- Use clear, published Privacy Policies to describe their processing activities
- Ask parents directly for consent (using verifiable means)
- Provide parents with choice in the use of information
- Allow parents access to the children's data
- Offer parents the option to stop data collection
- Take reasonable steps to protect children's data
- Delete data once it is no longer needed
You might already be familiar with the first version of COPPA, but a new amendment went live on July 1, 2013, that included protection for data such as:
- Screen names
- Persistent identifiers
- Photos, videos, and recordings featuring the child (after July 1, 2013)
COPPA doesn't just apply to websites. It also includes all online services including mobile apps, games, and location-based services.
What does COPPA mean for your site? It doesn't mandate the use of age verification systems; you don't even have to ask. COPPA only applies when you know your user or a group of users are under 13. The knowledge that you collect and process the data of minors triggers COPPA.
Rule 312.4 says you need to:
- Provide notice that you collect data (including that of children)
- State the requirement for verifiable parental consent
- Ensure that the notice makes it to the parent directly
- Provide the name and contact details for all operators that collect or maintain children's information
- Describe what information you collect
- Denote whether you allow children to make personal information publicly available
- Identify how you use the information
- State whether you disclose or share the information
- Provide parents with the right to review or request the deletion of their child's information
- Provide rights to prevent further collection of the information if requested
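The GDPR age-of-consent rule (16 by default, lowered by some member states but never below 13) and COPPA's under-13 trigger described above can be combined into one gate at signup. The following is an added example, not code from the article; the member-state table is constructed for illustration, and the decision to block profiling for every child below the threshold follows the article's "apply the EU rules everywhere" advice rather than any one statute.

```python
from dataclasses import dataclass
from typing import Optional

GDPR_DEFAULT_AGE = 16   # Article 8(1) default age of digital consent
GDPR_FLOOR_AGE = 13     # member states may lower the age, but not below 13
COPPA_AGE = 13          # COPPA protects children under 13

# Constructed member-state table for this example; check the national law before use.
SAMPLE_DEROGATIONS = {"DE": 16, "FR": 15, "UK": 13}

@dataclass
class Decision:
    allowed: bool                  # may the service process this user's data now?
    parental_consent_needed: bool  # must verifiable parental consent be obtained?
    profiling_allowed: bool        # may the data feed automated profiling / marketing?
    reason: str

def age_of_consent(jurisdiction: str, derogations=SAMPLE_DEROGATIONS) -> int:
    """Age below which verifiable parental consent is required in this jurisdiction."""
    if jurisdiction == "US":
        return COPPA_AGE
    age = derogations.get(jurisdiction, GDPR_DEFAULT_AGE)
    if age < GDPR_FLOOR_AGE:
        # A configured derogation below 13 is not lawful under Article 8(1);
        # fail closed rather than silently weakening the gate.
        raise ValueError(f"{jurisdiction}: age of consent {age} is below the GDPR floor")
    return age

def evaluate(age: Optional[int], jurisdiction: str, parental_consent_verified: bool,
             derogations=SAMPLE_DEROGATIONS) -> Decision:
    """Decide whether processing may proceed for a user of the given (possibly unknown) age."""
    threshold = age_of_consent(jurisdiction, derogations)
    if age is None:
        if jurisdiction == "US":
            # COPPA is triggered by actual knowledge that a user is under 13.
            return Decision(True, False, True, "age unknown; COPPA not triggered")
        # The GDPR expects reasonable efforts to establish age before processing.
        return Decision(False, False, False, "age unknown; verify age before processing")
    if age >= threshold:
        return Decision(True, False, True, f"at or above age of consent ({threshold})")
    if not parental_consent_verified:
        return Decision(False, True, False, "verifiable parental consent required")
    # Consented child data: collect it, but keep it out of profiling and marketing.
    return Decision(True, True, False, "child data with parental consent; no profiling")
```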
State Codes: California's Privacy Rights for California Minors in the Digital World Act and Delaware's Online and Personal Privacy Protection Rule
Finally, there are two state codes dedicated to the protection of minors on the internet.
The first is California's Privacy Rights for California Minors in the Digital World Act. It's also known simply as the "eraser bill."
The Act provides minors with the right to remove or request the removal of content online. It also bars companies with sites or services that minors cannot use (vape, alcohol, tobacco, etc.) from marketing to minors, and prevents marketing products based on the information you gleaned from a minor.
Delaware Code 1204C is Delaware's Online and Personal Privacy Protection rule. It says that websites, apps, and services cannot market to children inappropriately. For example, you cannot market firearms, alcohol, or adult content to children or minors.
It also goes much further in protecting children from inappropriate marketing. It says that you can't use personally identifiable information to advertise to children you know are minors.
Your obligation as a site owner or service provider is to protect children's privacy according to the law. It's a goal that most can agree on, but it's not necessarily deployed the same way every time.
In this section, you'll find some examples of how three types of companies have implemented the protection of minors into their Privacy Policies and beyond.
How General Websites Address Minors and Privacy
Privacy laws require you to protect the data of minors and children at all times - no matter what kind of website you run. But there are differences between the kinds of websites directed at children and general sites that attract broad audiences that happen to include children.
Target is a nationwide retailer with a huge ecommerce reach. It doesn't specifically market to children by any means, but it does sell children's products, including toys. And it has the potential to collect and process the data of minors without any real way to distinguish it from that of adults. It caters largely to an American audience, since Target is best known in the United States and provides the bulk of its services there.
Target still has GDPR obligations because its site is open to European users, but it doesn't actively market itself to European children.
Delta differs from Target in that it must regularly process the data of minors even when their parents or guardians make the purchase or transaction on their behalf. (Delta needs the children's identifying information to issue a ticket and provide the relevant information to government agencies.) The processing must occur whenever the minor intends to fly with Delta.
However, most data is provided directly by the child's parent or guardian, which manages the issue of consent.
Delta uses a similar approach to Target's, given that it doesn't market itself as a service for children. Delta also provides a mechanism for removing the data in the event it inadvertently collects data from a child under 13.
However, it also notes that the company may ask for consent from parents or guardians before providing a service to them. This reflects the fact that booking travel for minors aged 18 and under, including children 13 and under, necessarily involves processing their data.
Instagram differs from Target and Delta because although it doesn't explicitly market itself to children, its status as a popular social media platform makes it de facto attractive to kids and young teens.
Additionally, unlike Target and Delta, children don't need access to home addresses and credit cards to use the service. It's also more widely available to both U.S. and European children, who receive the most explicit and sweeping protections from the law.
In essence, Instagram doesn't seek out or market to children under 13, and if you find your child's data on Instagram, then the company will delete it quickly, as per the law.
Although all three sites need to comply with all aspects of the GDPR, for argument's sake, Instagram has a greater liability given its openness and attractiveness to children under 13 and between 13 and 16, who aren't covered by COPPA but who are covered by the GDPR.
For example, the expert wrote a paragraph that says:
"Officially you own any original pictures and videos you post, but we are allowed to use them, and we can let others use them as well, anywhere around the world. Other people might pay us to use them and we will not pay you for that."
The above paragraph is easy for a young person to read and comprehend. The difference is stark in comparison to Instagram's written policy, where the same information occurs over a series of paragraphs written largely in business terms.
How Adult Sites Meet Their Legal Obligations to Protect Minors
Both U.S. federal and state law require adult services to put in place interventions that prevent marketing to minors.
Unlike Target, Delta or Instagram, you can't get away with saying "we don't willingly collect the data of minors under 13." You need to be far more proactive.
These sites and services include anything subject to a legal age restriction, such as the following:
- Cannabis/medical marijuana
- Sexually-explicit adult content
We provide a few examples of how these businesses protect both minors and themselves by following the law.
JUUL is an e-cigarette and vape giant based in the United States and thus subject to federal and state law.
The site's age-check mechanism requires users to agree that they are over 21 and sends them to the correct site based on their state of residence. It also links directly to the company's youth smoking/vaping prevention efforts and notes that it is illegal to sell/resell to minors.
Although this mechanism seems insecure, JUUL uses a third-party company to perform independent age and identity verification checks. So even if you are under age and lie to get on the site, you won't be able to buy or sign up for marketing emails.
You may even be asked to use your government ID and use manual verification processes.
In addition to outlining its age verification processes, JUUL also uses the same clause used by general sites like Target. It says that it won't collect information from children under 13 and that it will delete the information ASAP. The same is true if it realizes one of its users is under age 21.
However, rather than collecting parental information explicitly as the law sometimes recommends, JUUL only recommends "that anyone under the age obtain their parent's permission before submitting information over the internet."
Cannabis sites need to take the same approach as vape or tobacco sites by requiring proof of age and adhering to very strict marketing standards.
Some of the best examples come out of Colorado, the first state to legalize recreational marijuana.
Medicine Man, a CO-based dispensary chain, uses a simple age verification process upon arriving at the site:
But as we all know, it's easy enough to click enter - even when you aren't of legal age.
However, Medicine Man doesn't provide any details related to its processes for dealing with state or federal law and the protection of minors.
How Kid-Oriented Sites Deal with Consent and Privacy
To see how sites accommodate this, let's look at two sites well-traversed by children.
The policy is in no way written to cater to young readers. Instead, it relies on the idea of parents guiding their children's use of the site. However, this isn't necessarily a significant problem for National Geographic Kids.
Children receive special mention in laws like the GDPR as well as in children's privacy laws like COPPA and state regulations. Regulators increasingly recognize that children should not suffer because they're too young to understand the consequences of giving out their data - and it's up to you to protect them.
Conduct a privacy law self-audit so you know exactly what privacy practices your business engages in, potentially with minors, and what information you need to disclose to your users to stay compliant.