Minors and Your Privacy Policy

Last updated on 01 November 2019 by Nicole Olsen

Does your website attract or cater to a client-base of under-18 or under-13-year-olds? If so, what are you doing to protect their privacy?

Even though privacy law is only just getting started, governments around the world recognize that children deserve special recognition in the context of data privacy and the internet.

Why?

Because kids are less likely to read and understand Privacy Policies. They are also more likely to fall prey to marketing tactics that adults are savvy enough to see through. And as we are all beginning to understand, the personal data about you that exists online can potentially hurt you later.

The privacy of children shouldn't be at risk because they use the internet or because they're kids.

If you fall under the jurisdiction of the GDPR or California or your site attracts children (especially those under 13), then you have specific legal obligations under state, federal, and international law. Many of these obligations impact your Privacy Policy.

Here's what you need to know about processing data from minors and what it means for your Privacy Policy.

Privacy Laws that Protect Minors

You already know that privacy laws require basic standards for data collection, processing, and erasure. However, they also differentiate data from children (minors) from that of adults.

Children are afforded greater protection under several of the major data privacy laws, including the GDPR and COPPA.

Let's break down what each major privacy law says about processing children's data and what you need to do to comply with the law.

The General Data Protection Regulation (GDPR)


The GDPR protects the data of all Europeans by requiring every site that accepts visitors or customers who are European citizens or residents to publish and follow a transparent Privacy Policy. We covered the full GDPR requirements in-depth elsewhere. What's important here is what the GDPR says about data subjects who are also minors (under 18).

The GDPR sets a general age of consent at 16, which means you can't legally process the data of a data subject 15 years old or younger.

In cases where you work with the data of children under 16, you can only process the data with permission from their parent or guardian. Any processing without the consent of an adult with parental responsibility is illegal under EU law.

However, 16 is only the GDPR recommendation. According to Article 8(1), member states may enact laws that lower the age of consent to 13 (but not under 13).

The rules are different for minors in the United States. However, it's often safer to apply the EU rules to all data to ensure that something doesn't slip through the cracks. Because these rules are currently some of the strictest in the world and new laws are being modeled after them, you can pretty much ensure worldwide compliance in the present and likely the future by taking this route.

To ensure you comply, you should be using "reasonable efforts" (read: existing technology) to verify that the minor is of the age of consent and that if the parent gives consent, then it was really the parent who consented.

In addition to requiring advanced consent measures, the GDPR says you can't subject their data to automated processing or profiling. You also need to be particularly careful when using their data for marketing purposes (including creating user profiles or personality profiles).

There's one more thing you need to do to comply with the GDPR's rules for minors: Write a kid-friendly Privacy Policy.

What Does a GDPR Privacy Policy for Minors Look Like?

The GDPR requires that your Privacy Policy must be clear and easy-to-read for the youngest children on your site (usually 13 but 16 or 18 if you require users to be that age to access your site). Recital 58 of the GDPR specifically states:

"Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand."

In other words, it needs to be age-appropriate with simple words, accurate explanations and no legalese. You also need to cover children's data in a specific clause.

There are several examples of GDPR kid-friendly Privacy Policies in the next section. But first let's look at two other important laws that protect minors and will affect your Privacy Policy.

The Children's Online Privacy Protection Act (COPPA)


COPPA differs from the GDPR in two critical ways: It only impacts children in the U.S. and it only protects the privacy of children under 13 years old.

Why only children under 13? The FTC says it only protects those minors because it recognizes that "younger children are particularly vulnerable to overreaching by marketers and may not understand the safety and privacy issues created by the online collection of personal information."

The goal is to ensure that parents have control over younger children's data and can make decisions about data for them.

There are no legal provisions affecting teenagers, but the FTC does offer guidance for both adolescents and their parents. These are good practices for your organization to follow, but there are no legally enforceable provisions found within them.

The FTC's goal with the law is to protect young children by making sure that businesses that target them:

  • Use clear, published Privacy Policies to describe their processing activities
  • Ask for consent from parents directly (using verifiable means)
  • Provide parents with choice in the use of information
  • Allow parents access to the children's data
  • Offer parents the option to stop data collection
  • Demand the use of reasonable steps to protect children's data
  • Require the deletion of data after data is no longer useful

You might already be familiar with the first version of COPPA, but a new amendment went live on July 1, 2013, that included protection for data such as:

  • Geolocations
  • Screen names
  • Persistent identifiers
  • Photos, videos, and recordings featuring the child (after July 1, 2013)

COPPA doesn't just apply to websites. It also includes all online services including mobile apps, games, and location-based services.

What does COPPA mean for your site? It doesn't mandate the use of age verification systems; you don't even have to ask. COPPA only applies when you know your user or a group of users are under 13. The knowledge that you collect and process the data of minors triggers COPPA.

You do, however, need to publish a COPPA-compliant Privacy Policy.

What Does a COPPA-Compliant Privacy Policy Look Like?

A COPPA-compliant Privacy Policy should cater to children's ability to read and comprehend, but more importantly, it needs to inform parents (who are the custodians of their children's data under COPPA) what data you collect, how you collect it, and what you do with the data.

Rule 312.4 says you need to:

  • Provide notice that you collect data (including that of children)
  • State the requirement for verifiable parental consent
  • Ensure that the notice makes it to the parent directly
  • Use a clearly labeled link to your Privacy Policy on the home or landing page and throughout the website (especially pages where data collection takes place)

Your Privacy Policy must:

  • Provide the name and contact details for all operations that collect or maintain children's information
  • Describe what information you collect
  • Denote whether you allow children to make personal information publicly available
  • Identify how you use the information
  • State whether you disclose or share the information
  • Provide parents with the right to review or request the deletion of their child's information
  • Provide rights to prevent further collection of the information if requested

State Codes: California's Privacy Rights for California Minors in the Digital World Act and Delaware's Online and Personal Privacy Protection Rule


Finally, there are two state codes dedicated to the protection of minors on the internet.

The first is California's Privacy Rights for California Minors in the Digital World Act. It's also known simply as the "eraser bill."

The Act provides minors with the right to remove or request the removal of content online. It also bars companies with sites or services that minors cannot use (vape, alcohol, tobacco, etc.) from marketing to minors, and prevents marketing products based on the information you gleaned from a minor.

Delaware Code 1204C is Delaware's Online and Personal Privacy Protection rule. It says that websites, apps, and services cannot market to children inappropriately. For example, you cannot market firearms, alcohol, or adult content to children or minors.

It also goes much further in protecting children from inappropriate marketing. It says that you can't use personally identifiable information to advertise to children you know are minors.

While neither of these laws requires a Privacy Policy, it is helpful to include provisions that reflect these laws in your Privacy Policy anyway.

How Your Privacy Policy Needs to Reflect Privacy Law


Your obligation as a site owner or service provider is to protect children's privacy according to the law. It's a goal that most can agree on, but it's not necessarily deployed the same way every time.

In this section, you'll find some examples of how three types of companies have implemented the protection of minors into their Privacy Policies and beyond.

How General Websites Address Minors and Privacy

Privacy laws require you to protect the data of minors and children at all times - no matter what kind of website you run. But there are differences between the kinds of websites directed at children and general sites that attract broad audiences that happen to include children.

Target is a nationwide retailer with a huge ecommerce reach. It doesn't specifically market to children by any means, but it does sell children's products, including toys. And it has the potential to collect and process the data of minors without any real way to distinguish it from that of adults. It caters largely to an American audience given that Target is best-known and provides the bulk of its services within the United States.

As a result, Target can stick to a general COPPA-inspired Privacy Policy clause identifying the use of "children's personal information:"

Target Privacy Policy: Children's Personal Information clause

Target's Privacy Policy only says that it recognizes the importance of protecting children and it does not knowingly engage in activities that process the data of minors under 13. Doing so satisfies both COPPA and the GDPR.

Target's GDPR requirements exist given its site is open to European users, but it doesn't actively market itself to European children.

Delta differs from Target in that it must regularly process the data of minors even when their parents or guardians make the purchase or transaction on their behalf. (Delta needs the children's identifying information to issue a ticket and provide the relevant information to government agencies.) The processing must occur whenever the minor intends to fly with Delta.

However, most data is provided directly by the child's parent or guardian, which manages the issue of consent.

Delta also addresses the use of the data belonging to minors in its Privacy Policy:

Delta Privacy Policy: Minors clause

It uses a similar tactic as Target, given that it doesn't market itself as a service for children. Delta also provides a mechanism for removing the data in the event it does collect data from a child under 13 inadvertently.

However, it also notes that the company may ask for consent from parents or guardians before providing a service to them. This reflects the necessity of data processing when booking travel for children 18 and under and 13 and under.

Instagram differs from Target and Delta because although it doesn't explicitly market itself to children, its status as a popular social media platform makes it de facto attractive to kids and young teens.

Additionally, unlike Target and Delta, children don't need access to home addresses and credit cards to use the service. It's also more widely available to both U.S. and European children, who receive the most explicit and sweeping protections from the law.

The following excerpt from Instagram's U.S. Privacy Policy shows that the North American arm of the company still takes a similar approach to children's privacy as per its obligations from COPPA:

Instagram Privacy Policy: Children Privacy Clause

In essence, Instagram doesn't seek out or market to children under 13, and if you find your child's data on Instagram, then the company will delete it quickly, as per the law.

Although all three sites need to comply with all aspects of the GDPR, for argument's sake, Instagram has a greater liability given its openness and attractiveness to children under 13 and between 13 and 16, who aren't covered by COPPA but who are covered by the GDPR.

As a result, Instagram would need to at least attempt to update its Privacy Policy to acknowledge its inevitable under-age users.

In fact, Instagram has allegedly done such a poor job of writing its GDPR child-friendly Privacy Policy that a UK-based privacy law expert rewrote the document on the company's behalf.

For example, the expert wrote a paragraph that says:

"Officially you own any original pictures and videos you post, but we are allowed to use them, and we can let others use them as well, anywhere around the world. Other people might pay us to use them and we will not pay you for that."

The above paragraph is easy for a young person to read and comprehend. The difference is stark in comparison to Instagram's written policy, where the same information occurs over a series of paragraphs written largely in business terms.

How Adult Sites Meet Their Legal Obligations to Protect Minors

Both U.S. federal and state law require adult services to put in place interventions that prevent marketing to minors.

Unlike Target, Delta or Instagram, you can't get away with saying "we don't willingly collect the data of minors under 13." You need to be far more proactive.

Some of the sites and services include anything with an age regulation required by law, such as the following:

  • Alcohol
  • Tobacco
  • Vaping
  • Cannabis/medical marijuana
  • Gambling
  • Sexually-explicit adult content

We provide a few examples of how these businesses protect both minors and themselves by following the law.

JUUL is an e-cigarette and vape giant based in the United States and thus subject to federal and state law.

The site's age-check mechanism requires users to agree that they are over 21 and sends them to the correct site based on their state of residence. It also links directly to the company's youth smoking/vaping prevention efforts and notes that it is illegal to sell/resell to minors.

JUUL age verification pop-up

Although this mechanism seems insecure, JUUL uses a third-party company to perform independent age and identity verification checks. So even if you are underage and lie to get on the site, you won't be able to buy or sign up for marketing emails.

In JUUL's Privacy Policy, it notes that it markets age-restricted products and says it will only market to you if you confirm that you are of legal age and that you want to receive marketing materials from a tobacco-adjacent company. It also notes that users who provide false information violate the law:

JUUL Privacy Policy: Age Verification clause

You may even be asked to use your government ID and use manual verification processes.

In addition to outlining its age verification processes, JUUL also uses the same clause used by general sites like Target. It says that it won't collect information from children under 13 and that it will delete the information ASAP. The same is true if it realizes one of its users is under age 21:

JUUL Privacy Policy: Children's clause

However, rather than collecting parental information explicitly as the law sometimes recommends, JUUL only recommends "that anyone under the age obtain their parent's permission before submitting information over the internet."

Cannabis sites need to take the same approach as vape or tobacco sites by requiring proof of age and adhering to very strict marketing standards.

Some of the best examples come out of Colorado, the first state to legalize recreational marijuana.

Medicine Man, a CO-based dispensary chain, uses a simple age verification process upon arriving at the site:

Medicine Man age verification pop-up

But as we all know, it's easy enough to click enter - even when you aren't of legal age.

However, Medicine Man doesn't provide any details related to its processes for dealing with state or federal law and the protection of minors.

The nature of marijuana sales in the United States means that Medicine Man can't ship marijuana across state lines. However, its Privacy Policy doesn't reflect this sentiment at all.

Its site meets the minimum guidelines for a Privacy Policy, including noting what data it collects, its sharing habits, and social media plugins. But there's no distinction suggesting how it protects children. You can even sign up for the newsletters to learn about sales without any age verification, which makes it dangerously easy to market to children:

Medicine Man email newsletter sign-up form

Sites that directly cater to and target children are under unique regulations according to the GDPR. If your site willingly and happily accepts children's data, then your Privacy Policy needs to cater to the age of your youngest users (usually 13 or whatever the minimum age of consent is in your country).

To see how sites accommodate this, let's look at two sites well-traversed by children.

The Walt Disney Company attracts children with games and videos. As a result, it offers both a Privacy Policy and a Children's Online Privacy Policy:

Walt Disney website footer with links

The Children's Online Privacy Policy directly addresses COPPA and the issue of collecting data from children under 13 by including its COPPA Safe Harbor Certification at the top of the page:

Walt Disney Children's Privacy Policy: Intro section

The Children's Privacy Policy includes three essential components geared for parents to read to control their children's data:

Walt Disney Children's Privacy Policy unexpanded sections

However, the Children's Privacy Policy only applies to the United States and Latin America. It is not designed to cover GDPR standards.

And then when Disney addresses the collection of data and GDPR standards, it falls short. It doesn't write the policy in a way in which children would understand it (as required by the GDPR). When it comes to children's personal information, it refers to U.S. practices in the children's Privacy Policy noted above, which may or may not comply with GDPR regulations for the processing of children's data:

Walt Disney Privacy Policy: Children's clause

National Geographic Kids is another site that targets kids directly - "kids" is in the name. Although Nat Geo Kids is a collaboration between Disney and National Geographic, the company doesn't apply a dedicated Children's Privacy Policy like Disney does. At the same time, its Privacy Policy is very kid-focused, particularly in the context of arming parents with the knowledge of their rights:

National Geographic Kids Privacy Policy: Table of Contents

The policy is in no way written to cater to young readers. Instead, it relies on the idea of parents guiding their children's use of the site. However, this isn't necessarily a significant problem for National Geographic Kids.

According to its Privacy Policy, it collects cookies and mobile identifiers, but it does not collect registration or personally identifiable information from children on the site. This is a key difference between the site and others: there's no way to identify whether a child or what individual child uses the site, so their privacy is not at risk:

National Geographic Kids Privacy Policy: Collection of Information From Children

A Privacy Policy is needed because of the use of cookies and beacons, even though there's no profile creation or identifiable tracking.

Summary

Children receive special mention in laws like the GDPR as well as in children's privacy laws like COPPA and state regulations. Regulators increasingly recognize that children should not suffer because they're too young to understand the consequences of giving out their data - and it's up to you to protect them.

If you market to children or you may process children's data, your Privacy Policy should reference the relevant laws that apply (usually the GDPR and COPPA). It's a good idea to do so unless you have a surefire way to prevent minors from adding their data to your site.

Remember that children under 13 tend to receive special protections under the law. And you should both note this in your Privacy Policy and have the mechanisms in place to delete their data if you discover it belongs to a child or when their parent or guardian requests it be removed. The above is true both for general sites (like retailers) and for specialist sites that require age-verification.

Nicole Olsen

Legal writer.