By Milda Macenaite, fellow of the European Privacy Association
The sweep reaffirms the concerns around a growing number of websites and mobile apps targeted at ever-younger internet users and the lack of specific data protection rules that would take into account the unique needs of children as data subjects. Apart from providing an incentive to improve for the websites and apps, in the wake of the EU data protection reform, the results of the sweep can provide impetus to crystalize the final position on the protection of children’s personal data online among the policy makers, especially as regards the requirements on parental consent to children’s personal data processing online. “EPA fully supports initiatives that aim at coordinating data protection effort at the international level, given that online privacy is by definition a global matter” (Paolo Balboni, Scientific Director of the European Privacy Association).
On 11-15 May, 29 data protection authorities from around the world carry out a joint review of websites and apps directed to children – a Global Privacy Sweep 2015. The aim of the sweep is to verify whether internet websites and apps targeted at or frequently used by children, seek parental consent before collecting children’s personal data, provide a privacy notice tailored to children’s understanding and facilitate the erasure of personal data provided by children. Combined results of this joined effort are expected to be published in fall this year. The initiative is coordinated by the Global Privacy Enforcement Network (GPEN), which aims to promote cross-border information sharing and enforcement of privacy laws.
This year’s focus of the sweep reflects the concerns around a growing number of websites and mobile apps targeted at, or popular among, ever younger children and the lack of specific data protection rules that would take into account the unique needs of children as data subjects. In the wake of the EU data protection reform, the results of the sweep can be very informative and help to crystalize the final position on the protection of children’s personal data online among the policy makers. This could be especially true as regards the future requirements for privacy policies and even more in relation to parental consent to children’s personal data processing obtained online.
Although some websites, especially those designed for small children, have experimented with simplified information for users, in general privacy policies are known as being long, legalistic and barely understandable even for the adults of average intelligence. The results of the sweep, unfortunately, most probably will not surprise anyone much in this respect. In relation to this, at least, there seems to be a strong agreement among the EU institutions that in the future General Data Protection Regulation data controllers should be bound by an explicit obligation to use a clear and audience-appropriate language in their privacy policies, in particular applying this requirement to children.
The findings on parental consent could be much more ground-breaking. In the EU, the rules on legal capacity to consent to data processing operations are fragmented and unclear. Each Member State can set their age limits until which parental consent in data protection is required (varying from 14 to 18) and foresee how valid consent from minors should be obtained. Only a few Member States have an explicit age threshold for a valid consent of a minor established in laws, many rely only on recommendations or guidelines from the DPAs, which favor different degrees of protectiveness and apply different tests (e.g. require to evaluate the capacity of the child, evaluate specific data collection circumstances). This situation can hardly be expected to change with the General Data Protection Regulation. Although the European Commission in its draft devoted a dedicated article to children (following the example of COPPA in US) which requires parental or custodian consent for those below 13 years of age when an information society service is offered directly to them, the future of this provision is more than unclear due to the current disagreements in the Council on the text. According to the latest drafts published by the Latvian Presidency, more and more Member States would rather prefer to avoid making the rules on children’s consent instead of strengthening them. Many advocate to have the article on children’s consent deleted or watered down to a provision on child protection in some other form, for example child protection in relation to profiling. This would leave the current state-of-the-art unchanged: no clarity and harmonised age threshold in the European Digital Market on when children can consent to their data processing themselves and to which extent their consent is valid. Therefore, it would be very interesting to know not only how many websites and mobile apps used by children actually gain parental consent, but also to explore how their developers interpret and comply with the diverging national requirements on consent. Also, some light could be shed on how valid is parental consent in different online environments, how (effectively) it is verified and if consent remains verifiable through time, as well as if such verification leads to unnecessary additional personal data processing. These questions are particularly relevant given the academic research findings that demonstrate how easily parental restrictions are circumvented, how often under-age users provide a false age online in order to access restricted services and how parents assist their young children in circumventing age restrictions on adult websites.