A Guide to Privacy Policies for Minors

By Tanunnut Suebsang

September 8, 2021

Technological advances have brought about detailed privacy policies. Over the years, privacy policies have been used to ensure that companies are transparent about their data collection. Data collection and data mining are prevalent issues, especially in the US. Around six out of ten Americans believe that it is not possible to go about life without their data being collected by companies or the government, and data mining, which most people deem inevitable, has come under heavy scrutiny.

Data mining is the harvesting of information, clustering that information into groups/demographics, and then using that data for personal profit. Most of the issues surrounding data mining involve privacy concerns. Legally, there is no single law explicitly guaranteeing the right to online privacy. However, there are several existing laws and legal entities that attempt to protect people on the internet. In addition, the Fourth Amendment in the US Bill of Rights alludes to privacy rights. Data mining also poses an ethical dilemma. Regardless of whether people have accepted the terms and conditions, the policies are overly complex and leave people confused and overwhelmed. As a consequence of large-scale and concentrated collection and storage of people’s private information, data leaks lead to identity theft, impersonation, and the like.

These problems are especially dangerous for vulnerable groups, specifically children. Children are more likely to ignore and misunderstand complex privacy policies. Aside from personal use, their student records are sometimes at risk of cyberattacks because of the data management sites schools use. Parents and educators have pushed for increased regulations based on the Children’s Online Privacy Protection Act (COPPA) and further Big Tech regulation. Despite these efforts, loopholes allow these regulations to be undermined. This is why there is an urgency to understand privacy policies, especially for minors.

An Overview of Privacy Policies

As mentioned earlier, privacy policies pertain primarily to data collection. Globally, however, the privacy policy that relates strictly to children is COPPA, based in the US. This is not to say that other countries do not take children into consideration, but they do so more implicitly.

  • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA): PIPEDA applies equally to children and adults. It guides companies to never collect more information or store it for longer than necessary, and advises them to be especially cautious with information regarding minors. PIPEDA also has transparency guidelines for services targeted specifically towards youth, and it engages parents by requiring parental consent before a child’s sign-in is approved.
  • Australia’s Privacy Act 1988: The act contains 13 principles that apply equally to children and adults. However, the act has been criticized for several shortcomings: it does not set a minimum age of consent, it does not require parental consent, and the burden of data collection precautions is placed on companies. There has been work to reform the act, and several organizations have come up with reform proposals.
  • UK’s Data Protection Act: Like others in this list, this act applies to both children and adults. Most protection of children’s data is educational rather than legal. The Council for Child Internet Safety, supported by the Department of Education, promotes online safety for children and guidance on how they should navigate the internet.
  • EU’s General Data Protection Regulation (GDPR): Although applicable to both children and adults, the revised GDPR is most likely the policy closest to COPPA. This is seen in Recitals 38 and 71 and Article 12. Recital 38 recognizes that children need extra protection because of their vulnerability online. Recital 71 addresses how companies should not subject people, including children, to profiling. Article 12 concerns transparency, especially the use of language that is easy to understand when information is directed at youth. However, it differs from COPPA in requiring a minimum age of 16 but not requiring parental consent.

Note that these examples primarily look at countries in the Global North, but this does not mean that other countries do not have any regulations. This article from Data Guidance includes other countries and their privacy policies as well. What can be deduced from the privacy policies above are these required features: 

  • Plain language and clear structure: Everyone should be able to understand what the policy entails.
  • Transparency: Policies should be transparent about what data is collected and how it is used. They should detail versions, notices, changes, contacts, principles and use, providing these details in multiple languages.
  • Data use: Policies should state the reasons the data is being collected and be clear about what is being collected.
  • Data sharing: Policies should state whether the data is shared with third parties and what is done with that data.
  • Access and accuracy: Users can access and review their data and be notified about the duration of storage. The data will be deleted when no longer needed.
  • Security and autonomy: Users have consented to app guidelines, retain ownership of their data, and have control over their data disclosure. They will also be notified of data breaches, changes to the app, and the confidentiality of their data.

Children’s Online Privacy Protection Act (COPPA)

The Children’s Online Privacy Protection Act distinguishes itself from the privacy policies mentioned above. Effective April 21, 2000, COPPA is a privacy policy strictly relating to children under the age of 13. In short, the Federal Trade Commission (FTC) enforces regulations about children’s online privacy. COPPA allows parents to monitor what personal information is collected about their children through all “online services.” Listed below is a shorthand guideline to COPPA:

  • COPPA is strictly about the collection of personal information by commercial products targeted at audiences under 13 in the US.
  • Those in violation of COPPA will face financial penalties.
  • Services need a clear and comprehensive privacy policy describing data collection.
  • Services need to obtain verifiable parental consent.
  • Services need to have third-party disclosure about what third parties do with personal information.
  • Parents can access, review and edit their child’s information, and may prevent further use or collection.
  • Services must maintain the security, privacy, and integrity of minors’ personal information.
  • Services must retain information only for as long as necessary for the reasons it was collected and then delete it.
  • Services cannot entice a child to give more personal information in order to participate in an activity.

While COPPA’s guidelines are easy to access, they may be overwhelming and are not free of criticism. This article on our blog elaborates on COPPA guidelines, explains why they have been criticized, and offers solutions for increased security.

How to Implement Privacy Policies for Minors

Privacy policies are necessary for a safer online experience for children. Children are less likely to be aware of their privacy and are willing to offer their personal information without fully understanding what that entails. This may result in profiling bias, data breaches, and a loss of autonomy. However, relying only on COPPA or other policies is not sufficient. While COPPA does set the groundwork for children’s online privacy, it cannot prevent violations from happening. This can be seen in large companies, like Google and YouTube, which have been fined large sums of money. The FTC recommends parents educate their children on online safety and privacy. When people notice an app violating COPPA, they can send a complaint here.

This is not to say privacy policies are without their shortcomings. People have critiqued COPPA for not including teens, the ease of age falsification, and increased costs for smaller businesses, for starters. There have been recommendations of an “opt-in” policy where the default option would be to prevent companies from sharing a user’s personal information with third parties. Other recommendations include a more comprehensive notice and consent procedure from companies and increasing the age range from 13 to 17.

Companies could also consider humanID as an increased security measure. At humanID, we create a unique identifier through an irreversible hash that will erase any personally identifiable information. This eliminates the risk of providing more information than necessary and creates an anonymous online experience. However, it is important to understand that using humanID does not mean you can avoid COPPA guidelines. humanID would serve as a security measure, not an alternative.

Conclusion

Regardless of its shortcomings, COPPA still serves as a model for privacy policies for children. There is certainly room for improvement. However, seeing that other privacy policies do not refer strictly to children, it is the best policy we have so far in keeping children safe online. Therefore, it is necessary for parents to be involved in educating their children about online safety. Schools can also take part in teaching children more about their online safety as seen in the UK. Companies, whether or not they are targeted towards children, should adhere to COPPA guidelines by implementing security measures, such as humanID, to provide for the safest online experience.