Recent changes to parental consent rules in the USA’s infamous COPPA laws highlight the vagueness and inconsistency in the UK’s equivalent rules.
Topic: marketing to children
Who: US Federal Trade Commission, the UK DMA and Trust UK
Where: US and UK
When: Autumn 2001
Recent FTC action in respect of on-line marketing to children points up the present lack of clarity in the equivalent area in the UK.
First the FTC underlined the strict regime introduced by the US Federal Children’s On-line Privacy Protection Act (“COPPA”) when in October 2001 it fined girls’ toy and school supplies maker Lisa Frank, Inc $30,000 for allegedly violating COPPA. Lisa Frank had allegedly done this by requiring girls under 13 to register personal information to access its website without first seeking parental approval. Then, having levied on Lisa Frank one of the largest COPPA fines so far, the FTC proposed altering its position on the two types of parental consent required to process under-13s’ data and the length of time that this regime would operate.
Presently, for purely "internal" use of under-13s’ data, for example to market only the data collector’s products, all that is needed is an initial e-mail from the parent consenting followed by either a confirmatory e-mail, letter or telephone call.
If external use is to be made of the data, for instance by sharing it with third parties, then the process is tighter, requiring for example a "print and send" form that can be faxed or mailed back to the site operator by the parent, or a credit card transaction performed by the parent or having the parent call a toll-free number staffed by trained personnel.
This regime was to last until 21 April 2002. By this time it was hoped that more reliable methods of obtaining verifiable parental consent would have been developed. But the expected technological improvements have not materialised, so it is suggested that this date be extended to 21 April 2004.
So the parental consent regime for children’s data in the US remains clear and highly restrictive, but what is the situation in the UK?
The starting point might have been the 1998 Data Protection Act, but this says very little about children at all, apart from one provision. This recognises that in Scotland a child is not deemed to have legal capacity until the age of 16. The Act goes on to say, however, that for the purposes of requesting access to data held by any party about a person, such a request may validly be made by a person under 16 in Scotland, England, Northern Ireland or Wales when it can be shown that he or she has a general understanding of what it means to exercise that right and that a person of 12 years or more may be presumed to be of sufficient age and maturity to have such understanding. So children of 12 or over can validly request a sight of data held about them by any company. But what is the situation when it comes to validly consenting to the collection and marketing use of children's data?
Can we assume the Information Commission ("IC") will accept that 12 is old enough to consent? Perhaps, and at least this is borne out in an on-line context by the “Accreditation Criteria” of Trust UK. (Trust UK is a joint non-profit-making venture between the Alliance for Electronic Business and the Consumers’ Association and is endorsed by the UK Government. It seeks to foster consumer trust and confidence in buying on-line through accrediting on-line codes of practice.) This echoes the DPA by indicating that unless a child is at least 12, "explicit and verifiable parental consent" will be needed before their data can be collected.
But there is a complication. The DMA takes a different view. Its Code of Practice for Commercial Communications to Children On-line states that verifiable explicit prior written consent from a parent will be needed before processing the data of any child under 14, not 12!
So, assuming you have correctly guessed the right age at which you need parental consent, what does this entail?
Again there is no clear authoritative/binding rule. All the indications are, however, that a simple e-mail from the parent will not be enough. The IC, for example, indicated in recent website guidance FAQs that the only satisfactory way of getting acceptable parental consent was by way of a signed communication by snail mail.
Why this matters:
If the UK and the rest of Europe are going to avoid draconian children's data legislation such as America’s COPPA, it would be helpful if there were EU-wide clarity as to the default age of consent for children's data processing and as to the acceptable modes of providing parental consent.