78 international data protection authorities have adopted a resolution sponsored by ICO calling for greater recognition and protection of child privacy online, which may include curbs on behavioural advertising. Mark Smith and Phil Lee report on “youf” issues.
Who: 78 Data Protection Authorities
When: 17 October 2008
Where: 30th International Conference of Data Protection and Privacy
Law stated as at: 30 October 2008
Children's online privacy was high on the agenda at the recent International Conference of Data Protection and Privacy Commissioners in Strasbourg. So high, in fact, that the 78 data protection authorities in attendance agreed a "Resolution on Children's Online Privacy", co-sponsored by the UK Information Commissioner's Office. Among other aims, the resolution calls for limitations on the use of child data for behavioural advertising and encourages websites aimed at children to adopt clear, simple and understandable privacy policies.
Attendees noted that young people all over the world use the Internet for social interaction by writing blogs, social networking and playing online games. In doing so, they often disclose large amounts of personal data to others.
While many children have an awareness of the risks that can be involved in sharing their personal data online, they usually lack the tools, experience and technical knowledge to deal with those risks. They are often unaware of their legal rights and that their habits, information and behaviour may be being tracked by third parties.
The Privacy Commissioner of Canada proposed the resolution, which was co-sponsored by the data protection authorities of UK, Berlin, France, Ireland and New Zealand. The 78 data protection authorities present at the conference (which included representatives from every continent) consequently resolved:
- Education-based approaches: To support the development of education-based approaches to improving the state of online privacy, both locally and globally;
- Safe online environment: To strive to ensure children and young people around the world have access to a safe online environment respectful of their privacy;
- Collaboration: To collaborate with partners and stakeholders internationally as well as locally, recognising cooperation with professionals who influence the lives of children daily is crucial;
- Increase awareness: To work with each other to share best practices and implement educational activities towards the public meant to increase awareness among children and young people of the privacy risks inherent in their online activities and the smart choices available for controlling their personal information;
- Curricula: To encourage educators to recognise privacy education as fundamental to a child’s education and to include privacy education in their curricula;
- Data minimisation: To call for legislation in their respective jurisdictions limiting the collection, use and disclosure of children’s personal information, including appropriate provisions for violating those requirements;
- Behavioural advertising: To call for appropriate limitations on the collection, use and disclosure of personal information about children for the purposes of online micro-targeting or behavioural advertising; and
- Privacy policies: To urge operators of websites created for children to demonstrate social responsibility by adopting privacy policies and usage agreements that are clear, simple and understandable, and educating users about existing privacy and security risks and website choices available to the users.
Why this matters:
The Resolution on Children's Online Privacy indicates just how seriously data protection authorities all over the world take the issue of child online privacy, and places a clear emphasis on education, data minimisation and transparency. There are clear concerns that, at present, far too much information is collected about children far too often. Children are often unaware of how their data is being collected and used online and therefore have little ability to control that use – in part, say the authorities, because privacy policies are too specialised, legalistic and technical, making them off-putting and frequently ignored. If the authorities' call for legislation (and penalties) is heeded, this could have a considerable impact on the value of child data and its ability to be used for marketing purposes. Operators of websites created for children may find themselves having to carefully rethink the data they collect and how they use and disclose that data. Given its co-sponsorship of the resolution, this could be an area in which ICO intends to be particularly active in the forthcoming year (which would be well-timed in light of the ongoing Byron consultation on child online safety). Child website operators would be well advised to start behaving now, and avoid facing detention later!