Marketers are keen to unlock the enormous potential of kids’ familiarity with the net, but what are the pitfalls? Stephen Groom investigates.
Topic: Data privacy
Who: Burger King
When: August 2000
Burger King’s recent launch of a loyalty card scheme for 10-16 year olds called BKBuzz has raised healthy eating pressure groups’ hackles, but what’s the position regarding processing of young persons’ personal details? As we have recently reported in International Newsfeed, US legislators have clamped down hard on child data privacy, but are there any specific UK regulations affecting the process of collecting names and addresses and other personal details of minors? Perhaps surprisingly, the answer is "no." The Data Protection Act 1998, in force since March 2000, says very little about it. For instance, it does not stipulate any minimum age below which express consent of a responsible adult should be obtained before children’s data can be lawfully collected and used for marketing and selling purposes. So does this mean that 5 year olds can validly consent to the collection and use of their data on-line? All the Data Protection Commission offers by way of guidance is that the marketer bear in mind that proper informed consent is needed and that advantage should not be taken of children’s naivete. It also recommends that if responsible adults are giving consent on behalf of minors, the adult should keep the child’s interests paramount, not those of the adult. And that is about it, apart from the law of contract, that is, which makes it clear that under-16s cannot bindingly enter into a contract.
So what does a responsible marketer do when contemplating a promotion aimed at children that involves collecting their names and addresses, either on-line or off-line, and processing that data?
First of all, it should of course bear in mind the contract law principle just mentioned and make it clear that if any binding commitment to a loyalty scheme, prize promotion or product purchase is required, then the binding signature of a responsible adult will be needed. The marketer will also, particularly in an on-line environment, want to consider measures reasonably necessary to minimise the risk of deception/fraud. Next, the marketer could do a lot worse than refer to the Direct Marketing Association’s Code of Practice for Commercial Communications to Children On-line. This is mirrored to a greater or lesser extent in the guidelines recently published as part of the Government’s umbrella "TrustUK" on-line consumer protection code certification scheme.
The DMA Code recommends, for example, that "Children must not be eligible to participate in a promotion in which prizes such as, for example, holidays, pet animals, goods or cash are offered which may be likely to cause problems between parent and child, unless the rules require the written consent of a parent." This is fine so far as it goes, although some might regard the "likely to cause problems" qualification as seriously undermining the clause altogether, while we have already pointed out that contractually a minor cannot bindingly enter into any prize promotion in any event.
Separately there is "Unsolicited commercial email communications must not be addressed to children without the verifiable and explicit prior consent of the parent/teacher." The Code also requires that websites directed to children should require a child to give their age before any other personal information is requested. If the age is under 14, the child should be excluded from giving further personal information until the appropriate, verifiable and explicit consent has been given.
Personal information relating to other people, for example parents’ ages and occupations, should not be collected from children, whilst a child’s access to a website should not be made contingent on the collection of personal information, nor should a child be enticed to divulge personal information with the prospect of a special prize or other offer. Notices requiring parental consent should be clear and written in language easily understood by children. They should be located at the point where the personal information is collected and include an explanation of the purposes for which the data is being collected.
Clear and intelligibly worded privacy policies are also recommended and numerous other helpful guidelines are included.
Compliance with the Code is not, of course, any guarantee against successful enforcement action by the Data Protection Commission. If one is able to show that the Code has been followed, however, it should certainly minimise the risk of enforcement action being taken first time round.
Why this matters:
If EU child data processors are going to avoid a fate similar to that of their counterparts in the US, they will clearly need to take care. Instead of taking advantage of the strange lack of European statutory regulation in the area, they should adhere as best they can to Codes of the kind published by the DMA. In particular they should familiarise themselves with the ages, such as 14, below which the DMA Code recommends extra precautions should be taken and with the basic rules as to the age at which a person can enter into a binding contract. This is not so much with a view to taking action to enforce purchase or prize promotion contracts, but in order to make an informed decision as to the crafting of any promotional rules bearing in mind the target age range of the promotion.