Children’s Privacy: Trends in Europe, the United States and Canada
As children increasingly participate online and at earlier ages, lawmakers around the world are passing legislation to bolster children’s privacy to varying degrees. This article contains a comparative analysis of some of these laws, highlighting trends in children’s privacy, which includes:
Children’s personal information is increasingly seen as particularly sensitive and deserving of heightened protections;
Lawmakers are concerned with ensuring organizations obtain valid consent for the collection, use and disclosure of children’s personal information;
Organizations collecting, using or disclosing children’s personal information should expect to face heightened reporting and administrative requirements (now and in the future);
Organizations must ensure automatically high default privacy settings for children; and
Violation of children’s privacy is likely to attract more regulator attention and significant penalties.
The European Union’s overarching General Data Protection Regulation (the “GDPR”) recognizes that children’s personal data should be afforded special protections because they may be less aware of the risks and consequences of data sharing. The GDPR particularly focuses on required consent from young data subjects for the processing of their personal data. Under the GDPR, the age of consent is at 16 years but allows individual member states to lower the age of consent to a minimum of 13 years old, a liberty that certain countries have taken. Article 8 states that a child’s consent is only valid if the holder of parental responsibility also gives consent, with Article 8(2) requiring reasonable effort on the part of the service provider to verify that the parent has given consent.
Regulators under the GDPR have shown that children’s privacy is taken seriously and that they will not shy away from issuing significant fines. The second largest-ever fine under the GDPR was issued in September 2022 for a violation of children’s privacy.
In addition to the GDPR, The Digital Services Act (the “DSA”) has been in force since November 2022. The DSA applies to “digital services”, meaning that it can be applied to a broad range of online services, from simple websites to internet infrastructure services and online platforms. The DSA bans platforms from delivering targeted advertisements to recipients when the platform is aware with reasonable certainty that the recipient of the service is a child. However, in adhering to this rule, the platform should abide by the principle of data minimization – meaning it should not incentivize providers of online platforms to collect the age of the recipient of the service prior to their use.
In the UK, the Age Appropriate Design Code (the “Code”) applies to a wide range of online services such as apps, games, connected toys and devices, and news services. Products and services within the scope of the Code must consider the privacy and protection of children, by design and default. If there is a conflict between the interests of the service and the child, the child’s best interest must be paramount.
Similarly to their European counterparts, regulators in the United States have also demonstrated a willingness to issue significant fines for violations of children’s privacy rules. In 2019, the Federal Trade Commission and the New York Attorney General issued a $170 million civil penalty for violations to COPPA. Specifically, it was alleged that the online service illegally collected personal information from children without their parents’ consent.
In 2023, Utah became the first state to enact laws limiting how children can use social media. While these two bills, collectively known as the Social Media Regulation Act (SMRA), are not directly aimed at protecting privacy they do have important privacy implications. The SMRA requires social media companies to obtain parental consent for any user under the age of 18. Enhanced privacy protections must then be put in place, for example, restricting the collection and sharing of personal information. However, the child’s privacy is also stripped away as social media companies must provide parents with access to the content and interactions of their child’s account. Infringements of the SMRA can result in injunctions and civil penalties against social media companies. In addition, the legislation authorizes individuals to sue social media companies for damages in the event that harm has been caused by SMRA violations.
The SMRA takes effect on March 1, 2024. Going forward, other states such as Arkansas, Texas, Ohio, Louisiana and New Jersey are also looking to pass legislation targeting social media companies, with similarly significant privacy implications for children.
Unlike its American and European counterparts, Canada does not currently have laws in force that are expressly dedicated to children’s privacy. While the Personal Information Protection and Electronic Documents Act (“PIPEDA”) does not differentiate between adults and youth, the Office of the Privacy Commissioner of Canada (the “OPC”) has consistently viewed personal information relating to youth and children as being particularly sensitive and must be handled accordingly. The OPC has also taken the position that in all but exceptional cases, parental consent must be obtained for the collection, use and disclosure of the personal information of children under the age of 13. In addition, Canada has signed and ratified the UN Convention on the Rights of the Child which protects children’s right to privacy.
There is, however, proposed legislation aimed at bolstering children’s privacy: Bill C-27’s Consumer Privacy Protection Act (the “Bill”). The Bill introduces new protections for children by requiring a higher standard of diligence and protection in respect to the collection and processing of their personal information. A child’s personal information would be the only prescribed category of “sensitive” information, meaning that it would always attract heightened protections, positive obligations for deletion, and a (likely) requirement for express consent for its collection, use or disclosure.
While no fines for violation of children’s privacy have been issued under PIPEDA, if the Bill is enacted, it will give the OPC the power to issue fines in this regard. There is an expectation that the OPC will be particularly interested in fines where children’s personal information is at issue given that it is the only prescribed category of sensitive information.