Consultation with Children on How Their Information Is Used Gives Helpful Insight for Companies under GDPR, CCPA and COPPA

July 31, 2019Alerts

"We would like the chance to think about it first"

Feedback from 1,200 Irish school children on key issues of data protection provides insight and some actionable steps for companies that process children's information and are subject to the EU GDPR, U.S. Children's Online Privacy Protection Act (COPPA) or California Consumer Privacy Act (CCPA).

Survey research from CyberSafeIreland found 68 percent of children aged 8-13 own their own smartphone, and 70 percent of children aged 8-13 and 85 percent of children aged 12-14 are actively using social media.

The Irish Data Protection Commission consulted with approximately 1,200 school children on data protection issues. The feedback will be used by the DPC to inform its approach to guidance on the topic of children's information and GDPR.

Key takeaways:

1. When explaining what you do with children's personal data, children would like for you to:

Keep It Simple

  • Use language children and teenagers can understand easily so that they are properly informed.
  • Break the information down into bullet points.
  • Make the font larger, more colorful.
  • Make a cool video or YouTube clip that’s fun.
  • Include a quiz at the end of the video that children and young people have to complete before they can access the service to prove that they understand how their data is being processed.
  • Put a timer on terms and conditions to ensure that the children read them.

Be Transparent

  • Big companies (e.g. Google) could come into schools and let students know how their data is used.
  • Highlight risks associated with giving your personal information.
  • Allow the possibility to ask questions about terms (through chat or IM).
  • Notify the users (by text or email) each time you pass on their data to another company.
  • Provide information immediately upon signing up for an app about how the data will be used, before sign up and agreement to the terms and conditions.
  • Send specific examples of how you've used personal data in the past.

Provide Choice

  • Provide easier options for turning cookies off.
  • Have a choice not to give access to photos or contacts.
  • Have an option to only sign up to some parts or conditions.
  • Ask for a username more than for an actual name.
  • Allow to opt out of geolocation.

2. Provide Access to Personal Data to Children of Any Age

3. Allow Parent Involvement/Control

"We should be in charge of our personal data but our parents should be allowed access it so we don’t get into trouble."

  • Approximately 45 percent of children believe that parents should have at least some role in helping children to manage their personal data until they reach adulthood.
  • Parents should be kept informed of their child’s activities so that they can better protect them or to be able to intervene rapidly in an emergency.

4. Carefully Consider Whether to Use Children's Information for Behavioral Advertising

"Online ads “are so scary because they are pointed at you directly and not at everyone like a TV ad”

  • 60 percent of children and young people did not think that companies should be allowed to use their personal data to offer them personalized ads.

In addition to the children's opinions, it's important here to consider the legal basis for processing children's data for online behavioral advertising, whether parental consent is needed and ePrivacy directive requirements.

5. Carefully Consider Whether and How to Display Ads on Children's Social Media Feeds

"There are also really inappropriate ads that pop up and you are not able to skip them"

  • Feedback from children regarding social media advertising, in general, was overwhelmingly negative (over 70 percent of comments). The word most frequently used to describe ads was “annoying." In fact, almost every class that participated in this consultation included the word “annoying” in their response. The next most popular negative words were “distracting," “repetitive," "irrelevant” and “useless."

  • Others understood that this is a way for companies to make money and that the ads can be helpful if they are relatable and help you find good deals.

Read the full text of the report.

Odia Kagan is a Partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. For assistance with the full range of GDPR compliance issues contact Odia at [email protected] or 215.444.7313.

Further Reading:

EDPB Opinion Provides Guidance on Controller-Processor Agreements Under GDPR

French Privacy Regulator Releases Long-Awaited Rules for Use of Cookies

How To Determine If Europe’s GDPR Law Applies to a U.S.-based Retail Business

European Regulator Provides Guidance on Conducting Clinical Trials Under the GDPR