As a mother of three children under the age of 12 years old and working in the data protection industry, I have the fortunate position of wearing ‘two-hats’ whilst navigating the digital landscape and that of my children’s.
Understanding what brands can and cannot do with their data and the ‘rights’ that my children have under GDPR is an interesting situation and I use my knowledge to my advantage, not only protecting my children as much as possible, but also working with government agencies to create a safer internet environment for children.
I am priviledged to be able to help other parents understand what rights their children have, ultimately giving control back to parents who feel left behind as their children become more and more digitally savvy.
In September this year, the Information Commissioner’s Office put out a ‘Call-to-Evidence’ for companies and experts to put their opinions forward on the need for an ‘Age-Appropriate Design Code’ to further protect children who are accessing online services. No time was wasted in putting my opinions forward around two main points that tie in to the four overarching core principles of the ‘Children Rights Convention’ (Non-Discrimination, Best Interests of the Child, Development and Protection and Participation);
The two points that were submitted as evidence to the ICO were;
- Robust age-verification processes (Consent) and;
- The presentation and language of terms and conditions, privacy notices and points of data collection
I feel these are two of the biggest issues facing parents today as children sign up for online services under the age of consent. T&Cs, privacy notices etc. are often not in a language a child can understand. Children have little awareness over what happens to their content once posted (who owns it etc.) or what marketing means in general, this to my mind is not in the ‘best interests of the child’ and some brands are flouting the provisions for children under GDPR, which are there as safeguarding measures.
Whilst it’s clear that many brands have worked incredibly hard towards GDPR compliance, there is still a long way to go but at each twist and turn, steps are being discussed at government level and will be implemented, making it a tougher landscape to expose and exploit our children online.
As the digital landscape continues to change at a rapid pace and our children become increasingly savvy, brands should be having a continuous conversation around their brand and company values.
GDPR Recital 38 recognises that, “Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data”.
Furthermore, Recital 75, which provides further explanation on risks to the rights and freedoms of individuals, specifically mentions children as vulnerable natural persons.
What Brands Need to Know in the Age of GDPR
The Economist back in May 2017 stated that personal data, “is the world’s most valuable resource’ ahead of oil, because of how much it now informs the way companies communicate with their customers and how it positively impacts customer experience”. Ensuring you are compliant under GDPR (albeit an arduous process for many companies) can only benefit your company in the long run as you seek to build brand loyalty as your audience grows up and are faced with a swathe of competing brands to choose from. Here are some of my key thoughts on what brands need to consider:
Where you rely on Consent for your processing activities, reviewing how your company obtains consent at the point of data collection is critical. Are you taking steps to verify the child’s age and are those steps reasonable? The core theme of transparency under GDPR is ever more important when data is being collected for marketing purposes.
Article 8 of the GDPR, in relation to offering online service directly to a child, sets the age of consent at 16 (EU member states can provide by law for a lower age, but not below 13). This article stipulates, “The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology”. The fact that the age of consent differs between 13-16 across the EU adds an additional complication to those offering services to children across Europe.
Another thing to consider is ‘data minimisation’ i.e. what data are you collecting, are there any ‘nice to haves’ in there? If so, strip them out and keep data collection to a minimum to mitigate your risks, this is one of the key data protection principles.
Recital 38 specifically highlights how children may not understand how personal data is used for marketing or profiling purposes. They are less aware of the consequences, risks and safeguarding issues and I believe building an ethical relationship with the child comes through projecting transparency, by being upfront and honest about what your organisation is doing with the children’s data you collect.
Article 5(2) of the GDPR says: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 [the other data protection principles]”.
In layman’s terms, the ‘Accountability Principle’ calls for organisations to be accountable and responsible when processing personal data. Businesses should have evidence that they take compliance seriously, and when it comes to children’s data it is highly likely this evidence would be even more open to scrutiny, should things go wrong.
Right to Be Forgotten
Article 17, ‘the right to erasure’ requires companies to remove any personal data from any records which they no longer have a legitimate purpose for retaining. Recital 65 expands on this to say that the right to erasure, “is relevant, where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child….” See the ICO’s guidance on children’s privacy.
If requested by a child or parental guardian, your business will need to remove all data you hold on that specific individual, across the whole organisation. This will allow, for example, for the erasure of posts on social media made by children.
With companies still getting to grips with GDPR and in today’s connected world, it’s important that those who use customer data really understand how they should use it and give children special consideration. In the words of the Information Commissioner, Elizabeth Denham, “GDPR is an evolution, rather than revolution”. Is it time to re-assess where your brand and organisational culture sits on the evolutionary scale?
Gemma Johnson, October 2018
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.