With enforcement on children’s data privacy ramping up around the world, Ireland’s Data Protection Commission has issued a detailed report on the fundamental principles of such data privacy, as well as some helpful suggestions to controllers on how to improve.
The key principles:
FLOOR OF PROTECTION: Online service providers should provide a “floor” of protection for all users, unless they take a risk-based approach to verifying the age of their users. CLEAR-CUT CONSENT: When a child has given consent for their data to be processed, that consent must be freely given, specific, informed and unambiguous, and by a clear statement or affirmative action. ZERO INTERFERENCE: Ensure that the pursuit of legitimate interests do not interfere with, conflict with or negatively impact, at any level, the best interests of the child. KNOW YOUR AUDIENCE: Take steps to identify your users and ensure that services directed at/ intended for or likely to be accessed by children have child-specific data protection measures in place. INFORMATION IN EVERY INSTANCE: Children, not just their parents, are entitled to receive information about the processing of their own personal data. CHILD-ORIENTED TRANSPARENCY: Privacy information about how personal data is used must be provided in a concise, transparent, intelligible and accessible way, using clear and plain language that is comprehensible and suitable to the age of the child. LET CHILDREN HAVE THEIR SAY: Don’t forget that children are data subjects in their own right and have rights in relation to their personal data at any age. CONSENT DOESN’T CHANGE CHILDHOOD: Consent obtained from children or from guardians/parents should not be used as a justification to treat children of all ages as if they were adults. YOUR PLATFORM, YOUR RESPONSIBILITY: If a platform uses age verification and/or relies on parental consent for processing, it should go the extra mile in proving that its measures around age verification and verification of parental consent are effective. DON’T SHUT OUT CHILD USERS OR DOWNGRADE THEIR EXPERIENCE: If your service is directed at, intended for, or likely to be accessed by children, you can’t bypass your obligations simply by shutting them out