The European Data Protection Supervisor (“EDPS”) has issued an opinion on Europe’s strategy for protecting children on the Internet.  The European Commission consults with the EDPS on a variety of data protection issues.  However, the opinions of the EDPS are not legally binding. 

Among other things, the EDPS expressed support for: 

  • The implementation of technical tools, such as age-appropriate default privacy settings, to enhance the privacy of children online.     
  • Clear notice about the impact a change to a default setting would have on a child’s privacy and the potential harm it may cause. In particular, the EDPS suggested that in some circumstances a child might not be permitted to change the default settings, or might change the defaults only with parental consent, stating that the “extent to which a child may change the default privacy settings should also be linked to the age and level of maturity of the child.  It should be explored to what extent, and within which age group, parental consent would be required to validate a change of privacy settings.” 
  • A requirement that service providers inform children about the level of sensitivity of each piece of information they provide when creating an online profile and about the potential risks or harms they may encounter when such information is disclosed to a defined group of people or to the public. 
  • A restriction on industry’s ability to create online behavioral advertising segments that target children.
  • A legal mandate for industry to deploy an EU-wide reporting tool for content that is harmful to children.

 

Although the EDPS noted that the Commission added a “right to be forgotten” online in the proposed Data Protection Regulation because disclosure of children’s personal data on social networking sites might have long term consequences for children and others who are mentioned in the child’s comments or photos, the EDPS also recognized that, “in practice, deleting or rectifying information that has been posted online can be a challenge.”

And with respect to age verification, the EDPS stated that volunteered age information may not be reliable, but also recognized that age verification models that are designed to infer a user’s age or verify the user’s identity may involve a disproportionate amount of data collection and processing and could be unreliable as well. Without taking a firm position on age verification, the EDPS stated that age verification tools must take care to collect and maintain only “necessary data” and indicated that a future opinion will address the proposed Regulation on electronic identification and trust services.

As background, EU law currently does not include specific requirements for children. Instead, data protection authorities have interpreted existing data protection laws to require children’s privacy and data protection rights to be respected in a manner appropriate to the child’s level of maturity and comprehension.

The proposed EU Data Protection Regulation, however, would include requirements specific to children and harmonize children’s privacy laws across the member states. Article 4(18) of the proposed Regulation would define a child as a person under the age of 18 years. Among other things, data controllers would be required to provide information to children in a language that the child can easily understand, provide children with a “right to be forgotten” online, and provide children with certain default, age-appropriate privacy settings. In addition, the proposed Data Protection Regulation would require verifiable parental consent before personal data of children under the age of 13 could be processed in the context of information society services.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the…

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.

Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications and new technologies.

Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.