The Data Protection Commission (DPC) have given every school and Youthreach centre in Ireland the opportunity to take part in a consultation on children’s privacy rights.
The consultation, launched in 2018, was organised in two streams. In the first one, adults were able to submit their views on issues related to the processing of children’s personal data. The second stream – which is the focus of this article – was aimed at children and young people.
The DPC released the report in early August on the second stream. It provides interesting and valuable insight into:
- The thoughts, opinions and expectations of children and young people in relation to important data protection issues and their privacy
- Their level of awareness and engagement with the subject matter
- The laudable consultative approach taken by the DPC to involve children and young people directly in the debate, and give them a chance to voice their opinions, as promoted by the principles enshrined in the UN Convention on the Rights of the Child (UNCRC).
What are the key points to remember from this report?
Children have clear expectations of online services, apps and platforms in relation to their obligation to explain what they do with their personal data. To enhance explainability, they would want to see greater “simplicity”, “accessibility”, “transparency” and “flexibility” in their interactions with companies.
Simplicity in the digital world especially, as per their opinion, is about using language that children and teenagers can understand to improve transparency. This may include breaking down chunks of terms and conditions into simple bullet points or conveying the message via a cool, fun and colourful video or clip that would make them engage with the content. “Tiny writing” and complicated language to make it harder to find out more about the risks associated with using their personal data for services is seen as a deceitful approach designed to mislead them.
Children want to have more flexibility to take decisions around the use of their personal information, for instance, by giving the option to opt-out of certain parts of often long-winded terms and conditions, without affecting their ability to enjoy the services offered.
They expect companies to be more approachable and reachable if they have queries by implementing more accessible communication mechanisms (e.g. an Instant Messaging service) which would give them the chance to instantly ask questions and get answers where clarifications are required. Some even expressed the need for large companies, such as Google, to invest more in an awareness program such as having Television advertisements, and doing presentations in schools designed to explain to them how their data is used and what happens to their data once collected.
Feedback from children regarding targeted ads and social media advertising in general was quite negative (90% in most cases for targeted ads and above 70% for social media advertising). The most common adjectives used to describe ads were “annoying”, “distracting”, “repetitive”, “irrelevant”, “useless”, “creepy”, and “intrusive”. This shows that children and young people are as conscious about their online privacy as adults, if not more. Similar studies in the past have shown that targeted advertising was generally not well perceived by the internauts.
Clearly, children and young people have got to grips with the subject matter and there is the need for organisations to be more resourceful to meet these expectations. The challenge for organisations is that the General Data Protection Regulation is a principles-based regulation. On one hand, the provisions related to children do not prescribe and elaborate on actions that organisations need to take to implement the law in practice. On the other hand, they bear the responsibility to demonstrate compliance with the law under the accountability principle.
So, what should they be doing to be accountable when engaging with children and young people?
- They must design their processing with children and young people in mind from the outset, and embed a Privacy by Design by default approach.
- As a matter of good practice, they must take children’s views into account when designing a new processing activity.
- As a matter of good practice, and where processing is likely to result in high risks to the rights of children, they must carry out a Data Protection Impact Assessments (DPIAs) to help assess and mitigate the risks.
Therefore, organisations which engage with children and young people must undertake an independent review of their practices, to ensure they are aligned with the practical insights provided in this report and the requirements of the law.
To find out more about how Gemserv can help in this respect, please contact us at firstname.lastname@example.org for an overview of our professional services.