The perils of collecting children's data

Without a doubt, youth today are living more digitally enhanced and monitored lives than any generation before them.

Their births may have been announced on Facebook, while toddlers use tablets to learn their ABCs and teenage social lives critically depend on smartphone interactions.

"Their digital and personal lives are blurred," said Saurabh Ghelani, a digital trust and privacy expert with PA Consulting in London.

While that has meant plenty of business opportunities for corporations looking to tap into the enthusiasm and buying potential of the young, it also carries huge risks when it comes to how information about them is gathered, stored, and used.

Having a breach of minors' personal data could lead to monetary penalties from regulatory agencies, as the Hong Kong-based electronic toy company VTech found out when it was fined $650,000 earlier this year by the US Federal Trade Commission for not seeking parental consent when collecting children's personal data. More significant risks could come from public relations fiascos, which can mar a company's public image.

Data privacy regulations around the globe are tightening as the public demands more guarantees that companies will safeguard sensitive information closely and disclose when others have access to it.

"As privacy becomes a much larger issue, people are going to be looking to companies to see how their information is collected," said Girard Kelly, the privacy director and counsel for Common Sense Media, a US-based advocacy group that pushes for limits on how companies track and market to young consumers.

Today's economy is infused with technology's increasing ability to analyse, influence, and predict consumer preferences, making data a commodity, said Kandi Parsons, a Washington-based lawyer with law firm ZwillGen.

Having the ability to examine the habits and buying trends of children is a huge opportunity, but is countered with regulatory restrictions and public expectations that youth won't be exploited for monetary gain.

"There's an absolute tension there," Parsons said.

The rules

The stakes are highest when it comes to how companies handle data pertaining to children, with specific rules in place designed to protect information about them and keep individualised marketing campaigns away.

The EU's recently enacted General Data Protection Regulation (GDPR) is considered one of the most significant changes to personal data privacy in a generation. Experts expect other jurisdictions to follow in the EU's footsteps in coming years and tighten their own data privacy laws as global businesses align their practices to the new European standards.

The far-reaching regulation gives EU residents, adults and children alike, the right to inquire about what information about them is gathered and how their information is being used, and to have it deleted or modified upon request, said Marine Brogli, a data privacy expert and CEO of DPO Consulting in Paris. The rules do not apply only to companies based in the 28 EU nations, but to any company that does business in the EU or that has EU consumers.

Most significant is the potential cost of running afoul of the EU rules, with regulators able to levy fines of up to 4% of a company's annual global turnover or €20 million, whichever is greater.

In addition, GDPR says that when collecting information from children under 16, companies need to obtain written consent, with parents and guardians having to sign digital forms approving their children's data being collected, Brogli said. Each country can define the age of digital consent differently, and some have dropped it below 16.

While the potential fines are tremendous, Ghelani said violating the public's trust could be even more costly. Customers will complain, and a widespread problem could lead to negative publicity, questions from investors, drops in share prices, shattered merger-and-acquisition opportunities, and a distrustful customer base. "The potential impact of those short- to midterm issues is much more than the long-term impact of the fine," he said.

In the US, the federal Children's Online Privacy Protection Act (COPPA) outlines the basic parameters companies must follow when collecting and using identifying information online about minors.

Under the 1998 law and its 2013 update, companies must obtain consent from parents or guardians when collecting information online from children under 13, and the law prohibits companies from disclosing or selling the data to third parties without notice. Other US health privacy and education laws also carry restrictions about how children's personally identifiable information is treated, by generally discouraging disclosure of a minor's information except in limited situations.

It is under that set of regulations that consumer and children's rights groups filed a complaint against YouTube in April with the US Federal Trade Commission, accusing the video-sharing service of illegally targeting children with advertisements using data gleaned from their devices and viewing habits.

Evaluate the risk

When children's information falls into the wrong hands, it can also be years before anyone knows anything is amiss, Parsons said. Often, a family won't find out their child was a victim of identity theft until he or she goes to obtain a credit card as an adult.

Brogli said that's why companies should look closely at the information they collect and ensure that steps are taken to keep the most sensitive information from being jeopardised. GDPR's goal is to limit how data exposure affects people's private lives, she said, and if companies jeopardise highly sensitive information such as health data, location, or photographs, it could have lasting effects on the minor.

"The more the impact, the more you will need to take care of that data," Brogli said.

Not only could the hefty fine of 4% of global turnover be levied, but top corporate officials could be subject to criminal charges, she said.

Leaning toward transparency

Kelly suggests that companies with a significant youth market take the time to examine existing practices and ensure they are in line with both the regulations and public expectations of privacy.

Having a security check focused on youth data will give top corporate leaders an idea of what the company could be doing better in terms of abiding by regulations and keeping customers informed.

The best things companies can do when it comes to collecting and using children's data is to be transparent, Ghelani said. Telling consumers why data is collected, how long it will be kept, and how it will be used will go a long way to reassure parents, he said.

"The more transparent, the higher the trust level between the company and the customer," Ghelani said.

That doesn't mean ticking the box by setting out privacy and data policies in a 30-page document with minuscule type, he said. Tell consumers clearly and succinctly what happens when they fill out forms with their children's information, Ghelani advised.

Doing without data

Brogli has found that many companies have simply stopped collecting children's data, for fear of the heavy penalties that a rules violation could carry.

When Disney began scanning the fingers of children as young as 3 at its Orlando, Florida, resort to stop visitors from passing along multiday passes to others, it developed a system to discard the biometric information almost immediately after translating the data into a numeric code and confirming the entry ticket was legitimate to avoid future problems.

"When they can, they simply stop collecting children's data," Brogli said.

Companies can also design online-based products with two versions, one application for younger users that doesn't ask for personal information and another geared toward older audiences that does.

The industry refers to this as "sandboxing", Parsons said, and it offers a way to collect valuable information from teenagers and young adults without running afoul of US regulations.

Kelly, the Common Sense Media counsel, said companies should view regulations as a bare minimum when it comes to protecting children's identifiable information, and not an end point.

"The law serves as a great guidepost for what vendors should be looking for in their own practices," he said. "We always look to go beyond the state of the law."

---

Different jurisdictions, different rules

While much of the attention surrounding children’s data privacy revolves around rules in the US and EU, plenty of other jurisdictions have their own laws on the books.

Australia, China, and Japan, for example, have regulations similar in reach to the EU’s General Data Protection Regulation (GDPR), with laws intended to give citizens the ability to control and limit how companies use data about them. But those nations have not historically enforced those laws in the stringent way GDPR is expected to be enforced, said Rich Vestuto, managing director in the discovery practice of Deloitte’s transactions and business analytics.

In coming months and years, data privacy experts expect more countries to adopt or tighten existing data privacy laws for both children and adults, said Saurabh Ghelani, a digital trust and privacy expert with London’s PA Consulting.

Countries that strike trade deals with the EU will likely have to show they have regulations that protect personal information and are diligent about enforcing them. Most nations have special language about how children should be treated as well, though the definition of what constitutes a minor differs from place to place, Ghelani said.

Here’s a glimpse of how different jurisdictions approach data privacy for young people. Note that the territorial scope of each regulation differs, so companies should familiarise themselves with the rules in areas in which they collect data:

• Under the Australian Privacy Act of 1988, a young person in Australia can give consent to how their data is collected and used, provided that the individual has the understanding and maturity to process what’s at stake, Ghelani said. That means that, in some cases, consent has to be given by a parent or guardian in situations where the child is very young or lacks maturity or cognitive abilities.
• In South Africa, the Protection of Personal Information (PoPI) Act largely prohibits companies from processing personal information of those under 18 except in situations where parental consent has been granted.
• Qatar became the first of the Gulf Cooperation Council nations to adopt a digital data privacy law in 2016 with rules that outline special protections for children. Companies need to obtain explicit consent from parents before processing a child’s personal data, Ghelani said.
• In India, the federal government is drafting legislation on digital privacy and data protection that tentatively is slated to have penalties of up to INR 10 million (about $145,000) or three-year prison sentences.

---

Sarah Ovaska-Few is a freelance writer based in the US. To comment on this article or to suggest an idea for another article, contact Chris Baysden, an FM magazine associate director, at Chris.Baysden@aicpa-cima.com.