Kids and Privacy Around the World (final)

Kids and Privacy Around the World. International Privacy + Security Forum 2019. Presented by: Meredith Halama, Partner, Perkins Coie LLP; Mark Watts, Partner, Bristows LLP


Post on 11-Oct-2020


Page 1

Kids and Privacy Around the World

International Privacy + Security Forum 2019

Presented by:

Meredith Halama, Partner, Perkins Coie LLP

Mark Watts, Partner, Bristows LLP

Page 2

Presenters

Mark Watts, Partner, Bristows LLP

Meredith Halama, Partner, Perkins Coie LLP

Page 3

Agenda

Kids Privacy in the US

Kids Privacy under the GDPR

Kids Privacy Around the Globe

Page 4

Section 1

Kids Privacy in the US

Page 5

Introduction to Kids Privacy in U.S.

In the U.S., kids get special privacy protections:

• Online (Children’s Online Privacy Protection Act (COPPA) & its implementing regulations)

• In schools (federal and state laws)

Photo Source: https://commons.wikimedia.org/wiki/File:Circle-icons-computer.svg & https://peoplepng.com/school-png-photo-2/149933/free-vector

Page 6

COPPA: Who is Covered

“Operators” of websites and other “online services”:

• That are directed to children under 13

• With actual knowledge that they are collecting personal information from children under 13 (even if the website or online service is not directed to children)

• With actual knowledge that they are collecting personal information from a site or service that is directed to kids (third party obligations)

Page 7

COPPA: What information is covered

“Personal information,” including:

o First and last name

o A home or other physical address including street name and name of a city or town

o Online contact information

o A screen or user name that functions as online contact information

o A telephone number

o A social security number

o A photograph, video, or audio file, where such file contains a child’s image or voice

o Geolocation information sufficient to identify street name and name of a city or town

o Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above

o and….

Photo Source: https://www.spotx.tv/resources/blog/product-pulse/us-companies-care-pii-non-pii-personal-data/

Page 8

COPPA and Persistent IDs

Under COPPA, persistent IDs that can be used to recognize a user across different websites or online services over time are personal information.

Includes cookie number, an IP address, a processor or device serial number, or a unique device identifier.

But parental notice and consent requirements do not apply if the identifier is used solely to support the internal operations of the site or service and not to show targeted ads or profile a user.

Page 9

COPPA Obligations

1. Post a clear and comprehensive online privacy policy describing information practices for personal information collected online from children

2. Provide direct notice to parents

3. Obtain “verifiable parental consent,” with limited exceptions, before collecting personal information online from children

Page 10

COPPA Obligations (cont’d)

4. Provide parents access to their child's personal information to review and/or have the information deleted

5. Give parents the opportunity to prevent further use or collection of their child's personal information

6. Maintain the confidentiality, security, and integrity of information collected from children

7. Don’t require kids to provide more personal information than needed to participate in the service/offering.

Page 11

Verifiable Parental Consent Options

“Verifiable parental consent” required prior to collecting any personal information from a child (unless just a persistent ID used for internal operations)

Must be “reasonably calculated” to ensure that the person providing consent is the child’s parent.

If the service discloses personal information, or allows children to share personal information, then available methods include verifying the parent’s government-issued ID against a reliable database, requiring the parent to complete a consent form, charging parent’s credit card, and other robust methods.

If the operator will NOT disclose the child’s personal information to third parties (e.g., will use the information only for internal purposes), “email plus” is sufficient.

Page 12

Regulatory Enforcement

FTC

Can impose fines of $40K per violation

Areas of enforcement activity:

• Not directed to children but actual knowledge of users under 13 (Yelp - $450K settlement)

• Directed to children and collecting personal information (Musical.ly - $5.7M settlement; TinyCo - $300K settlement) or allowing targeted ads (Retro Dreamer - $300K settlement)

• Third parties collecting personal information through child-directed (InMobi - $950K settlement)

State AGs

NY AG’s office reached $4.95 million settlement with Oath, Inc. for targeting ads to kids

New Mexico claims against developer and host of ad tech companies

Page 13

Class Action Claims

No private right of action under COPPA

Nevertheless, claims against Disney and others alleging that violations of COPPA constitute other violations (e.g., a claim for intrusion upon seclusion, a violation of the right to privacy under the CA constitution)

Motions to dismiss on preemption grounds pending

Photo Source: https://www.freeiconspng.com/img/402

Page 14

Education Privacy: Federal

The Family Educational Rights and Privacy Act (FERPA) applies to educational agencies and institutions that receive funds under any program administered by the Secretary of Education

Protects “education records:” records containing information directly related to a student and which are maintained by an educational agency or institution or a party acting on their behalf

Protected PII includes student’s name, parent/family member names, address, and similar identifiers

Does NOT apply to providers of technologies that collect information from or about students, but education institutions push down obligations under “school official” exemption for sharing

Page 15

Education Privacy: State

Many binding directly on tech providers

Some only apply to education-specific tech products

Others apply to any technology used in the classroom

Generally require:

• Use of personal information only to provide the service

• NO use of information for targeted ads/profiling

• Secure data

• Particular contractual commitments to schools

Page 16

Section 2

Kids Privacy under the GDPR

Page 17

Introduction to Kids Privacy under the GDPR

Children are identified as “vulnerable individuals” and deserving of “specific protection”

Where consent is the basis for processing personal data from an information society service offered to a child (i.e. online service), that consent must be from someone with parental responsibility rather than the child

• Default age for parental consent is 16, but member states can go as low as 13

• Offline vs online distinction can be significant (e.g. Uber 2017 case)

GDPR leaves in place member state laws governing validity, formation or effect of a contract in relation to a child

Page 18

Kids and Legitimate Interests

Special care needed in conducting legitimate interests analysis for children’s data given sensitivity of that data and special protections for children

Need to build privacy of children into the product from the beginning

Take age of children into account (younger need more protection and older less) – recent case law

Specific protection should apply to the “use of personal data of children for the purposes of marketing or creating personality or user profiles” and when offering services directly to a child

Page 19

Parental Consent under the GDPR

Consent must be given or authorised by the holder of parental responsibility over the child

GDPR requires consent to be:

• Freely given (e.g., no detriment to refusing, can be withdrawn)

• Specific (e.g., given in relation to specific purposes)

• Informed (e.g., after being provided with certain information but before processing begins)

• An unambiguous indication of wishes (active motion or declaration required)

When consent is from the parent for the child, must make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology

Page 20

What are “reasonable efforts” to verify that parent?

Varies depending upon the risks inherent in the processing and the technology that is available

Collecting email address only to send an email to the child

• Declaration that the user is old enough to provide their own consent, or a declaration of parental consent and responsibility, via a tick box or email confirmation = sufficient

Allowing to post publicly

• More is needed -- e.g. third party verification service to verify user’s age or identity of the person claiming parental responsibility

Need to keep in mind other data protection principles, such as data minimization, in verifying age or parental relationship

Page 21

What is (and is Not) Sufficient for Parental Consent

Source: blog.superawesome.com/2018

Page 22

Age of Consent in Different Countries

Austria: 14
Belgium: 13
Bulgaria: 16 (14)*
Croatia: 16
Cyprus: 14
Czech Republic: 16 (15)*
Denmark: 13
Estonia: 16 (13)*
Finland: 13
France: 15
Germany: 16
Greece: 16 (15)*
Hungary: 16
Ireland: 16
Italy: 14
Latvia: 13
Lithuania: 14
Luxembourg: 16
Malta: 13
Netherlands: 16
Poland: 16
Portugal: 16 (13)*
Romania: 16
Slovakia: 16
Slovenia: 16 (15)*
Spain: 14
Sweden: 13
UK: 13

*Exact age not yet finalized

Source: https://www.betterinternetforkids.eu/en_US/web/portal/practice/awareness/detail?articleId=3017751#EE

Page 23

Data Subject Rights and Kids

Any information presented specifically to a child must be provided in concise, transparent, intelligible and easily accessible form using clear and plain language.

• Need to give information directly to kids, even when getting consent from parent

• Often see simple notice for child & fuller notice for parent or guardian

All rights ordinarily afforded to the data subject directly must be exercisable by the parent or guardian if the child is not competent to exercise them, e.g.:

• Parent must be able to access child’s data

• Parent must be permitted to request deletion

• Parent must be able to restrict processing where applicable

Plus right not to have decisions based solely on automated processing (including profiling) if these have a legal or similarly significant effect on them, unless an exception applies.

Page 24

How do you know if you’re offering an ISS to a child?

Per ICO Guidance

If explicitly state that service is for children or has children of any age as its target audience

If made available to all users without any age restrictions or when age restrictions allow users under the age of 18

If only made available to users 18+ then no, but

• In the event of a complaint, may look for evidence that the limit is applied in practice.

• May also consider evidence such as site content, marketing plans, systems or processes designed to limit access, and information provided to users, in this respect.

Page 25

How do you know if you’re offering an ISS to a child? (cont’d)

Per ICO Guidance

Need to carefully consider target audience and be clear about what age group intend to allow.

If decide not to offer service to children, need to consider how to mitigate the risk of them gaining access, using measures that are proportionate to the data protection risks inherent in the processing.

Page 26

Key Considerations for Kids in the EU

Need to do a DPIA?

What is the age of consent where the service will launch?

What obligations do you incur if you learn that a user’s age is under 16 (or the age for which parental consent is required in the relevant member state) after you have collected personal information from the user?

What about third party technologies (e.g. trackers)?

Guidance on verifying parental consent?

Page 27

Implications of offering content that may appeal to kids

Distinguish between child-safe pages (e.g. landing pages)?

Can a zero-data version be provided (e.g. for games)?

Does that mean you need to age-gate?

Is monetization possible?

ICO: consider whether children are able or likely to access the product or service, as if they are you may end up processing children’s personal data

Photo Source: https://giphy.com/gifs/baby-confused-idk-CPskAi4C6WLHa

Page 28

Section 3

Kids Privacy Around the Globe

Page 29

Key Steps for a Global Launch

Identify and prioritize target jurisdictions

• Outside of the U.S., children’s data is considered sensitive by regulators, but there are generally no laws explicitly covering kids privacy like COPPA

Identify any regulatory guidance requiring parental consent or other protections for kids

• E.g. Privacy Commissioner in Canada says that kids under 13 require parental consent

• New Zealand Privacy Commissioner says that kids who are too young need to be represented by adult

Laws governing age to consent to contract are also important, particularly in absence of a privacy law directly governing kids privacy/parental consent

Photo Source: https://dribbble.com/shots/3266597-Simple-Rocket-Ship

Page 30

Key Steps for a Global Launch

Determine overall approach for compliance

• Global approach (e.g., COPPA compliance worldwide, with tweaks)

• Regional approach (e.g., EU-wide policies and procedures)

• Country-by-country approach

Determine other requirements for launch

• Age to enter into binding contract (varies by jurisdiction; parent’s consent may be needed)

• Whether certain rights must be given to parents (e.g., rights of access/deletion)

• Security requirements

• Local laws on anti-sextortion, anti-grooming, anti-sexting, cyber-bullying/harassment, displaying obscene/inappropriate content, etc.

Photo Source: https://giphy.com/explore/rotating-earth

Page 31

Questions?

Meredith Halama | Washington, [email protected] (202) 654-6303

Mark Watts | [email protected] +44 (0)20 7400 8343