As children become more connected and organisations like banks seek to engage them, the matter of child privacy is very important. In much of the developed world, child privacy is enforced through a series of laws by which organisations and individuals must abide. Whilst not complete, the following overview provides a place to start for those with responsibility for compliance and duty of care, and reveals a number of common threads across the US and the Commonwealth.
In Australia, the personal information of individuals under the age of 18 is regulated by a number of laws, including the Privacy Act. Many aspects of the privacy principles require or allow an individual to provide consent to the collection, use or disclosure of personal information about him or her. The Act also establishes a number of situations where an individual can make a request or exercise a right. These include:
- consenting to the collection of sensitive information;
- consenting to a particular use or disclosure of personal information, including consent to use such information for the purpose of direct marketing;
- requesting not to receive further direct marketing communications from an organisation;
- consenting to the transfer of personal information outside of Australia;
- requesting access to personal information held by an agency or organisation;
- opting for anonymity or pseudonymity in transacting with an agency or organisation; and
- making a complaint against an agency or organisation.
The Privacy Act sets no minimum age at which an individual can make decisions regarding his or her personal information. The Guidelines to the National Privacy Principles suggest that each case must be considered individually and give guidance as to when a young person may have the capacity to make a decision on his or her own behalf.
As a general principle, a young person is able to give consent when he or she has sufficient understanding and maturity to understand what is being proposed. In some circumstances, it may be appropriate for a parent or guardian to consent on behalf of a young person; for example, if the child is very young or lacks the maturity of understanding to do so themselves.
In the US, the protection of data of US residents is regulated by laws enacted at both the national and state level. There is no single data protection legislation. Federal statutes are generally aimed at specific sectors, while state statutes are more focused on protecting the privacy rights of individual consumers. The right to privacy is a common law right that has been incorporated into the state constitutions of many states and into the laws at both state and federal level. Laws protecting data and consumer privacy are based on a principle that an individual has an expectation of privacy unless that expectation has been diminished or eliminated by agreement, statute or disclosure.
Most states have adopted laws protecting the personally identifiable information (PII) of their residents. These laws apply to the information about a resident of the particular state and require businesses to comply with the state’s laws if the business collects, holds, transfers or processes information about a state resident, even if the business does not have a physical presence or business operation in the state.
These state laws may include obligations to:
- Protect PII
- Take reasonable steps to securely destroy records containing PII when it is to be discarded
- Protect Social Security Numbers against disclosure
- Restrict the collection and use of driver's license information for any purpose other than age verification or identification
- Provide written notice to any data subject whose PII is accessed
- Encrypt personal information in transit or at rest
The Gramm-Leach-Bliley Act governs the protection of personal information in the hands of the financial services industry. This statute addresses “Non-Public Personal Information” (NPI), which includes any information that a financial institution (FI) collects from its customers, and imposes requirements for securing NPI, restricting disclosure and use of NPI, and notifying customers when NPI is improperly exposed to unauthorised persons.
The Children’s Online Privacy Protection Act (COPPA) is a law created to protect the privacy of children under 13. The Act was passed by the U.S. Congress in 1998 and took effect in April 2000. COPPA is managed by the Federal Trade Commission (FTC).
The Act specifies:
- That sites must require parental consent for the collection or use of any personal information of young Web site users.
- When and how to seek verifiable consent from a parent or guardian.
- What responsibilities the operator of a Web site legally holds with regard to children’s privacy and safety online, including restrictions on the types and methods of marketing targeting those under 13.
Although COPPA does not specifically define how parental consent should be gained, the FTC has established guidelines to help Web site operators ensure compliance with the Act. These suggestions include:
- Clear display of downloadable consent forms that may be mailed or faxed to the operator.
- Requiring that a parent use a credit card to authenticate age and identity.
- Requiring that a parent call a toll-free phone number.
- Accepting an email from a parent that includes a digital signature.
Any platform that collects information from children under the age of 13 has to abide by COPPA. The Act affects many popular sites like MySpace.com, Facebook.com, Friendster.com, Xanga.com and other social networking sites.
There are a number of points here:
- Whilst our customers (banks) are responsible for ensuring their compliance with the statutes that govern their operation, they impart those obligations on us.
- The deployment of ChoreScout, like all digital properties, comes with an obligation to protect customer data. We do this by adopting industry-standard security mechanisms and welcome the discussion on how.
- End User Agreements must be reviewed for compliance with the specific requirements around children and the handling of consent by them or their guardians.
- Moroku employs public cloud-based infrastructure services to store data. Acknowledgement of this within End User Agreements may be deemed necessary.
- We have architected ChoreScout to restrict the personally identifiable data we hold. Today this is restricted to customer email for registration and data recovery purposes, and we gain approval for this through the terms and conditions of the app that customers agree to in the registration process.
- We have discussions on terms, conditions and privacy with all of our customers during the on-boarding process, providing perspective but deferring to their own legal teams to assure their compliance.