Digital Footprints and Little Steps: Why Privacy matters for Children

December 23, 2024
Digital Footprints and Little Steps: Why Privacy matters for Children

By Anuradha Gandhi and Rachita Thakur

Introduction

The Swedish Data Protection Authority investigated that Secondary Education Board in Skelleftea municipality used facial recognition (a controversial technology) over three weeks in order to monitor 22 secondary school students and the board was considering processing personal data through facial recognition which led to fine of SEK 200,000.[1]

Another incident highlighting the vulnerability of children’s privacy in the digital age, Aaradhya Bachchan, an 11 year old became the target of a privacy violation when certain media outlets circulated false image and reports claiming she was critically ill or dead. The Delhi High Court intervened, ordering Google LLC to take down such content, emphasizing the importance of safeguarding a child’s privacy-even in cases involving celebrity children.[2] This case underscores the need to have the privacy to grow, form opinions and develop identities free from pressure of surveillance or public scrutiny.

Understanding children’s data

Children’s data encompasses various types of information, website like Google collects 33% of data from children’s apps, followed by Facebook at 22% and also 85% of the surveyed apps had accessed at least one “dangerous permission” or permission for highly sensitive data, the misuse of which can cause harm to children.[3] The data of children can be categorized into various kinds-

  1. Personally Identifiable Information
    • Name
    • Date of birth
    • Address (home or school)
    • Contact details (phone number, email id)
  2. Sensitive Personal Data
    • Physical, physiological and mental health condition
    • Sexual orientation
    • Medical records and history
    • Biometric information
  3. Online Activity Data
    • Password
    • Browser history
    • IP address
    • App usage data
    • Social media activity (posts, like, comment
  4. Behavioral and Psychometric data
  5. Visual and audio data

Further data like voice, mannerism, product usage activities are also being tracked and collected by various industries.

Stages at which data collection can take place

After birth

As soon as a child is born, parents put monitor on them to check whether the child is sleeping safely in the cot while they do their other chores, being unaware of the facts that baby monitors is enabled by artificial intelligence (AI) and web-connected toys collect data from the cot.[4] Possibilities are that it may be listening the conversation happening at home as study reveals that many baby monitor lack in term of security making it vulnerable to be hacked.[5] An expert estimated that by a child’s 13th birthday, advertisers will have collected on average more than 72 million data points about them.[6]

Adolescent

By the time a child reaches the age of adolescence almost every other teen uses social media, a survey showed that 90% of teens aged between 13-17 have used social media, 75% report having at least one active social media profile, and 51% report visiting a social media site at least daily.  These sites collect your location, age, gender, ethnicity, any post or link they open, like, or share, what they look up, information they share on these platforms, what they buy, people and accounts they interact with and information stored in their device or in other apps.[7]

Children’s Privacy

Privacy has become an important concern in the digital world as data or information relating to children knowingly or unknowingly is being put online posing risk to their personal life. A breach of children’s privacy can have long term effect on their future.[8] Stoilova, Nandagiri and Livingstone (2019) explains three main contexts in which privacy breaches can occur, namely, interpersonal privacy, commercial privacy, and institutional privacy.[9] According to a report by Internet Watch Foundation (IWF), there has been a 1,000% rise in sexual abuse imagery of primary school children since 2019. The alarming statistics underscores the vulnerabilities children face in an increasingly digital world.[10]

Children further lacks the cognitive ability to understand the complexity of privacy policies or long term consequences of consenting to data collection or sharing. This makes them more vulnerable to exploitation.

Interpersonal Privacy

Individual privacy decisions and practices are influenced by the social environment, issues related to peer pressure, offline privacy practices and concerns and parental influences also form important connection to the social dimension of privacy. Use of digital media by parents and the increasing amount of data generated by them while sharing children’s post online or using tracking devices like smartwatches to communicate with them contribute to creating of web presence of child that children cannot control.

Commercial Privacy

Companies often design platforms and services that prioritize profit over privacy. They typically sell the data to advertisers. Advertising companies in turn use their information to target children with personalized ads. Commercial companies gathering more data on children than even governments do or can collect, some of the core ways that companies undermine children’s privacy include

  • Collection of data in exchange for access to games, goods or services, etc.-
  • Sale and analysis of children’s browsing data;
  • Collection of biometric for fingerprint or voice recording;
  • Age verification techniques that can profile children;
  • Government surveillance that requires companies to share intrusive data;
  • Parental controls that monitor children’s Internet use

Game like Pokémon Go collected vast personal information from devices, like email address, IP address, the web page you were using before logging into Pokémon Go, your username and location. Additionally, for those who opted to log in with a Google account on an iOS device, Niantic (or anyone who hacked them) has access to their Google accounts, including reading and sending emails.[11] Also, devices such as smartwatches, often marketed as safety tools for parents to monitor and communicate with their children, pose additional privacy risks like unauthorized actors can intercept confidential conversation between children and parents and also exchange between wearable devices and their servers can be monitored, allowing malicious entities to infer sensitive information about a child’s location, habits, routine, etc.[12]

Institutional Privacy

Institutional aspect of privacy include where data controller is an external agency like government institutions, education platforms, etc. Schools collect lots of personal information like progress reports, exam results, details of any financial aid, scholarship and any absences or exclusions. 80% of schools in the UK use a system provided by one organization, CAPITA SIMS, to log this data. Some information is also shared with the Department for Education and included in the National Pupil Database.[13]

(To read more on data collected by educational institution refer to our article: https://ssrana.in/articles/data-privacy-in-educational-institutions/)

Challenges in protecting children’s data

The protection of children’s data in the digital world has become a critical issue as technology advances and young users increasingly engage with online platforms. Extensive data collection practices, coupled with inadequate safeguards, expose children to various risks of harm online. These risks can be categorized into five Cs: content, contact, conduct, contract and cross-cutting, encompassing the full spectrum of threats to children’s rights in the digital environment.

Risks to Children’s Privacy and Safety

  1. Harmful Content
    Children often encounter harmful content such as pornography, racial discrimination, embedded marketing or misinformation. Exposure to such material can distort their understanding of the world, adversely affect their mental health and influence their behavior in harmful ways.

    In the era of technology, free and easily accessible sexually explicit content on the internet involving women and children is the current social reality.[14]

  2. Harmful Contact
    Online platforms can expose children to harmful contact such as harassment, stalking, sexual abuse and ideological persuasion. Predators and bad actors exploit personal data or communication channels to target children’s online.

    As per a study, Facebook collect personal data of young people and uses it for profiling, many profile being created using sensitive data that potentially leaves young people vulnerable to advertisers.[15] 26% of children reported attempted theft of their online accounts and 22% admitted experiencing cyberbullying[16].

  3. Harmful Conduct
    Children may become victims or participants in harmful conduct, including cyberbullying, sexual harassment or gambling. They are particularly vulnerable to user-generated content, which may glorify self-harm, substance abuse or other risky behavior.
  4. Harmful Contracts
    Risks in relation to contract arises when child uses digital services or is indirectly impacted by digital transactions of others.

    Research conducted by Ofcom in the UK revealed that platforms such as TikTok and Facebook, falsely indicate an older age when signing up. Since these platforms rely solely on users self-declaring their date of birth, young users can easily bypass age restrictions. This create exposure to unsafe content and also unlawful collection of data.[17]

  5. Cross cutting risk
    This kind of risk include one or more of the other risks, amplifying the threat to children’s safety, privacy and rights.[18]

    These risks are being tackled by various jurisdiction under different legislation.

Legal framework protecting Children Data

United Nation Convention on the Right of the Child (UNCRC)- UNCRC protects the right of children by recognizing that for development of child’s personality he/she shall grow up in a family environment, in a happy, loving and understanding surrounding. It further provides with Right to Privacy under article 16 that law must protect children’s privacy, family, home, communications and reputation from any attack and the right to get information from the Internet, radio, television, newspapers, books and other sources under article 17, but adults should make sure the information they are getting is not harmful. Governments ought to promote the media’s dissemination of information from a variety of sources, using languages that are accessible to all children.

General Data Protection Regulation (GDPR)- It provides with conditions applicable to child’s consent in relation to information society services, where a child is below 16 years, processing of data shall be done only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.

Children’s Online Privacy Protection Rules (COPPA)– The Rules provide for substantive protections which includes restrictions on the online marketing that can be targeted toward children and requires the website operators to post a privacy policy whenever data is being collected. It also necessitates that websites obtain verifiable parental consent for the collection and use of any children data.

Digital Personal Data Protection Act, 2023 (DPDPA) – Before processing any personal data of a child under the age of 18 years, verifiable consent shall be obtained of the parent of such child or of the lawful guardian in such manner as may be prescribed by authority. Further, data fiduciary is responsible for ensuring that the processing of a child’s personal data does not harm their well-being. Additionally, tracking or behavioral monitoring of children is strictly prohibited.

Information Technology Act, 2000– The IT Act protects the sensitive personal information of an individual and also provides with penalties against cyberattacks.

Protection of Children from Sexual Offence Act (POCSO)-  The Act recognizes offences of sexual exploitation and sexual abuse, and that both girls and boys can be victims of sexual abuse and such abuse is a crime regardless of the gender of the victim. It further penalizes child pornography.

Conclusion

To protect young people from the harms of social media, Australia came up with the law to ban children under age of 16 years from using social media. This ban will take effect after 12 months and tech companies could be fined up to A$50m ($32.5m; £25.7m) on non-compliance.[19] Other countries can also take up similar initiative to protect the future generation of the country, so that they can have an opinion of their own in future, not influenced by social media or others and to further protect them from becoming victim of various cybercrimes.

https://ssrana.in/articles/safeguarding-childrens-data-under-dpdp-law/ (safeguarding children’s data under DPDP law)

https://ssrana.in/articles/safe-for-kids-act-law-protecting-young-users-harmful-social-media-feeds/ (safe for kids act: protecting young users from harmful social media feeds)

Abhishekta Sharma, Assessment Intern at S.S. Rana & Co. has assisted in the research of this article.

[1] https://www.commonsensemedia.org/articles/who-is-collecting-my-kids-data-and-what-are-they-doing-with-it

[2] https://humanrights.gov.au/about/news/opinions/protect-children-data-surveillance#:~:text=Once%20a%20child%20is%20born,million%20data%20points%20about%20them.

[3] https://vpnoverview.com/privavy/-risks-baby-monitor/

[4] ibid

[5] https://www.commonsensemedia.org/articles/who-is-collecting-my-kids-data-and-what-are-they-doing-with-it

[6] https://www.unicef.org/childrightsandbusiness/media/226/file/Brief-Children-and-Online-Privacy.pdf

[7] https://core-evidence.eu/posts/how-does-the-collection-of-children-s-data-affect-privacy

[8] https://www.weforum.org/stories/2023/03/why-data-is-key-to-safeguarding-children-online-and-ensuring-the-digital-future-we-deserve/

[9] https://www.ciab.com/resources/spotlight-data-pokemon-go-collecting-phone/

[10] https://link.springer.com/article/10.1007/s11276-022-03211-6

[11] https://www.childrenscommissioner.gov.uk/digital/who-knows-what-about-me/

[12] https://www.newindianexpress.com/opinions/2024/Nov/13/extending-net-of-protection-online-for-children

[13] https://au.reset.tech/news/profiling-children-for-advertising-facebooks-monetisation-of-young-peoples-personal-data/

[14] https://www.statista.com/statistics/1346243/india-children-s-experience-with-online-risk/

[15] https://link.springer.com/article/10.1007/s11276-022-03211-6

[16] https://www.ssoar.info/ssoar/bitstream/handle/document/71817/ssoar-2021-livingstone_et_al-The_4Cs_Classifying_Online_Risk.pdf?sequence=4&isAllowed=y&lnkname=ssoar-2021-livingstone_et_al-The_4Cs_Classifying_Online_Risk.pdf

[17] https://www.bbc.com/news/articles/c89vjj0lxx9o

[18] https://www.imy.se/globalassets/dokument/beslut/facial-recognition-used-to-monitor-the-attendance-of-students.pdf

[19] https://indianexpress.com/article/entertainment/bollywood/aaradhya-bachchan-case-court-forbids-circulation-of-false-youtube-videos-ill-health-8566505/

For more information please contact us at : info@ssrana.com