Home / Research Paper / Children Privacy Protection on the Internet, Research Paper Example

Children Privacy Protection on the Internet, Research Paper Example

Pages: 8

Words: 2181

Regarding online privacy protection for children, we see that not many countries have clear specific regulations addressing this subject matter. In this section we will compare and analyze the laws in the U.S. versus the European Union (UK in depth) and Latin America.

United States

Legislation findings

The United States is one of the few countries that has a specific law in place called the Children’s Online Privacy Protection Act (COPPA)

COPPA became law in October 1998 to address the privacy concerns of online websites that gathered information from operators under the age of thirteen. The law effectively states that all websites must adhere to restrictions even if a company’s website is not directed towards children. If it is a general audience website and the operator has actual knowledge that it is collecting personal information from children under thirteen, compliance with the Act is required.

The Act requires operators of commercial websites or online services to provide notice of the type of information collected from children and to state how this information is used. COPPA requires that parental consent is verified before collecting children’s information that would be used for anyone to contact the child off-line or share information with third parties. Furthermore, parents must also be provided with means to review the personal information that has been collected and to refuse to allow it to continue to be used. Finally, the Act requires that reasonable measures are taken to ensure that the information collected is properly secured to ensure privacy and integrity.

COPPA does not enforce only online sales organizations of web sites. It also includes legislating and monitoring home pages, pen pal services, e-mail services, message boards, blogs or chat rooms. The Act also defines personal information to “include a first and last name, a home or other physical address, an e-mail address, a telephone number, a Social Security number, any other identifier that the Commission determines will permit the online or physical contacting of a child and information concerning the child or parents of that child that the website collects.” [1] [2]

Strengths & Weaknesses

According to COPPA, an operator of a website directed at children must obtain verifiable parental consent before collecting or using any personal information from children using the website. The operator must also implement a reliable method for determining the age of the website’s users.

Some critics have claimed that the methods outlined by the FTC for verification – sending signed printed forms, supplement of credit card numbers, calling toll-free numbers, or forwarding digital signatures through email – are slow and inadequate. As new technology develops, it is important to create faster and more effective methods.

On the other hand, other critics have claimed that the age of 13 is not “sufficiently adult.” No study has determined that at the age of 13, kids are more capable of using computers without adult supervision. Some children above that age may still need parental control.

There is always the risk that kids may manipulate information of parent’s consent so legislation can only reach until certain point. Parents must be proactive in the education of their children and control their online activity.

European Union

Legislation findings

The European Union (EU) is known for leading the world in terms of privacy protection laws. However within the EU data protection directive there is no specific part addressing online privacy protection for children.

The European Union Data Protection Directive is designed to protect the privacy and protection of all personal data that is collected about EU citizens. The Directive enforces the processing, use and exchange of all data. Furthermore, all of the key elements from article 8 of the European Convention on Human Rights are covered that forces entities to respect the rights of privacy in personal and family life, as well as in the home and in personal correspondence.

The recommendations of the Data Protection Directive are based on seven principles which include notice, purpose, consent, security, disclosure, access, and accountability. Essentially, the Directive states that all persons should be given notice when and by whom their data is collected and that such collection must only be used for officially stated purposes. Personal data must not be shared with third parties without first receiving consent from the original subjects and the data must remain confidential and secure from abuse or thievery. Finally, all persons whose personal data is collected should be able to hold the collectors accountable for adhering to the seven principles of the Data Protection Directive.

The Directive defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity” (Article 2a).” [3] [4]

Directives issued by the EU aren’t legally binding so member countries must create internal laws to implement these directives. For the EU data protection directive, all member states have passed data protection legislations.

UK Law

UK enacted the Data Protection Act of 1998 to bring UK Law in line with the European Directive of 1995. As with the directive, the law doesn’t directly address privacy protection for children.

The Data Protection Act in the United Kingdom offers all individuals the right to know what information has been collected about them and provides an organized framework to ensure that such information is properly used and maintained. The Act states that anyone who uses personal information must adhere to eight key principles that state that information is Fairly and lawfully processed; Processed for specific, limited purposes; Relevant and not excessive to its purpose; Accurate and up-to-date; Not kept for longer than necessary; Processed by adhering to individual rights; Maintains Security; and the information is not transferred to other countries without adequate protection.

Finally, the Act also offers individuals the right to find out what personal information is being held and the manner in which the information is maintained. For instance, the individual can be informed whether the information is held digitally or in paper format. [5] [6]

Strengths and Weaknesses

As the EU Data Protection directive and therefore the UK Data Protection Act apply to adults and children in the same way, they don’t deal explicitly in the law with the issue of obtaining consent from children.

However, the Information Commissioner has written that any online service that collects information from children should have stronger security measures. The Commissioner wrote that “children generally have a lower level of understanding than adults, and so notices explaining the way you will use their information should be appropriate to their level, and should not exploit any lack of understanding.” Furthermore, the language within the explanation must be clear and appropriate based on the child’s age group. The Commissioner also stated that personal information from children must be granted consent from the parent of guardian, unless it is clear that the child understands the process and maintenance of such information in order to make an informed decision.

According to the Information Commissioner, the Data Protection Act “does not state a precise age at which a child can act in their own right.” The standards developed by Trust UK (www.trustuk.org.uk) are both reasonable and approved for use of enforcement by the UK. Children must be treated separately from adults and marketing efforts must not exploit children to take advantage of their lack of information without gaining verifiable parental consent. Furthermore, data should not be gathered about adults from children. They will not collect personal data about adults from children. [7]

Comparing the UK Data protection act with the COPPA act in the U.S., we see that in the UK the law is not as detailed and specific as in the U.S. with respect to children. For example the age ranges are not in the law but in the comment from the commissioner and it is more open to the “capacity of the child”. Also, the verification processes are more open to the decision of the service providers.

Latin America

Legislation findings

Our research across the region revealed that there are overall legal protections in regards to privacy but not specific to child online privacy protection.

Data protection legislation emerged in Latin America with Chile’s law protecting private life and personal data[8], followed by Argentina’s Personal data protection law enacted in 2000[9]. The rest of the region has been distant and at this time only Colombia, Uruguay and Brazil are in the process of analyzing Data Protection laws. Other Countries in Latin America lack specific legislation on the subject matter and rely on provisions set on the constitution and other laws[10] .

Montevideo Memorandum

The clear need for legislation directed to protect online children privacy led a group of policy makers, experts and academics from the region to meet in Uruguay. The final document, called Memorandum about the protection of personal data and the private life in internet’s social networks, especially of children and teens “is a set of ideas and recommendations aimed for governments and industry to adopt and implement. [11]

Argentina

Argentina is a very active country in regards to data protection and has been the only Latin American country approved by the EU to meet the requirements of the EU Data Protection Directive.

Argentina has provided that the Personal Data protection law provides several rights to individuals based on the collection, processing and security of personal data that should be awarded without financial charge. First, the individual has the right to ask the agency for monitoring and reporting on the personal data that has been collected. This right may also be exercised when a third party collects personal data so that individuals are informed the purpose and use of the data. Secondly the individual also has access rights that provides the owner of the data access to the personal data that is contained in data banks and public sectors. As the individual has right to access their data, he or she also can update, delete or modify the data when it is determined to be inaccurate or incomplete.

In addition to creating these rights to individuals, the law also enforces registration of personal databases in the National Register. Databases should also be adapted to ensure legality and that security measures are taken to comply with technical and organizational law. The government can also engage in a statutory audit of web pages that includes preparing terms of agreement and policies that must be utilized for handling personal information. The law finally requires organization and individuals to comply with rules for international data transfer where information may be exchanged with foreign countries. [12]

Local Issues

Even though Argentina and Chile have enacted Data protection laws and other countries in the region are analyzing laws, there is still a great concern of the effectiveness of the enforcement of those laws.

“It is common to see in the Internet new pirate databases of email or electoral roll data being offered. Due in part to weak online security or lack of employee confidentiality it is very easy to obtain personal information from companies or the government, as demonstrated by the ChoicePoint case [13] (involving public records from Argentina, Brazil, Colombia, Mexico, Costa Rica and Nicaragua).”[14]

Country agencies must be also adequately funded and led to fight the region’s sectors that do not comply with privacy protection legislation focusing on the issues of traffic of stolen databases from private and public sector sources, excessive spam, the increasing problem of identity theft among others.

Conclusion

After reviewing the different laws in the U.S., the E.U. (UK) and Latin America, we can conclude that even thought the EU is well more advanced that other regions in terms of privacy protection, if we refer specifically about children and online privacy protection, the U.S. is currently leading this area with its COPPA act and the proactive actions that the FTC take in order to make companies comply with this act.

The EU Acts are very complete and very restrictive but not as detailed and specific about children and the online activity. L.A. is not well developed in the area of privacy laws and definitely not in the case of children online privacy protection.

Nowadays, as children are using the internet more and more, it is imperative that the governments create and implement specific laws regarding children privacy protection. Generally Children are not aware of all the risks that are associated with sharing their information online. Although COPPA is a specific law that regulates this subject, it should continue evolving creating better tools for verification of parental consent.

[1] Overview of U.S. Laws Relating to E-Commerce – Ladas & Parry LLP Intellectual Property Law. http://www.ladas.com/Internet/ECommerce/EComme05.html

[2] COPPA – Children’s Online Privacy Protection Act, http://www.coppa.org/coppa.htm

[3] EU Data Protection Directive Definition, SearchSecurity.co.UK, http://searchsecurity.techtarget.co.uk/sDefinition/0,,sid180_gci1293055,00.html

[4] Directive 95/46/EC of the European Parliament and of the Council, http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf

[5] Data Protection Act of 1998, United Kingdom Act of Parliament, http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1

[6] The Information Commissioner’s Office of the UK, http://www.ico.gov.uk/what_we_cover/data_protection/the_basics.aspx

[7] The Information Commissioner’s Office of the UK, Data Protection Good Practice Note, http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/collecting_personal_information_from_websites_v1.0.pdf

[8] Law 19628 (In Spanish) http://www.sernac.cl/leyes/compendio/docs_compendio/Ley19628.pdf

[9] Law 25326 (In Spanish) http://www.red.org.ar/ley.htm

[10] Online Academic Sources: http://www.habeasdata.org/ (Spanish), http://www.habeasdata.org.co (Spanish), http://relatorestematicos.uniandes.edu.co/index.php/proteccion-datos-personales/relatoria/121-proteccion-datos-america-latina.html (Spanish)

[11] Montevideo Memorandum: http://www.iijusticia.org/Memo.htm

[12] Tecnoiuris.com, Personal Data Protection Law FAQ, http://www.tecnoiuris.com.ar/proteccion-datos-personales/preguntas-frecuentes.php

[13] Chase Case: http://www.smh.com.au/articles/2003/05/05/1051987657714.html

[14] Privacy International – Silenced – Latin America Profile, http://www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-103798