Top
Subscribe to Legal Notes
* indicates required
Back office

Entries in children (3)

Sunday
Jan152012

Parental involvement in children's Facebook activities is essential

Technically only children aged 13 and older may register and maintain Facebook profiles but, in practice, children younger than this are active on Facebook. Children being active on the Internet poses a number of challenges, especially to their privacy and safety so it is essential that parents supervise their children when they use online services. If you are interested in finding out more, take a look at our post about what parents can do to better protect their children's privacy online.

Mashable published an infographic in a post titled "Most Parents Monitor Kids on the Internet – And Have Their Passwords" which is worth reading.

AuthorPaul Jacobson | DateSunday, January 15, 2012 at 7:48AM | | CommentPost a Comment
in , ,
Wednesday
Nov092011

What parents can do to better protect their children's privacy online

School children singing, Pie Town, New Mexico (LOC)

Our children are growing up with digital devices and an increasingly social Web and are, in the process, sharing their personal information, oblivious to the risks. Parents are increasingly finding themselves in foreign territory with no real idea where to begin to address their children's privacy. This post is intended to give parents an overview of the privacy frameworks in place and some of the factors to bear in mind.

Protection of Personal Information Bill

This is a draft Bill, making its way through Parliament at the moment. It gives the right to privacy in the Bill of Rights more substance. The Bill focuses on privacy as in informational self-determination, as opposed to privacy as in secrecy. It establishes a framework for what personal information can be collected from whom and what can be done with that personal information. I wrote about this in my post titled "Privacy is about choice":

Privacy has become more about informational self-determination - each person's ability to decide what becomes of their personal information. Facebook has been a bit of a cowboy with users' personal information for some time now and the primary concern, as I see it, is that Facebook has decided, from time to time, to expose more of users' profile information to the public Web and make that level of disclosure a new default. It has also progressively changed its privacy policy to allow for greater transparency. What it has done is severely limit users' choices to the point where their choice has become whether to include information on their profiles or not, bearing in mind that any of their personal information could suddenly be made public.

While the Bill is still subject to change, we can draw on a few of the trends in the Bill:

  • Personal information can only be collected with the data subject's consent, generally speaking (the term "data subject" is the term used for the person whose personal information is collected);
  • Data subjects' consent must be informed and this means the party collecting the personal information must inform the data subject what personal information is being collected and what it will be used for (this is the rationale for detailed privacy policies);
  • Personal information should only be used for the purpose it is collected for and should either be destroyed or anonymised (the Bill talks about "de-identifying" personal information)
    • ; and
  • Personal information should be kept secure and only disclosed where the data subject consents to disclosure or where required by legal authority.

Children's personal information is subject to a further requirement. By children, I am talking about children under the age of 18 (a person is legally recognised as an adult, a major, when that person turns 18 - there are exceptions, though, relating to an incapacity or inability to manage the person's own affairs). The February 2011 draft of the Bill (the current draft as I type this) requires prior consent from a "competent person" before collecting and using a child's personal information. A "competent person" is defined as follows:

A “competent person”, for purposes of paragraph (a), means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child

The position with children is different to general personal information processing because it requires prior consent from that competent person (usually a parent or guardian). In practice this can be a little tricky to obtain for various reasons. The first reason is that, when it comes to the major social networks, its not clear that the Protection of Personal Information Bill applies to those social networks. That said, the provisions dealing with data transfers outside South Africa require that countries this personal information is transferred to subscribe to similar personal information protection principles in their laws.

Consumer Protection Act

The Consumer Protection Act highlights another reason obtaining consent from children for collection of their personal information is tricky. As I pointed out in my post "Why Website terms and conditions matter", a website's terms and conditions is a contract between the site's visitors and users and the site owner. This implies that the parties to this contract have the legal ability to enter into a contract in the first place (this is also known as "contractual capacity"). Section 39 of the Consumer Protection Act deals with this issue when it comes to children:

Agreements with persons lacking legal capacity

39. (1) An agreement to enter into a transaction, or for the supply of any goods or services, to or at the direction of a consumer—

(a) ...
(b) is voidable at the option of the consumer, if—

(i) at the time the agreement was made the consumer was an unemancipated minor;
(ii) the agreement was made without the consent of an adult responsible for that minor; and
(iii) the agreement has not been ratified by either—

(aa) an adult responsible for that minor; or
(bb) the consumer after being emancipated or becoming an adult.

(2) Subsection (1) does not apply to an agreement if the consumer, or any person acting on behalf of the consumer, directly or indirectly, by act or omission—

(a) induced the supplier to believe that the consumer had an unfettered legal capacity to contract; or
(b) attempted to obscure or suppress the fact that the consumer did not have an unfettered legal capacity to contract.

What this means is that a child can enter into a contract with a social network but the parent or guardian whose consent is necessary to ratify or confirm the contract can effectively void that contract. Bear in mind that the contract here probably includes a privacy policy in terms of which the child presumably confirmed that the "competent person" concerned had consented to the social network collecting the child's personal information. The risk to the social network is that the parent or guardian would decide to void the contract between the child and the social network and, effectively, negate the consent to the social network's collection of the child's personal information. This presents a practical challenge to social networks when it comes to applying contractual terms to children's access to their services and their collection of children's personal information.

Social networks

The major social networks and services like Facebook and Google's various services cater for children accessing their services. Facebook's protections are more robust than Google's in many respects. Facebook limits who can see children's Facebook activity. According to Facebook's Safety Centre –

The only people who can see what teenagers post are their Facebook friends, friends of friends and networks (like the school they attend). We maintain added protections and security settings for teenagers (aged 13-17) that ensure their profiles and posts don't show up in public search results. Similarly, if teenagers share their location through Places, only their Facebook friends can see it.

Parents should spend some time reading through the information provided in social networks' privacy information pages. Here are a couple that will probably be pretty relevant:

General tips

Parents should acknowledge that their children are digital natives. Digital is an important part of their daily lives and will be increasingly important in almost all aspects of our daily lives, including the business environment. Trying to block access to this may not work, either for long or at all. Instead parents should engage with their children as much as possible about the services they are using and educate them about the very real risks of disclosing too much information about themselves.

While many parents are unfamiliar with the services their children are using, perhaps even intimidated by those services, they should make every effort to find out more. Often this means creating their own profiles on some of these services and "friending" their kids (even though this would probably mortify your teenagers) so you can keep an eye on what they are doing. That said, children can probably manipulate privacy settings to hide their activities so it falls to parents to learn as much as they possibly can about services like Facebook, Twitter, Google+ and Mxit and what these services' privacy practices are.

Parents are users too and they should bear in mind that their social activities can comprise their children's privacy. I wrote about this is a post titled "The privacy myth" a while ago (the post's main theme is that privacy as in secrecy is a myth online) –

There are two strategies which can help mitigate the effect of the Internet on personal privacy. The first is to proactively manage your identity online. This means using services like ClaimID to create coherent and comprehensive personal profiles online and taking steps to differentiate aspects of your personality from those that either have no link to you or which are misrepresentations or misuses of your identity.

Another simple, yet powerful, strategy is to decide in advance which items of your personal information will never be disclosed online, ever. This strategy depends on the principle that what you don't disclose can't be disseminated and misused. Examples of personal information never to disclose may include your identity number, your home address, your home phone number, your children's school and so on. Particularly sensitive personal information should be closely guarded from disclosure at all times and this requires vigilance.

The major social networks have improved their privacy practices quite a bit in the last few years. There is a common perception that Facebook is inherently insecure but its worth bearing in mind that children may be more at risk when they are out and about in public compared to when they are using Facebook with their privacy settings responsibly configured.

Protecting your children's privacy is not easy and it is more about controlling what is disclosed and how its used rather than keeping it hidden altogether. That said, it can be done but it require diligence and attentiveness.

Update: I have come across a couple sites dealing with children's safety online which may be informative:

AuthorPaul Jacobson | DateWednesday, November 9, 2011 at 11:07AM | | CommentPost a Comment
in , ,
Wednesday
Aug042010

The trouble with children these days

I've written about the importance of terms of use and privacy policies online a number of times and the contractual nature of those documents. They form an important part of a site's contractual framework that governs access to and use of a site. Although most people don't take the time to read those documents, when prepared and presented properly on a site, they are nevertheless binding contracts with visitors to a site. Well, for the most part ...

What most people don't realise is that this general rule doesn't apply to minors, that is children or people under the age of 18. This poses a very interesting and troublesome challenge to anyone who operates a website which caters for or may even be aimed at children. Possible implications could include the invalidity of website terms of use and privacy policies as contracts with minors and even violations of the anticipated Protection of Personal Information Bill which will regulate how personal information may be collected and processed when it is passed, hopefully later this year.

School children singing, Pie Town, New Mexico (LOC)

The contractual issue has to do with children's legal capacity to enter into a contract. The Children's Act sets the age of majority at 18 so anyone younger than 18 years of age is likely a minor (I say likely because minors can be emancipated and would become adults or majors when emancipated, even if they are younger than 18. This is by far the exception to the rule and usually the result of a court process). The general rule was set out in the case of Edelstein v Edelstein (1952 3 SA 1 A) by the then-Appellate Division (now the Supreme Court of Appeal). Judge Van den Heever said the following in that judgment:

In Roman Dutch law the judgment of a minor is considered immature throughout his minority and he is consequently not bound by his contracts."

This is a general principle and there are exceptions to it. These exceptions include instances where the child enters into a contract with a guardian's or parent's consent or where the contract is purely beneficial for the child and imposes no obligations. The challenge or website proprietors is that their terms of use and privacy policies frequently impose obligations on visitors or users and where a child makes use of an online service or browses to a website without a guardian's or parent's consent, that child can't be regarded as having entered into a contract with the website proprietor in the form of that legal framework on the website. In a nutshell, website terms of use and privacy policies could be ineffective when it comes to minors and that means all the protections those documents afford site owners could fall away when dealing with children.

When it comes to privacy policies there is an additional dimension which complicates matters somewhat. The Protection of Personal Information Bill prohibits processing of a child's personal information. The term "processing" has specific meaning in the Bill:

"processing" means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including-

(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, use;

(b) dissemination by means of transmission, distribution or making available in any other form; or

(c) merging, linking, as well as blocking, degradation, erasure or destruction of information;

One exception to this prohibition is where a parent or guardian consents to a provider processing the child's personal information although I expect that this consent must be informed. Short of a provider satisfying these requirements, it will not be permitted to "process" a child's personal information at all. This means that a provider may not permit a child to create profiles on their service, submit any personal information or even comment on a blog post where doing so would mean submitting a name, email address or any other personal information in the process. The Bill defines personal information as follows:

"personal information" means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

(b) information relating to the education or the medical, financial, criminal or employment history of the person;

(c) any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;

(d) the blood type or any other biometric information of the person;

(e) the personal opinions, views or preferences of the person;

(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

(g) the views or opinions of another individual about the person; and

(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

Consider the scope of "personal information" for a moment and you start to appreciate how far reaching these provisions will be.

Restrictions on access to sites for minors isn't new but the usual way providers have tried to deal with this has been by including a provision in their terms of use to the effect that the visitor confirms he or she is above a certain age. The problem with this approach is that agreeing to that provision in the terms of use is an exercise of contractual capacity which adults generally enjoy. As I pointed out above, children, for the most part, do not enjoy this contractual capacity so those sorts of age verification provisions are meaningless. It then potentially falls to the provider to verify visitors' age independently of the visitors' say so or to accept that any claims they thought they may have against minors using their service would not exist contractually where they can't establish a binding contract against the minor.

This may all sound rather esoteric but it could have real implications for providers who, for example, operate a paid service which a child accesses and then refuses to pay for. This could affect mobile content providers who sell mobile content, often as a subscription service. Children increasingly have mobile phones of their own and could easily subscribe to a mobile subscription service where charges could rapidly escalate if not kept in check.

Providers need to take special care when it comes to children both for contractual and privacy reasons. It is not enough to rely on vague age verification statements. Providers need to do more than that or they could assume a substantial risk. Certainly more risk than they assume at the moment.

AuthorPaul Jacobson | DateWednesday, August 4, 2010 at 10:02PM | | CommentPost a Comment
in , , ,