What parents can do to better protect their children’s privacy online

School children singing, Pie Town, New Mexico (LOC)

Our children are growing up with digital devices and an increasingly social Web and are, in the process, sharing their personal information, oblivious to the risks. Parents are increasingly finding themselves in foreign territory with no real idea where to begin to address their children’s privacy. This post is intended to give parents an overview of the privacy frameworks in place and some of the factors to bear in mind.

Protection of Personal Information Bill

This is a draft Bill, making its way through Parliament at the moment. It gives the right to privacy in the Bill of Rights more substance. The Bill focuses on privacy as in informational self-determination, as opposed to privacy as in secrecy. It establishes a framework for what personal information can be collected from whom and what can be done with that personal information. I wrote about this in my post titled “Privacy is about choice“:

Privacy has become more about informational self-determination – each person’s ability to decide what becomes of their personal information. Facebook has been a bit of a cowboy with users’ personal information for some time now and the primary concern, as I see it, is that Facebook has decided, from time to time, to expose more of users’ profile information to the public Web and make that level of disclosure a new default. It has also progressively changed its privacy policy to allow for greater transparency. What it has done is severely limit users’ choices to the point where their choice has become whether to include information on their profiles or not, bearing in mind that any of their personal information could suddenly be made public.

While the Bill is still subject to change, we can draw on a few of the trends in the Bill:

  • Personal information can only be collected with the data subject’s consent, generally speaking (the term “data subject” is the term used for the person whose personal information is collected);
  • Data subjects’ consent must be informed and this means the party collecting the personal information must inform the data subject what personal information is being collected and what it will be used for (this is the rationale for detailed privacy policies);
  • Personal information should only be used for the purpose it is collected for and should either be destroyed or anonymised (the Bill talks about “de-identifying” personal information)
  • ; and

  • Personal information should be kept secure and only disclosed where the data subject consents to disclosure or where required by legal authority.

Children’s personal information is subject to a further requirement. By children, I am talking about children under the age of 18 (a person is legally recognised as an adult, a major, when that person turns 18 – there are exceptions, though, relating to an incapacity or inability to manage the person’s own affairs). The February 2011 draft of the Bill (the current draft as I type this) requires prior consent from a “competent person” before collecting and using a child’s personal information. A “competent person” is defined as follows:

A “competent person”, for purposes of paragraph (a), means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child

The position with children is different to general personal information processing because it requires prior consent from that competent person (usually a parent or guardian). In practice this can be a little tricky to obtain for various reasons. The first reason is that, when it comes to the major social networks, its not clear that the Protection of Personal Information Bill applies to those social networks. That said, the provisions dealing with data transfers outside South Africa require that countries this personal information is transferred to subscribe to similar personal information protection principles in their laws.

Consumer Protection Act

The Consumer Protection Act highlights another reason obtaining consent from children for collection of their personal information is tricky. As I pointed out in my post “Why Website terms and conditions matter“, a website’s terms and conditions is a contract between the site’s visitors and users and the site owner. This implies that the parties to this contract have the legal ability to enter into a contract in the first place (this is also known as “contractual capacity”). Section 39 of the Consumer Protection Act deals with this issue when it comes to children:

Agreements with persons lacking legal capacity

39. (1) An agreement to enter into a transaction, or for the supply of any goods or services, to or at the direction of a consumer—

(a) …
(b) is voidable at the option of the consumer, if—

(i) at the time the agreement was made the consumer was an unemancipated minor;
(ii) the agreement was made without the consent of an adult responsible for that minor; and
(iii) the agreement has not been ratified by either—

(aa) an adult responsible for that minor; or
(bb) the consumer after being emancipated or becoming an adult.

(2) Subsection (1) does not apply to an agreement if the consumer, or any person acting on behalf of the consumer, directly or indirectly, by act or omission—

(a) induced the supplier to believe that the consumer had an unfettered legal capacity to contract; or
(b) attempted to obscure or suppress the fact that the consumer did not have an unfettered legal capacity to contract.

What this means is that a child can enter into a contract with a social network but the parent or guardian whose consent is necessary to ratify or confirm the contract can effectively void that contract. Bear in mind that the contract here probably includes a privacy policy in terms of which the child presumably confirmed that the “competent person” concerned had consented to the social network collecting the child’s personal information. The risk to the social network is that the parent or guardian would decide to void the contract between the child and the social network and, effectively, negate the consent to the social network’s collection of the child’s personal information. This presents a practical challenge to social networks when it comes to applying contractual terms to children’s access to their services and their collection of children’s personal information.

Social networks

The major social networks and services like Facebook and Google’s various services cater for children accessing their services. Facebook’s protections are more robust than Google’s in many respects. Facebook limits who can see children’s Facebook activity. According to Facebook’s Safety Centre –

The only people who can see what teenagers post are their Facebook friends, friends of friends and networks (like the school they attend). We maintain added protections and security settings for teenagers (aged 13-17) that ensure their profiles and posts don’t show up in public search results. Similarly, if teenagers share their location through Places, only their Facebook friends can see it.

Parents should spend some time reading through the information provided in social networks’ privacy information pages. Here are a couple that will probably be pretty relevant:

General tips

Parents should acknowledge that their children are digital natives. Digital is an important part of their daily lives and will be increasingly important in almost all aspects of our daily lives, including the business environment. Trying to block access to this may not work, either for long or at all. Instead parents should engage with their children as much as possible about the services they are using and educate them about the very real risks of disclosing too much information about themselves.

While many parents are unfamiliar with the services their children are using, perhaps even intimidated by those services, they should make every effort to find out more. Often this means creating their own profiles on some of these services and “friending” their kids (even though this would probably mortify your teenagers) so you can keep an eye on what they are doing. That said, children can probably manipulate privacy settings to hide their activities so it falls to parents to learn as much as they possibly can about services like Facebook, Twitter, Google+ and Mxit and what these services’ privacy practices are.

Parents are users too and they should bear in mind that their social activities can comprise their children’s privacy. I wrote about this is a post titled “The privacy myth” a while ago (the post’s main theme is that privacy as in secrecy is a myth online) –

There are two strategies which can help mitigate the effect of the Internet on personal privacy. The first is to proactively manage your identity online. This means using services like ClaimID to create coherent and comprehensive personal profiles online and taking steps to differentiate aspects of your personality from those that either have no link to you or which are misrepresentations or misuses of your identity.

Another simple, yet powerful, strategy is to decide in advance which items of your personal information will never be disclosed online, ever. This strategy depends on the principle that what you don’t disclose can’t be disseminated and misused. Examples of personal information never to disclose may include your identity number, your home address, your home phone number, your children’s school and so on. Particularly sensitive personal information should be closely guarded from disclosure at all times and this requires vigilance.

The major social networks have improved their privacy practices quite a bit in the last few years. There is a common perception that Facebook is inherently insecure but its worth bearing in mind that children may be more at risk when they are out and about in public compared to when they are using Facebook with their privacy settings responsibly configured.

Protecting your children’s privacy is not easy and it is more about controlling what is disclosed and how its used rather than keeping it hidden altogether. That said, it can be done but it require diligence and attentiveness.

Update: I have come across a couple sites dealing with children’s safety online which may be informative:

Published by Paul Jacobson

Enthusiast, writer, Happiness Engineer at @automattic. I take photos too. Passionate about my wife, Gina and #proudDad.

%d bloggers like this: