A Simple Step to Better Online Child Privacy

Fact: Many websites share your personal information with “trusted third-party partners”.

It could be for research, to improve or measure ad performance, or “to better understand their audiences”. We can never be sure just how our data is used behind the scenes, and increased data sharing also leads to increased risk of data theft, so it’s not surprising many of us try to opt out of data sharing when we can. But what about children? How can parents and guardians protect their child’s data? (Note this is separate from the topic of censoring content for children.)

There are a growing number of international laws (e.g. COPPA, GDPR, CCPA) that cover the protection of children’s privacy online, but some issues remain:

  • Websites for a general audience don’t want to know whether a user is a child. That would introduce compliance hurdles, so such websites would prefer to remain unaware and treat all users as adults when it comes to handling personal information.
  • Devices such as game consoles or phones often already know the age of a user, e.g. via parental controls, but that should not be visible to every website the user visits. We’re trying to limit data sharing, not increase it.
  • Users shouldn’t be forced to tell websites how old they are. Not only is this a cumbersome user experience that normalises the sharing of personal information, users may not be 100% truthful. 😲

To summarise: How can a website protect a child’s data without knowing whether a user is a child?

This is where Robin Berjon comes in. He’s covered the above points in more detail in his post “A Signal for Child Privacy” and proposed a solution using a signal that already exists – Global Privacy Control (GPC). [1]

Robin’s proposal is pleasantly simple. If a device or browser knows that the user is a child, it should enable GPC and hide the setting from the user, i.e. GPC can’t be disabled. For everyone else, GPC can be displayed and enabled/disabled by the user.

Flow chart showing proposed client behaviour.
If user is a child, enable GPC and don't show GPC setting.
If user is not a child, show GPC setting and let user decide whether to enable or disable.

This seems to me like a practical solution that could be implemented today. The benefits are:

  • Parents and guardians don’t need to do anything – it’s all governed by the device/browser account.
  • By respecting GPC, websites don’t need to worry about the age of users when it comes to processing personal information.

The downside is that effort is needed from client builders, and my concern is how to encourage them to implement it. There would be respect from privacy-aware consumers, but is that enough of an incentive? Would it need pressure from corporate partners or even regulation?

“I do think that this should be expected from clients at a regulatory level” says Robin, pointing to his 2021 paper “The Fiduciary Duties of User Agents” as a potential starting point for discussions with regulators.

Whatever the best adoption method is, the idea itself seems so full of potential I’d love to see more awareness and discussion. Has anything been overlooked? What would the next step be? What could help this become widely adopted?

[1] Global Privacy Control (GPC) is a setting in some browsers and extensions that tells websites you don’t want your personal information to be sold or shared. In some jurisdictions this preference is enforced by privacy laws. For example, GPC is a valid “Do Not Sell My Personal Information” signal according to the California Consumer Privacy Act (CCPA), and earlier this year (2022) retailer Sephora paid the state of California a $1.2M penalty for not respecting when users had enabled the GPC signal. In other words, GPC has teeth.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s