Recent data breaches and hacks have prompted many of us to limit the personal information we put online.
But what about our kids?
Digital advertising aimed at children is now a billion-dollar industry and growing rapidly, but unlike the US, Australia has no child-specific laws governing how their data is captured and stored.
Dylan Collins is the CEO of kids digital media company SuperAwesome and is one of the world’s leading commenters on child data protection.
He walks us through this issue and why he fears a “digital 9/11-type event” for child data.
What’s going on here?
Over the past decade, the number of children going online has exploded.
SuperAwesome estimates that globally, children account for as many as 100,000 new internet users every day and spend more than 21 hours a week online.
Mr Collins said the rapid uptake presented significant issues.
“They’re interacting with things like YouTube, Facebook, all the various other social networks which were originally designed for adults and which were originally designed to capture a huge amount of personal data and personal information,” he said.
“What’s happening is they’re unwittingly capturing huge, vast amounts of data on children around the world.”
What is being captured?
A lot of personal information.
Mr Collins estimates that by the time the average child turns 13 online advertisers and marketers have captured more than 72 million bits of data.
They do this using “cookies”, which can track everything from the type of content the child is watching, to where they are, and what device they’re using.
“Over time this builds up into a huge profile that can be used to identify the child on the internet,” Mr Collins said.
Why is this data being captured?
In some cases it’s unwittingly, as sites like YouTube and Facebook can’t always distinguish between adult and child users, Mr Collins said.
In other cases, it’s all about advertising.
A 2017 report by PwC found the global kids digital ad market will hit $US1.2 billion by 2019.
It also found the under-13 digital media market was experiencing 25 per cent year-on-year growth.
“Typically with an adult, when you log into Facebook this information is being shared with hundreds of companies behind the scenes that you don’t know about,” Mr Collins said.
“You think about the same thing with children and you’ve got personal data on seven-year-olds and eight-year-olds and nine-year-olds being shared in all sorts of places that no-one has any visibility on.”
What is the fear?
Aside from how advertisers might target kids, the key fear is this data will get leaked or misused.
In April it was revealed 87 million Facebook users worldwide — and more than 300,000 in Australia — had their personal information exposed in the Cambridge Analytica privacy scandal.
“This stuff gets out and it gets out easily,” he said.
“We’re looking at a possible digital 9/11-type event around children’s data.
“It’s just inevitable something bad is going to happen here, which we have already seen on the adult side with things like Cambridge Analytica.”
What is being done?
The US has legislation specifically designed to regulate the collection of child data, and European laws have recently been expanded to provide greater protection for kids.
In the US, the Children’s Online Privacy Protection Rule (COPPA) states:
COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
In the EU, an expansion of the existing General Data Protection Regulation came into effect just last month, requiring parental consent for the collection of certain data for kids under 16.
In Australia, children are covered by the Privacy Act 1988 — which applies to people of all ages — rather than any child-specific regulation.
When it comes to children and their capacity to consent to the collection of sensitive personal information — like political, religious or philosophical beliefs — the Office of the Australian Information Commissioner has guidelines, which state:
As a general principle, an individual under the age of 18 has capacity to consent when they have sufficient understanding and maturity to understand what is being proposed. In some circumstances, it may be appropriate for a parent or guardian to consent on behalf of a young person, for example, if the child is young or lacks the maturity or understanding to do so themselves … An individual aged under 15 is presumed not to have capacity to consent.
Mr Collins said he expected Australia to follow the lead of the US and EU with child-specific, data-collection regulations.
“They’re setting a global standard, so I think Australia will be very, very soon,” he said.