Robin Berjon

Some actual knowledge

A Signal for Child Privacy

We are traversing a (much-needed) period of increasing child privacy regulation. We have child-specific guidance for the GDPR, renewed interest in COPPA and the slew of US state student privacy laws, child-oriented provisions in the CCPA and CPRA, California’s age-appropriate design law, and forthcoming additions such as New York State’s “New York Child Privacy and Protection Act.” And those are only the ones I happen to think of off the top of my head; there are many more.

For child-directed services, the situation is often relatively clear: you have to treat your users as children, with privacy safeguards to match. But the question is somewhat more complex for services aimed at broad audiences: we would still like children to have their rights respected when using those.

The difficulty in doing this well resides in knowing that the user is a child. You have several options, none of which are much good:

What we want is a system that automatically triggers child privacy protections, without a user interface, but that also doesn’t reveal that a person is a child. Is that even possible? Yes, we can use the Spartacus method. Basically, you want to align the privacy rights of children with the privacy rights of any person who is using the Global Privacy Control, or GPC, signal (e.g. no sale of the data and no use of sensitive data, and there is no reason to believe that this couldn’t work just as well under the GDPR). Note that these privacy rights can be understood broadly, for instance to include excessive engagement drivers or unfair nudging methods.

You then turn on GPC by default for children, ideally using knowledge that sits at the OS or, more generally, the user agent level, thereby signaling that the corresponding rights must be afforded. This creates a system in which children benefit from much broader privacy protections but are hidden in a wider group (of privacy-conscious adults) such that no one can tell that they are children.

As part of this arrangement, it is important that services not use the GPC for other types of age gating (e.g. porn, alcohol), as that would constitute a loss of service that would violate the rights of the adults in the set.

This approach is simple to specify and simple for businesses to implement, especially since it aligns with compliance requirements that many of them already operate under.
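
How a service might honor this arrangement on the server, as an added example that is not code from the original post: it reads the `Sec-GPC: 1` request header defined by the GPC specification, applies the protections listed above, and keeps age gating independent of the signal. The policy field names, the `decide` function and the `ageVerified` input are hypothetical.

```javascript
// Added example, not from the original post. Policy field names and the
// ageVerified input are hypothetical; only Sec-GPC comes from the GPC spec.
const FULL_PROCESSING = Object.freeze({
  sellOrShareData: true,
  useSensitiveData: true,
  engagementNudges: true,
});
const GPC_PROTECTED = Object.freeze({
  sellOrShareData: false,
  useSensitiveData: false,
  engagementNudges: false,
});

// HTTP header names are case-insensitive; the preference is expressed only
// when the value is exactly "1". Anything else means "no signal".
function hasGpc(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Decide how to treat one request. ageVerified comes from a separate age
// verification flow (assumed here) and is the only input to age gating.
function decide(headers, ageVerified) {
  const gpc = hasGpc(headers);
  return {
    policy: gpc ? GPC_PROTECTED : FULL_PROCESSING,
    // GPC is deliberately not consulted: adults sending it keep full service.
    ageRestrictedAllowed: ageVerified === true,
    // The response differs by signal, so shared caches must key on it.
    responseHeaders: { Vary: 'Sec-GPC' },
    // Record only that the signal was honored; never derive an age or
    // "likely child" attribute from it, which would undo the anonymity set.
    auditRecord: { gpcHonored: gpc },
  };
}

// Constructed sample requests.
const samples = [
  [{ 'Sec-GPC': '1' }, true],
  [{ 'sec-gpc': '1' }, false],
  [{ 'Sec-GPC': '0' }, true],
  [{}, false],
];
for (const [headers, ageVerified] of samples) {
  console.log(JSON.stringify(headers), JSON.stringify(decide(headers, ageVerified)));
}
```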