Cookies, Consent & Children Prove a Challenge
Consent is fast becoming a dirty word in the digital world. Online operators are struggling to meet the demands of the ePrivacy Directive, the Transparency and Consent Framework (TCF 2.0) and AppTrackingTransparency in iOS14 while end users are overcome with consent fatigue. In the children’s space, online operators are accustomed to obtaining consent from parents, but today these operators face the challenge of also aligning the various demands of cookie consent and tracking opt-in and opt-outs. It’s a cookie conundrum and tracking is tricky territory. Cookie consent banners and industry frameworks fail to take into account the need for parental consent in a child directed service where no parent maybe present.
To add to this confusion, the age of consent differs around the world. One of the objectives of the General Data Protection Act, (GDPR) was to harmonize data privacy protections across the 27 EU member states. However, each one can choose a different age of consent as low as 13 and as high as 16, so no harmony on that front (see PRIVO's GDPR Age of Consent Map). In the US, the Children’s Online Privacy Protection Act (COPPA) requires parent consent for the collection and use personal information from children 12 and under, with no protection for teens. So again, no harmony to support alignment in dealing with child data.
There’s also the issue of the ePrivacy Directive requirement to gain consent for cookies when a user lands on a website. Consent is required for any non-necessary cookies including analytics. Analytics may not be directly necessary to deliver the service but gathering analytics data is a key to improving the service and building a better user experience. It’s a benefit to the user that does not pose a risk if the analytics data is used for first party purposes only. Under COPPA there is an exception for support for internal operations. However, the directive, which will become a regulation and align with the GDPR, does not allow for such analytics without consent. The GDPR requires consent from the holder of parental responsibility but the user here is a child and likely no parent is present on a child directed site. Consequently, analytics cookies have to be off by default, and if the child agrees to these cookies the consent is not valid. If they don’t agree, the site cannot make informed improvements to the experience for the child or understand its business.
Profiling of children for interest-based advertising is widely and rightly considered a no go area under the GDPR and UK’s Information Commissioner’s (ICO) Children’s Code which comes into force in four months’ time. However, contextual advertising, with no tracking or profile building, poses a low risk to a child and is a revenue stream for many online services, without which they could not provide experiences for children. The TCF requires opt in consent even to contextual ads. But if the service is child-directed the child should not be required to consent to something they have little understanding of. If the child does not opt in then no contextual ads can be delivered, revenue is diminished, and the services likely won’t be maintained or will need to be paid for by the parent.
Each of these scenarios demonstrate the inconsistency and lack of harmony that operators of online services face when trying to bring privacy enhanced experiences to children.
Children’s privacy has been on the fringes of the bigger debates around data protection in the online world. It’s now moving into the spotlight. During the coming months, the European Data Protection Board is due to release its guidance on child privacy protection, the COPPA Rule Review will be published by the Federal Trace Commission, Brazil’s LGDP will come into force and the Irish Data Protection Commission is reviewing comments on its consultation on children’s privacy protections, The Fundamentals. The online world is one big digital environment and children should be able to access rather than be denied at the door because operators are struggling to align regulatory requirements. Therefore, the regulators and powerful app platforms, Android and iOS, must consider children at every step of the way. At the same time, they must support industry to navigate the complexities of consent and the implications of requirements that may prove unworkable for some of the valuable online services that young people benefit from.
About the authors
Claire Quinn, CPO is the Chief Privacy Officer at PRIVO.
Celeste Rollason is the Third-Party Program Manager at PRIVO.