Children spend more and more time online today than ever before. While parental controls are encouraged by many web browsers, it is virtually impossible to thoroughly monitor or limit children’s online activities and interactions. With the ever-increasing appeal of social networking sites and the pervasiveness of smartphones and their downloadable applications, children’s personal information is more at risk than ever.
While Canada is at the forefront of privacy protection and legislation, the protection of personal information is regulated generally, without specific regard to the protection of children’s personal information. The collection, use and disclosure of personal information is closely regulated in the private sector (by the Personal Information Protection and Electronic Documents Act (“PIPEDA”), a federal statute, and similar provincial statutes in British Columbia, Alberta and Quebec), in the public sector (by the federal Privacy Act and similar provincial statutes), and even in the health sector, where personal health information is subject to various protections. Nonetheless, Canada has not yet adopted legislation to specifically address the question of children’s privacy, whether online or otherwise.
Children, however, are most in need of protection. They are more vulnerable than adults and far less likely to read and understand privacy policies and statements. An unbounded and uninhibited sharing of personal information risks exposing children not only to identity thieves, but also to pedophiles or kidnappers, particularly where geolocation information is concerned. While children may be increasingly tech-savvy, they are not always aware of the risks associated with exchanging their personal information for access to the latest game or smartphone application.
Since as early as 2008, the Office of the Privacy Commissioner of Canada (the “OPC”) has declared children’s online privacy as a key priority. The OPC, in conjunction with Canada’s Privacy Commissioners and privacy enforcement officials, resolved to implement public education activities with a view to increasing awareness among children and young people of the privacy risks inherent to their online activities. To this end, the OPC has put together a youth presentation package about privacy and the internet to be presented to high school students, as well as funded a project by Atmosphere Industries that will deploy and study a cross-media game aimed at promoting privacy literacy skills among children ages eight and up. The OPC has also launched an annual national video competition, which encourages youth ages 12 to 18 to produce video public service announcements on the importance of privacy.
The Canadian Marketing Association, a national not-for-profit corporation that shapes marketing practices and disciplines in Canada, has also sought to protect children’s online privacy through its implementation of guidelines for marketing to children and teenagers. These guidelines prohibit the collection of personal information of children under the age of 13 and set out consent rules regarding the collection of personal information of children between the ages of 13 and 15. Specifically, marketers may not collect and use a teenager’s contact information without that teenager’s express consent. Disclosure of such contact information is subject to the express consent of the teenager’s parent or guardian. In addition, marketers must obtain the express consent of a teenager’s parent or guardian prior to collecting, using or disclosing any of that teenager’s personal information that is not contact information.
Although these guidelines are on the right track when it comes to the protection of children’s privacy, there are no serious consequences for those marketers who choose not to adhere to them. Moreover, the guidelines are specifically geared to marketers and do not tackle the practices of other types of online operators, such as those services that collect or maintain personal information from or about visitors to various websites or online services.
On September 29, 2011, amendments to PIPEDA were proposed in the House of Commons through the first reading of Bill C-12, the Safeguarding Canadians’ Personal Information Act. Bill C-12 is a reintroduction of Bill C-29, which made it to second reading by the House of Commons in 2010, but failed upon the termination of the last parliamentary session in March 2011. While Bill C-12 does not propose amendments specific to the protection of children’s personal information, clause 5 of the Bill proposes that, for the purposes of clauses 4.3 to 4.3.8 of Schedule 1 to PIPEDA, “the consent of an individual is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting.” If passed, Bill C-12 would legislate some protection over children’s personal information, as it is unlikely that a child can be said to have the capacity to understand the nature, purpose and consequences of the collection, use or disclosure of his or her personal information. To proceed to Royal Assent, Bill C-12 must pass second and third readings by the House of Commons, and then survive three readings by the Senate.
In the United States, by contrast, unfair or deceptive acts relating to the online collection of personal information of children under the age of 13 have been proscribed since 1998, through the enactment of the Children’s Online Privacy Protection Act (“COPPA” or the “Act”). COPPA sets out general provisions for website operators regarding the types of privacy policies that they may implement and the manner in which they can request, use and disclose personal information of children under 13 years of age. The term “personal information” is defined broadly in the Act as individually identifiable information collected online, that includes: a first and last name; a physical address (home or otherwise); an email address; a telephone number; a Social Security number; any other identifier that could permit the physical or online contacting of a specific individual; and any other information concerning a child or a child’s parents, that the website operator has collected in combination with other personal information. Compliance with the Act is mandatory, and COPPA grants the Federal Trade Commission (the “FTC”) the authority to adopt, realize and enforce regulations under the Act. Pursuant to its power under COPPA, the FTC issued the Children’s Online Privacy Protection Rule in 1999, a rule that gives parents control over what personal information website operators collect from children under the age of 13.
The FTC recently announced proposed amendments to this Rule. In particular, the FTC proposed updating the definition of “personal information” to include geolocation information and certain types of persistent identifiers used for functions other than the website’s internal operations, such as tracking cookies. The collection, use and disclosure of such information (when not anonymized) is notably already proscribed in Canada, where such information has previously been found to consist of “personal information.” The FTC also proposed adding new methods to obtain parental consent to the collection, use and disclosure of children’s personal information, such as electronic scans of signed parental consent forms, video-conferencing and the use of government-issued identification. These methods would seek to legitimize the parental consent process. The FTC further suggested the implementation of a requirement that would make operators responsible for the practices of the third-parties to whom they disclose children’s personal information. This proposal echoes principles that have already been set out in Canada’s PIPEDA, whereby an organization must ensure that a third-party to whom it transfers personal information has reasonable procedures in place to protect such information. Finally, the FTC proposed that an operator be imputed as collecting information from a child if it requests, prompts or encourages the child to submit his or her personal information online.
While these proposed amendments would significantly increase the online protection afforded to children under the age of 13, it begs the question as to what is being done for those children who are over the age of 13 and still vulnerable to online predatory practices.
Still, it would seem that the United States is prioritizing the protection of children’s privacy in an online context through its development of children-specific privacy legislation. It remains to be seen whether Canada will choose to follow suit.