
Children’s Privacy: Trends in Europe, the United States and Canada

As children increasingly participate online and at earlier ages, lawmakers around the world are passing legislation to bolster children’s privacy to varying degrees. This article contains a comparative analysis of some of these laws, highlighting trends in children’s privacy, which include:

  • Children’s personal information is increasingly seen as particularly sensitive and deserving of heightened protections; 

  • Lawmakers are concerned with ensuring organizations obtain valid consent for the collection, use and disclosure of children’s personal information;

  • Organizations collecting, using or disclosing children’s personal information should expect to face heightened reporting and administrative requirements (now and in the future);

  • Organizations must ensure automatically high default privacy settings for children; and

  • Violation of children’s privacy is likely to attract more regulator attention and significant penalties.

 

Europe

The European Union’s overarching General Data Protection Regulation (the “GDPR”) recognizes that children’s personal data should be afforded special protections because they may be less aware of the risks and consequences of data sharing. The GDPR particularly focuses on required consent from young data subjects for the processing of their personal data. The GDPR sets the age of consent at 16 years but allows individual member states to lower it to a minimum of 13 years old, a liberty that certain countries have taken. Article 8 states that a child’s consent is only valid if the holder of parental responsibility also gives consent, with Article 8(2) requiring reasonable effort on the part of the service provider to verify that the parent has given consent.

Regulators under the GDPR have shown that children’s privacy is taken seriously and that they will not shy away from issuing significant fines. The second largest-ever fine under the GDPR was issued in September 2022 for a violation of children’s privacy.

In addition to the GDPR, the Digital Services Act (the “DSA”) has been in force since November 2022. The DSA applies to “digital services”, meaning that it can be applied to a broad range of online services, from simple websites to internet infrastructure services and online platforms. The DSA bans platforms from delivering targeted advertisements to recipients when the platform is aware with reasonable certainty that the recipient of the service is a child. However, in adhering to this rule, the platform should abide by the principle of data minimization – meaning the rule should not incentivize providers of online platforms to collect the age of the recipient of the service prior to their use.

In the UK, the Age Appropriate Design Code (the “Code”) applies to a wide range of online services such as apps, games, connected toys and devices, and news services. Products and services within the scope of the Code must consider the privacy and protection of children, by design and default. If there is a conflict between the interests of the service and the child, the child’s best interest must be paramount.

 

United States

Children’s privacy in the US is governed by the Children’s Online Privacy Protection Act (“COPPA”). Enacted in 1998, it applies to websites and online services directed at children under 13 years of age. Factors that are considered when determining if a website or service is directed to children include its “visual content”, “presence of child celebrities”, and “music or other audio content”. Businesses that fall within the scope of COPPA are required to provide a clear and comprehensive privacy policy, direct notice of information practices to parents before collection of children’s data, and to ensure that the parent’s “verifiable” consent has been obtained. Parents have ongoing rights to review personal information collected about their child, revoke consent, and delete the child’s data. Businesses within COPPA’s regulatory ambit are not only responsible for their own compliance but are responsible for their vendors’ compliance as well.

Like their European counterparts, regulators in the United States have also demonstrated a willingness to issue significant fines for violations of children’s privacy rules. In 2019, the Federal Trade Commission and the New York Attorney General issued a $170 million civil penalty for violations of COPPA. Specifically, it was alleged that the online service illegally collected personal information from children without their parents’ consent.

At the state level, lawmakers in California have passed into law the California Age-Appropriate Design Code Act (the “CAADCA”), taking effect July 1, 2024. The CAADCA applies to for-profit businesses that "provide an online service, product, or feature likely to be accessed by children" who are under the age of 18. The CAADCA creates several regulatory responsibilities for businesses that fall within its ambit. It introduces periodic reporting requirements and measures that companies must apply to enhance children’s privacy. Such measures include automatically configuring a high setting of privacy for children, clearly providing a privacy policy, and notifications if the child’s activity is being monitored. In addition to the added responsibility for covered businesses, the CAADCA restricts actions that can be taken, including using children’s personal information in a way that is detrimental to the child’s health and well-being, and retaining more information than necessary.

In 2023, Utah became the first state to enact laws limiting how children can use social media. While these two bills, collectively known as the Social Media Regulation Act (SMRA), are not directly aimed at protecting privacy, they do have important privacy implications. The SMRA requires social media companies to obtain parental consent for any user under the age of 18. Enhanced privacy protections must then be put in place, for example, restricting the collection and sharing of personal information. However, the child’s privacy is also stripped away as social media companies must provide parents with access to the content and interactions of their child’s account. Infringements of the SMRA can result in injunctions and civil penalties against social media companies. In addition, the legislation authorizes individuals to sue social media companies for damages in the event that harm has been caused by SMRA violations.

The SMRA takes effect on March 1, 2024. Going forward, other states such as Arkansas, Texas, Ohio, Louisiana and New Jersey are also looking to pass legislation targeting social media companies, with similarly significant privacy implications for children.

 

Canada

Unlike its American and European counterparts, Canada does not currently have laws in force that are expressly dedicated to children’s privacy. While the Personal Information Protection and Electronic Documents Act (“PIPEDA”) does not differentiate between adults and youth, the Office of the Privacy Commissioner of Canada (the “OPC”) has consistently viewed personal information relating to youth and children as being particularly sensitive and as information that must be handled accordingly. The OPC has also taken the position that in all but exceptional cases, parental consent must be obtained for the collection, use and disclosure of the personal information of children under the age of 13. In addition, Canada has signed and ratified the UN Convention on the Rights of the Child, which protects children’s right to privacy.

There is, however, proposed legislation aimed at bolstering children’s privacy: Bill C-27’s Consumer Privacy Protection Act (the “Bill”). The Bill introduces new protections for children by requiring a higher standard of diligence and protection in respect to the collection and processing of their personal information. A child’s personal information would be the only prescribed category of “sensitive” information, meaning that it would always attract heightened protections, positive obligations for deletion, and a (likely) requirement for express consent for its collection, use or disclosure.

While no fines for violation of children’s privacy have been issued under PIPEDA, if the Bill is enacted, it will give the OPC the power to issue fines in this regard. There is an expectation that the OPC will be particularly interested in fines where children’s personal information is at issue given that it is the only prescribed category of sensitive information.
