IS GOOGLE COLLECTING DATA OF MINORS UNLAWFULLY?

INTRODUCTION

The Campaign for a Commercial-Free Childhood (CCFC) and the Center for Digital Democracy (CDD) cited reports from three separate research groups that concluded Google Play Store apps aimed at children quietly transmitted data about individual users to other companies. These advocacy groups on Wednesday called on the US Federal Trade Commission (FTC) to investigate whether apps that Google’s Play Store labels as Teacher approved are unlawfully collecting personal data without parental consent to target ads at children.[1]

WHAT THE ADVOCACY GROUPS HAVE TO SAY

The Campaign for a Commercial-Free Childhood (CCFC) and the Center for Digital Democracy (CDD), which have helped spur FTC action before, cited among other evidence reports from three separate research groups since last June that concluded Play Store apps aimed at children quietly transmitted data about individual users to other companies.[2]

WHAT GOOGLE HAS TO SAY

Google said in response to Wednesday’s complaint that its app store is “committed to providing a positive and safe environment for children and families” and that it “will continue to make the protection of children on our platform a priority”.

THE GENERAL DATA PROTECTION REGULATION (GDPR)

The GDPR[3] protects the data of all Europeans by making demands that all sites that accept visitors/customers from European citizens/residents publish and follow a transparent Privacy Policy. We covered the full GDPR requirements in-depth elsewhere. What’s important here is what the GDPR says about data subjects who are also minors under 18.

[1] Anonymous, Google’s ‘Teacher approved’ apps mislead on kids’ privacy: Activists tell FTC, HINDUSTAN TIMES, (April 2^nd , 2021 , 10:30 am) https://tech.hindustantimes.com/tech/news/googles-teacher-approved-apps-mislead-on-kids-privacy-activists-tell-ftc-71617282337953.html

[2] Paresh Dave, Google’s ‘Teacher approved’ apps mislead on kids’ privacy, activists tell FTC, THOMSON REUTERS, (April 2^nd, 2021, 10:30 am) https://www.reuters.com/article/us-alphabet-google-privacy/googles-teacher-approved-apps-mislead-on-kids-privacy-activists-tell-ftc-idUSKBN2BN0DY

[3] General Data Protection Regulations, European Union, 2016

Anonymous, Google’s ‘Teacher approved’ apps mislead on kids’ privacy: Activists tell FTC, HINDUSTAN TIMES, (April 2^nd , 2021 , 10:30 am) https://tech.hindustantimes.com/tech/news/googles-teacher-approved-apps-mislead-on-kids-privacy-activists-tell-ftc-71617282337953.html

[1] Paresh Dave, Google’s ‘Teacher approved’ apps mislead on kids’ privacy, activists tell FTC, THOMSON REUTERS, (April 2^nd, 2021, 10:30 am) https://www.reuters.com/article/us-alphabet-google-privacy/googles-teacher-approved-apps-mislead-on-kids-privacy-activists-tell-ftc-idUSKBN2BN0DY

[1] General Data Protection Regulations, European Union, 2016

The GDPR sets a general age of consent at 16, which means you can’t legally process the data of a data subject 15 years-old or younger.

THE CHILDREN’S ONLINE PRIVACY PROTECTION ACT (COPPA)

COPPA[1] differs from the GDPR in two critical ways: It only impacts children in the U.S. and it only protects the privacy of children under 13 years old.

MINOR DATA PROTECTION LAWS IN INDIA

Rule 4 of the IT Rules[2] requires body corporate to put up privacy policies for collection and disclosure of personal information. As of now, there is no legislation covering children’s data privacy online, but the Personal Data Protection Bill[3] may turn the tables around.

Chapter IV of the PDP Bill deals with the personal data and sensitive personal data of children.  It provides for a broad requirement that data fiduciaries must process personal data of children in a manner that protects the child’s rights, and is in the best interests of the child[4].

The PDP Bill considers any person below the age of 18 a child, at par with Indian laws on the age of majority, which require a person to be 18 years of age to enter contracts, vote etc. In this context, one of the areas of focus in the PDP Bill’s discussion is on children and children’s rights in the context of personal information is the issue of consent, that is, a contract between the application owner and the person providing the consent, which is based on trust and is a fiduciary relationship.

WHAT HAPPENS WHEN CHILDREN WANT TO ACCESS ONLINE SERVICES

The app must first verify or confirm the age of the child, to ensure that the consent has been obtained from the parent or the guardian. The PDP Bill, however does not explain in the process in which it must be done, except for saying that the government would provide

[1] The  Children’s Online Privacy Protection Act, United States Federal Law, 1998

[2] Regulation 4, Information Technology (Reasonable Security and Procedures and Sensitive Personal Data or Information) Rules, 2011

[3] The Personal Data Protection Bill, 2019

[4] § 16(1) , The Personal Data Protection Bill, 2019

[1] The  Children’s Online Privacy Protection Act, United States Federal Law, 1998

[1] Regulation 4, Information Technology (Reasonable Security and Procedures and Sensitive Personal Data or Information) Rules, 2011

[1] The Personal Data Protection Bill, 2019

[1] § 16(1) , The Personal Data Protection Bill, 2019

regulations on how the age verification would be undertaken.[1] In prescribing these age verification mechanisms, a number of criteria will be taken into consideration:

• The volume of personal data processed, how much of that personal data is likely to be that of a child
• Whether it is possible that there will be any harm to the child from the processing of such personal data.
• Regulations will also classify data fiduciaries that operate commercial websites or online services directed at children, or process large volumes of personal data of children, to be ‘guardian data fiduciaries’.

THE ROAD AHEAD AND WHY APPS MUST CONSIDER MINORS DATA PROTECTION IN THEIR PRIVACY POLICIES

In the future, which is extremely technology driven, most of the education is said to be online. Especially considering the boom in the Ed-Tech sector, where the primary consumers are minors, government make stricter policies in this regard and application companies also take proper cautions and measures to prohibit data breaches, especially since this data would be of minors. Not having, proper privacy policies in place would in fact prove to be counter-productive to the company itself. Showing customers that their privacy is being considered seriously would only, add to the applications achievements. In this age of technology, the consumers can not be easily fooled, especially after people have been reading about the data breaches of different applications and the controversies surrounding Whatsapp and Facebook.

[1] Smitha Krishna Prasad, Personal Data Protection Bill, 2019: Protecting Children’s Data Online, MEDIANAMA, (April 2^nd , 2021 , 10:30 am) https://www.medianama.com/2020/01/223-pdp-bill-2019-children-protection/

[1] Smitha Krishna Prasad, Personal Data Protection Bill, 2019: Protecting Children’s Data Online, MEDIANAMA, (April 2^nd , 2021 , 10:30 am) https://www.medianama.com/2020/01/223-pdp-bill-2019-children-protection/