Why should we care (more) about children’s online privacy? Part 1

In this first post in a series on children’s online privacy, we start by looking at the laws protecting information privacy in Australia and asking whether better protections are particularly needed for children.

Parents say they care about their children’s privacy more than their own and are uncomfortable with businesses tracking the location of a child or selling personal information to third parties (Australian Attitudes to Privacy survey). Given recent high profile data breaches (e.g. Optus data breach 2022), there are good reasons for us all to be concerned about the ways our personal information is being collected, stored and managed. 

Firstly, what is privacy?

While a right to privacy is enshrined in various international agreements, including the Convention on the Rights of the Child, none of these clearly defines ‘privacy’. Instead, a number of different but sometimes overlapping ‘domains’ of privacy have been identified (see ALRC Report). These relate to different areas of our lives, such as our homes and other spaces, our bodies, our communication and our information.

In fact, many people are surprised to learn that there is no general right to privacy in Australia and the ability to sue another for invasion of privacy is not established in Australian law. So, despite a right to privacy being enshrined in various international instruments, without national human rights legislation, a broad ‘right to privacy’ for Australians remains aspirational.

But we do have limited protections for certain aspects of privacy – and information privacy is one.

Information privacy in Australia

Information privacy is about how our personal information, or data, is collected, used and stored. Nationally, protection of our personal information is mainly governed by the Privacy Act 1988. However, the Act does not give individuals the right to take action directly against an entity that has interfered with their privacy. Other things you might be surprised to learn about the Privacy Act 1988 are:

• Most small businesses are not bound by the Act.
• Individuals acting in a personal capacity (e.g. other parents posting about your child) are not covered. 
• The Act allows businesses to collect and use sensitive personal information (e.g. information about health and ethnicity) with consent. Where a business collects and uses personal information that is not sensitive (see definition here) consent is not always necessary.
• The Act does not give us a general right to request the deletion of our data, unlike the right that exists in the United Kingdom and the EU due to the General Data Protection Regulation (GDPR), for example.

What about children?

The Privacy Act 1988 does not contain additional protections for children, even though, in the words of UNICEF, children are “more vulnerable than adults and less able to understand the long-term implications of consenting to their data collection.” Children are also vulnerable because of how much time they spend online and the data trails they build up over a lifetime. To get an idea of how much data you leave online, visit Justdelete.me or your Google advertising profile.

While collecting and using children’s data is not new, digital services have created new ways to commodify and commercialise digital data. It is now possible to connect vast datasets and create algorithms that track, profile and target children. Consider the recent report from Human Rights Watch which found that 89% of 164 educational technologies reviewed “appeared to engage in data practices that put children’s rights at risk, contributed to undermining them, or actively infringed them. ”

At the same time “opportunities provided by the digital environment play an increasingly crucial role in children’s development and may be vital for children’s life and survival” (UN Committee on the Rights of the Child).

The question then is: how do we best protect children within the digital environment, not from it?

In the UK, a statutory code of practice, the Age Appropriate Design Code (the Children’s Code) seeks to put children’s best interests first and clearly set out practices that should be avoided. We recently hosted a seminar about the Children’s code, which you can watch here.

In Australia, the previous federal government proposed to update the Privacy Act 1988. Potential changes could require organisations to gain the consent of a parent or guardian before collecting, using or disclosing the personal information of a child under 16. Other potential changes would require all organisations to ensure that the collection, use and disclosure of a child’s information is reasonable in the circumstances. The Centre made submissions to the part of this review focused on a draft Online Privacy Bill, which mainly affects social media organisations and large online platforms. We recommended that protections for children should be strengthened, but that the age at which a child can give consent to the use of their own data be lowered, so as to not unnecessarily impact on the social and creative opportunities of children online.

With a change in government, we eagerly await the next steps. Ideally, stronger protection for children’s privacy online will apply sector-wide, and not only to social media organisations.

The next post in this series will consider some practical steps that parents, advocates, developers and policy-makers can take to better protect children’s privacy online while we’re waiting for the government to act on legal protections.