At SuperAwesome, we spend a lot of time thinking about the requirements for an internet that is now used by vast numbers of children (versus it’s original design, which was solely for adults).
GDPR-K is rapidly being followed by new children’s laws in many countries that are based on the same principles — data minimisation and privacy by design.
The #kidtech movement is about eliminating (not just reducing) the risk of kids personal data collection as much as possible. Here’s why we believe that a zero-data internet is the only solution to the growing problem of kids digital privacy online.
Kids are the fastest-growing community on the internet
Every day, over 170,000 kids go online for the very first time. Based on an outdated assumption that kids rarely use digital devices, this internet was built for adults, by adults – often collecting as much data as possible. We’ve only recently started giving adults some visibility on how their data is used and shared, let alone thought about how we protect the personal data of kids.
New data privacy laws are designed to protect kids, but they need to be combined with privacy-by-design technology to be truly effective
COPPA allows publishers to collect children’s personal data so long as it is within the scope of internal operations such as analytics or personalization. GDPR-K allows data collection so long as the child is informed about the use of it, with barriers put in place in relation to the sensitivity of the intended data usage rather than the potential data usage. This legal caveats and loopholes will still leave the potential for data breaches if they’re not backed up with platforms that are specifically designed to make sure this doesn’t happen. In the current digital media ecosystem, the risk is still very real.
Want to learn more about kidtech? Check out everything on the subject on our blog, here.
The frantic pace of technological innovation means we are inadvertently creating massive personal data sets on our children
Even where the compliant storage and processing of personal data is taken very seriously, the handling of non-personal, supposedly anonymised, data is often not treated with the same rigour. This leads to an endemic problem of ‘fingerprinting’ on an industrial scale. Fingerprinting is the creation of a unique user profile from previously non-unique data attributes. It occurs naturally in any database that is connecting unique user IDs to other events. In the advertising market, many companies specialise in finding these types of databases, tying them together and generating millions upon millions of new user profiles, many of them of children.
The nature of this accidental fingerprinting process means that often, organisations will have no clue when it is happening. And in most cases, the company is likely not making use of those fingerprints themselves. It’s only once that data set leaves the company — maliciously, inadvertently or for a benevolent purpose that is later hijacked, that the dangers of this situation become clear.
The technical principle of the #kidtech movement: no more unique identifiers (even anonymous) for kids apps and sites
Rather than tying every single piece of data to a user and building regular aggregation and reporting tools on top (which leaves the individual user records bundled with a lot of data and thus vulnerable to the creation of fingerprints), we need systems that do not correlate this data with any unique records in the first place.
This may seem counterintuitive, but it is definitely possible. Most applications can be built on the basis of ‘cohorts’ of users, rather than individual users.
By not tying the unique user ID to every single event that is raised in the system, you avoid enriching that unique ID with lots of data, drastically reducing the risk of creating fingerprints. Yet, you can still benefit from a rich analysis of how users interact with your service and use that data to improve your product.
To many, the #kidtech movement may seem radical. But the direction of travel is only in one direction. Ten years from now, we’ll think it crazy that any app which could be used by children would store and transmit individual user IDs with countless behavioural data points.