KidAware Bulletin – September 2019

China implements stringent child data protection rules; Apple amends its revisions to kids’ developer policies; and other news.

China leaps ahead in child data privacy protections with new regulation

China’s Cyberspace Administration Office has issued new regulations to protect kids’ data privacy online, due to take effect on 1 October 2019. The Regulation on Protection of Children’s Personal Information Online puts into practice the principles of the broader Cyber Security Law (CSL) and the standards set by the Personal Information Security Standard, effective since May 2018.

Among other things the new rules:

  • apply to children under the age of 14; 
  • classify kids’ personal data as ‘sensitive information’
  • require operators to obtain consent from parents before processing such data; 
  • impose stringent security obligations (such as restricted access and encryption); 
  • require companies to appoint a kids’ personal data ‘protection officer’; and
  • oblige them to tightly control any third parties that process personal information from kids.

Note that while the various Chinese laws and regulations contain conflicting definitions of personal information, the base definition under the CSL (information “that can by itself or in combination with other information be used to identify a natural person”) mirrors that given in Article 4.1 of the GDPR, and is presumed to include unique technical identifiers (such as cookie IDs, IP addresses, device IDs) used for profiling and targeted advertising.  

This move puts China on par with the US and the EU in terms of protecting the data privacy of children. It goes one step further with the requirement for companies to appoint a person to be responsible for kids’ data privacy, an idea that is catching on with other regulators.

A number of practical questions remain, including which methods of obtaining consent are acceptable, and how much effort operators must make to verify the identity of a parent or guardian. Note that Hong Kong’s current data privacy laws don’t cover the rights of children separately, so you should assume the new China regulation covers your websites or app users in Hong Kong as well. 

China’s move caps a year of intense activity on the kids’ data privacy front in Asia.  In June, South Korea announced that from 2020, companies will have to obtain parental consent (via text, payment information or smartphone authentication) before collecting personal data from kids under 14.  And in July, The Australian Competition & Consumer Commission (ACCC) made sweeping recommendations to the government to implement a similar parental consent requirement.

Apple implements strict rules to safeguard kids’ personal data 

In early September, Apple announced via TechCrunch a revised set of rules for kids’ app developers, which implement the strictest protections yet for kids’ personal data. The amended guidelines come after a summer of consultation between Apple and the kids’ developer community on how to implement its desired objective: to eliminate all but the most necessary and safe transmission of data from kids’ apps to third parties.

The new guidelines aim to strike a balance between limiting the leakage of personal data with the need of responsible developers to monitor the performance of their apps and generate revenue from advertising. SuperAwesome are fully supportive of the new policies, which further our mission to make the internet safer for kids.

In its blog post, Apple says it will prohibit third-party analytics and advertising SDKs in apps appealing to kids, except: 

  • where no personal information, location information or device information (including IDFA), is transmitted to the third party analytics provider; and,
  • where advertising is only targeted contextually and provided by a third party that has publicly documented practices and policies to protect kids, including a process for human review of ad creatives. 

Essentially, Apple are requiring kids’ developers to work only with partners who are able to adapt or design their service to be compliant with Apple’s strict interpretation of kids’ data privacy laws like COPPA. 

In order to ensure the broadest possible coverage, Apple further specifies that the rules apply not only to apps in the Kids Category but also to “apps intended primarily for kids”. Furthermore, Apple reminds developers that they may not use terms in app metadata that tags an app as “for kids” and similar for apps that are not listed in the Kids Category. This suggests the company is stepping up enforcement against apps that market themselves to kids without complying with the Category rules, which has been a point of frustration for many responsible kids’ developers.

This is a huge step forward from Apple’s app review team, and aligns its developer policies with global data privacy laws as well as emerging best practices for kids’ app design, such as the Kidtech Standard. We believe it will reward developers who take child safety seriously, and will support the growth of a vibrant, growing ecosystem for premium kids’ content supported by dedicated kidtech.

The new rules come into for new apps immediately, and for existing apps on 3 March 2020.

In Other News

Google’s $170 million FTC settlement looks tiny, but the deal signals Silicon Valley’s urgent kids’ problem (Business Insider, 5 Sept 2019)

BI reviews the wider impact of the record COPPA fine (best legal analysis from IAPP and Hunton Andrews Kurth). Our CEO Dylan Collins talks about how this is further spurring investment in kidtech—infrastructure to underpin a safer internet for kids. With growing media coverage of other tech platforms’ kids audiences and concerns about lax disclosure by YouTube influencers with young audiences, the key question is where the FTC and the U.S. state attorneys general will turn their attention next. Meanwhile, the technology press is keeping an eye on the impact of changes YouTube is making to comply with the FTC ruling and how it will affect kids content creators in particular. 

Irish Privacy Regulator Eyes Online Use of Kids’ Data (Bloomberg Law, 6 Sept 2019)

Bloomberg Law reports that Ireland DPC Helen Dixon is considering investigating online platforms’ handling of kids’ data. This matters because Ireland is the legal home for the EU operations of some of the largest online platforms, including Facebook and Google. Dixon has already opened dozens of investigations into potential GDPR breaches by large tech companies. In September the DPC published an initial report based on its ongoing consultation on the data privacy rights of children under GDPR, which is expected to lead to more detailed guidance later this year.

Group Behind California Privacy Law Aims to Strengthen It (The New York Times, 24 Sept 2019)

The privately funded non-profit that surprised industry by getting the state government to pass a sweeping data privacy law earlier this year is now campaigning to go further—requiring California to create a data privacy protection agency, among other amendments. This is just as coverage of the CCPA reaches fever pitch with the implementation deadline of 1 Jan 2020 looming. Under the law, the personal data of minors aged 13-16 may only be collected with express, opt-in consent, effectively building on COPPA by creating a new category of young users above the parental consent threshold of 13. California isn’t the only state crafting new data privacy laws.  AdExchanger lists out more than a dozen such efforts across the U.S.

Video game loot boxes should be classed as gambling, says Commons (The Guardian, 12 Sept 2019)

The Guardian reports on the recommendations of an in-depth ministerial report on Immersive and Addictive Technologies, published by the UK government following months of hearings with representatives of leading games companies, including Epic Games, King and Jagex, as well as tech platforms Facebook, Snapchat and Instagram. The complete report goes well beyond loot boxes, and calls for investment in better age verification technologies; heavily criticizes games makers for using addiction mechanics to extend engagement; and recommends that eSports be covered by the Age-Appropriate Design Code regulation, among other things.

Half of eight-year-olds are signed up to social media using false age (The Independent, 10 Sept 2019)

The Irish Independent reports on the results of a national survey showing that half of 8-year-olds and two-thirds of 11-year-olds lied about their age to gain access to popular social media platforms. It also cites a separate study concluding that the 10 most popular such sites do not take effective measures to enforce their age restrictions despite the GDPR’s requirement they do so. “To access any platform, all you have to do is say you are 16, and this is taken at face value,” according to CyberSafeIreland CEO Alex Cooney.

Children’s expectations regarding fair treatment of their personal data: what policy makers should know (LSE blog, 27 Aug 2019)

The London School of Economics team of kids data privacy researchers—Mariya Stoilova, Prof. Sonia Livingstone and Rishita Nandagiri—publish their findings and recommendations on kids’ own perceptions of their data privacy. It is a commonly voiced complaint that regulators and politicians do not take into account the views of actual consumers when designing new data privacy protections, especially when those consumers are children. This team’s report aims to change that by drawing from in-depth primary research including interviews with over 135 children. The LSE also published an online toolkit that enables young people to understand their digital data privacy via an interactive game.