The privacy of children – significant changes proposed

In the third article in our series on the Attorney-General's Privacy Act Review Report, we continue to outline the effects these changes will have on the Australian people and its businesses

Following on from our previous articles with respect to the Attorney General’s Privacy Act Review Report (Report) (see Article 1 and Article 2) this article addresses the significant proposals of the Report around establishing a new regime for children’s privacy.

Children’s privacy has been a difficult area in Australian privacy law for some time due, in large part, to both (i) a lack of detail in the Privacy Act and APPs themselves and (ii) the pervasiveness of US providers in the digital economy who follow COPPA (the US Children's Online Privacy Protection Act) under which the age a child can consent for privacy purposes is 13 years old. The key proposals of the Report in relation to the privacy of children are:

• Define a child in the Privacy Act as an individual under 18 years of age
   
• When one cannot assess the capacity of a child, enshrine the OAIC’s existing guidance that an individual over the age of 15 has capacity as regards privacy consent, subject to any indications to the contrary of lack of capacity
   
• For online services (and otherwise where privacy collection statements and policies are) directed to children, the relevant collection notices and privacy policies must be clear and understandable for children
   
• Businesses will be legally required to have regard to the best interests of the child as part of considering whether a collection, use or disclosure of a child's personal information is fair and reasonable in the circumstances (and if it's not fair and reasonable that collection, use or disclosure must not occur)

In addition, the Report also proposes (as part of the direct marketing, targeting and profiling proposals) to prohibit direct marketing to, targeting of and trading in the personal information of a child (with only very limited exceptions).

The Report also recommends that, like COPPA, a ‘children’s online privacy code’ (to be adopted as a mandatory code) be used to create a regime as regards children’s online privacy, enshrining certain minimum legal requirements, including the following:

• Privacy by default including having geolocation switched off
   
• Providing obvious 'signs' for children when location tracking is active
   
• A child’s personal information to only be visible or accessible to others if the child 'turns this on' in their settings to allow this
   
• Any optional uses of a child’s personal information, including uses designed to personalise the service, have to be specifically and individually selected and activated by the child (ie not bundled)
   
• Any settings which allow third parties to use that child's personal information must be activated by the child
   
• Child users should have the option to change settings permanently or just for the current use
   
• Nudge techniques to lead or encourage a child to provide unnecessary personal data or turn off privacy protections to be prohibited

In addition to simply clarifying current ‘best practice’ when it comes to dealing with children, the Report’s proposals, in effect, seek to create a set of minimum 'rules of the road' (like COPPA) which are a significant uplift (admittedly from a low base) in Australian privacy law requirements relating to children’s privacy, both generally and online. It will mean that all businesses dealing with children (whether as a large proportion of their customer base or incidentally) will need a significant uplift in their procedures, tech controls, policies and approaches to dealing with children, especially on the marketing side if the direct marketing proposals are also approved. However, we suspect the most uplift will be required for businesses who deal with children only occasionally (or incidentally) which, under current law, have tended to be overlooked/not to apply any special requirements for children using their sites or consuming their services (other than noting their site is not suitable for children).

Legislating the default of 15 years old as the age where capacity may be assumed for privacy purposes does assist to confirm current practice but, unfortunately, does not solve the problem that while a privacy consent can be given at that age, no contract (ie the online terms and conditions of use) can be agreed to by and enforced against anybody under 18 years of age in Australia. This is a missed opportunity.

Also, it still means that a significant cohort of children under 15 years of age, online especially, will need to have their privacy capacity assessed (and the proposals provide more obligations in this regard) individually or, as we suspect in practice, default to obtaining parental or guardian approval. Of course, under the proposals, once a child turns 15 then, pursuant to the children’s online privacy code, the business will need to ensure the child has the 'rights' noted above (eg to 'turn off' parental oversight of and access to their online activities). That is, the proposed changes with respect to children’s privacy will have multiple impacts at different times - at the point of onboarding, assuming they are under 15 years of age at the time and, if they are still users, once they turn 15 years of age.

Again, we suggest that businesses should consider these proposals now in order to start thinking about how you will prepare for what we expect will be a short transition period if the proposals become law. Please do not hesitate to reach out if you have any questions on or if we can be of any assistance.