The Attorney-General’s review proposed changes to children’s privacy: no longer child’s play!

Alec Christie CLYDE & CO

After a long time in hibernation (ie since the Children’s Online Privacy Protection Act (US) (COPPA) was passed in 1998), children’s privacy in relation to online activities and social media has re-emerged as a significant issue. This has been fuelled by the recent announcement of the UK privacy regulator that they are investigating (and will likely take action) against TikTok for infringing children’s privacy. Of course, the expectation is that they will not be the last privacy regulator globally to consider TikTok’s processing of children’s personal information nor will TikTok be the last social media company to be scrutinised for their handling of children’s personal information.

What came out of the Attorney General’s review of the Privacy Act? How are children currently protected, and what are the recommendations that have been made? What does this mean for digital organisations, and what protections should be put in place to mitigate risks against these potential changes?

This article comes from the experts behind the Privacy Law Bulletin. This is written by expert lawyers, academics, and legal experts covering the rapidly changing legal landscape around privacy laws and cases which continue to shape Australia's privacy framework.

Subscribers to the Privacy Law Bulletin can read the full bulletin article HERE.

Now that the public consultation has closed, we are all eagerly awaiting the government’s response to the Attorney-General’s Privacy Act Review (Report) and its 116 proposals for significant changes to the privacy law. There is also some trepidation as to what the government will accept and enact given the Report’s stated goal of the proposals to “align” Australian privacy law much more closely with EU’s General Data Protection Regulation (GDPR) in practice as well as in principle. At a high level, the Report’s proposals generally either seek to:

• address a perceived prevailing uncertainty or misunderstanding of the meaning or application of the existing Australian Privacy Principles (APPs) or concepts (with a GDPR emphasis) or
• as is the case with children’s privacy, create a significantly uplifted (if not wholly new) GDPR-like concept, obligation or regime within the Privacy Act 1988 (Cth) or by parallel legislation

However, it is not just high-profile social media companies and children’s online ecosystems that will be subject to the substantially changed children’s privacy requirements, should the proposals become law. The Report’s proposals will apply significant children’s privacy obligations across all organisations (including schools subject to the Federal Privacy Act) and federal government agencies, irrespective of whether or not they are online, are largely or only incidentally used by children, target children or only occasionally deal with children’s personal information. For example, gig economy food deliveries and online event ticketing agencies (and other similar digital economy businesses) are likely to be unknowingly collecting, using and disclosing significant amounts of children’s (ie individuals under 18 years old) personal information under the mistaken belief that by saying their sites are only for use by adults they somehow get a free pass as regards children’s privacy.

All businesses that process children’s personal information and their privacy advisors should now be considering how best to protect children’s privacy and implement relevant measures under the current Privacy Act/APPs and how best to prepare for the new children’s privacy regime to be ushered in if the proposals are enacted.

The current state of children’s privacy

Children’s privacy has been a difficult area in Australian privacy for some time due, in large part, to both:

• a lack of specific requirements in the Privacy Act and APPs and
• the all-pervasive US social media and online children’s ecosystem providers in the digital economy to which the COPPA applies

Under COPPA, the age from which a child can “consent” for privacy purposes is 13 years old. This has significantly skewed the understanding in Australia (and globally) as to both the obligations that apply in Australia with respect to children’s privacy and the age at which a child can “consent” in a privacy context.

In practice, it is usually businesses outside of social media and online activities/ecosystems for children that do not, often through ignorance, adequately address children’s privacy. In no small part, this is due to a lack of clear obligations under the Privacy Act specifically relevant to children and the difficulty of adapting the existing adult-focused APPs to meet children’s privacy requirements. If the proposals are enacted, however, it will likely be these businesses which will have the furthest to travel to meet the “quantum leap” from doing nothing to having to implement a significant and substantial children’s privacy regime both protecting children’s personal information and giving them substantial rights as regards their personal information.

Also, even for those that follow the Australian practice of 15 years of age as the age for privacy capacity, there is a mistaken belief that this age must therefore also be the age at which children can agree to terms and conditions (T&Cs) online (ie agree to be bound by that contract). This, of course, is not correct: only a person of at least 18 years of age can form a binding contract (and this includes accepting the online T&Cs).

The proposals

The proposals (once enacted) will apply not only to the typical children-focused (and usually online) activities and social media but will also impact a range of traditional and digital/online businesses which, even though not focused on children, incidentally process children’s personal information. The key proposals of the Report in relation to the privacy of children are:

• defining a child in the Privacy Act as an individual under 18 years of age
• when a business cannot individually assess the capacity of a child, enshrine in law the Office of the Australian Information Commissioner’s existing guidance that a child of 15 years of age or over has the capacity as regards privacy consent, subject to any indications to the contrary as to their lack of capacity
• for online services (and otherwise where privacy collection statements and policies are) directed to children, the relevant collection notices and privacy policies must be clear and understandable for children (not just plain English)
• businesses will be legally required to have regard for the best interests of the child as part of considering whether a collection, use or disclosure of a child’s personal information is fair and reasonable in the circumstances (and, if it’s not fair and reasonable, that collection, use or disclosure must not occur) and
• as part of the direct marketing, targeting and profiling proposals, to prohibit direct marketing to, targeting of and trading in the personal information of a child, with only very limited exceptions (very hard to do if you don’t know what children’s personal information you actually hold)

Of significant interest in the above proposals is the introduction of the requirement that, when dealing with children (ie anyone under 18 years of age), each business (whether focused on children or not) must have regard to whether the collection, use or disclosure of the personal information in question is in the best interests of the child and “fair and reasonable in the circumstances”. Therefore, you have to have a process in place to ensure you know when you are dealing with a child.

This is a new concept in Australian privacy law (although other proposals are also suggesting to include a version of this concept for adults too) and is therefore difficult to fully assess until we see the proposed draft wording for the changes to the Privacy Act. However, this concept of the “best interests of the child” derives from the United Nations Convention on the Rights of the Child and has been considered in the UK and Ireland with respect to their work on codes and guidance on the best practice handling of children’s personal information. What we can say now is that it must be a primary consideration along with the commercial interests of the business. In the UK, the Information Commissioner’s Office has noted that where any conflict arises between the “best interests of the child” and a business’ commercial or other interests, it is unlikely that the commercial interests of a business will ever outweigh a child’s right to privacy. This will impose significant additional requirements on businesses both in terms of the content of the obligation and the way in which it is to be complied with (especially for those businesses that don’t know whether or when they collect children’s personal information).

The Report also recommends (and perhaps much more far-reaching in impact) that, in a similar fashion to COPPA, a mandatory “children’s online privacy code” be adopted to create a regime as regards children’s online privacy, enshrining certain minimum legal privacy requirements and rights (akin to a children’s online privacy “Bill of Rights”). These minimum privacy rights include the following:

• privacy by default, including having any geolocation tracking switched off
• providing obvious “signs” for children when location tracking is active
• a child’s personal information to only be visible or accessible to others if the child expressly “turns this on” in their settings to allow this
• any optional uses of a child’s personal information, including uses designed to personalise the service, have to be specifically and individually selected and expressly activated by the child and cannot be bundled with other things
• any settings which allow third parties to use a child’s personal information must be expressly activated by the child (otherwise there is to be no third-party use)
• child users must have the option to change settings permanently or just for the current use(s) and
• “nudge” techniques to lead or encourage a child to provide unnecessary personal data or turn off privacy protections are prohibited

Rather than simply clarifying current “best practice” when it comes to dealing with children online, the Report’s proposals, in effect, seek to create the minimum privacy “rules of the road” or children’s privacy rights (like COPPA) which are a significant uplift (admittedly from a low base) of Australian privacy law requirements relating to children’s privacy.

Not just for social media and online businesses

As noted, these proposals will mean that all businesses dealing with children (whether as a large proportion of their customer base, incidentally, whether or not online and whether or not they know it) will need to uplift their procedures, tech and age access controls, policies and procedures for dealing with children’s personal information, especially on the marketing side if the direct marketing proposals are also enacted. However, it is likely that, almost counterintuitively, most uplift will be required for businesses that deal with children unknowingly or only occasionally or incidentally. Currently, these businesses have tended to overlook/not apply any special requirements for children’s personal information, other than noting their services or site is not for children, and have tended to fly under the regulatory radar. However, this will definitely change if the proposals are enacted.

Of course, one of the more “traditional” undertakings (although nowadays a lot more digital) focused on children are schools. For those schools (ie mostly private) which are subject to the Federal Privacy Act, the proposed changes will be significant: crystallising the privacy “rights” of students from the age of 15 years old with these students having much more control (if not total control) over their personal information (ie its use, collection and disclosure). A practical school scenario that might play out against these proposed privacy rights is the possible ability for students over 15 years of age to “direct” that their sensitive information no longer be disclosed to their parents. Obviously, this may not be the most ideal situation in a school setting and thought will need to be given as to how best to ensure an appropriate mechanism to keep parents informed of key matters while being mindful of the child’s right to privacy and whether sensitive information could be the subject to such restrictions on disclosure (including to the student’s parents).

State schools are subject to their relevant state privacy law, if any, and the proposed changes are only to federal privacy law. Thus, at least as far as schools go, we will start to see a divergence between a child’s privacy rights based solely on whether they go to a state/government or private school. Of course, this is likely an unintended consequence but one that should give the government pause to consider if, as a nation, we wish to create different “classes” of children with differing privacy rights at school, including in relation to their personal information collected and used by third party digital and online applications used at school.

Capacity for privacy and contracting

Legislating the default of 15 years of age as the age where “privacy capacity” may be assumed does assist to confirm current practice in Australia. Unfortunately, however, it puts us at odds with COPPA (with an age of 13 years old) and does not solve the problem of/disconnecting with the capacity to contract. While privacy consent can be given at 15 years of age, a contract (ie the online T&Cs of use) cannot be agreed to by and be enforced against anybody under 18 years of age in Australia (without a parent agreeing to those T&Cs on behalf of the child). This is a missed opportunity for the proposals to address this existing disconnect, especially in the online world and, at least, for specified “online” limited T&Cs in order to resolve this anachronism, in appropriate circumstances. That is, for terms of use, codes of conduct, etc and/or for consideration up to a threshold amount.

It also means that, in practice, a significant cohort of children under 15 years of age, online especially, will need to have their “privacy capacity” assessed individually (and the proposals provide more obligations in this regard). In practice, however, this will likely default to obtaining parental or guardian approval for privacy for any child under 15 years old.

Under the proposed online code, even more clearly than in the school example noted earlier, once a child subject to parental approval (and likely oversight) turns 15, then that business will need to ensure the child then has the “rights” noted above (eg to “turn off” parental oversight of and access to their online activities and their personal information). That is, in practice, the proposed changes with respect to children’s privacy will have multiple and ongoing impacts at different times — at the point of onboarding (assuming they are under 15 years of age at that time) and, if they are still users, once they turn 15 years of age and, for contracting, once they turn 18.

Start preparing now!

Businesses and their privacy advisors must consider these proposals now and start thinking about how to prepare for what will likely be a relatively short transition period once these proposals become law. In fact, businesses and the privacy advisors of businesses which have not focused on what children’s personal information they currently collect (or simply rely on a disclaimer that their services or site are for over 18’s only) should immediately start considering and implementing child-friendly privacy now in order to meet the new proposed requirements within the prescribed time once these proposals are enacted.