International data protection authorities

Resolution on Children’s Online Privacy

30th International Conference of Data Protection and Privacy Commissioners

Strasbourg, 17 October 2008

Privacy Commissioner of Canada

Privacy Commissioner, New Zealand

La Commission Nationale de l’Informatique et des Libertés (France)
Data Protection Commissioner, Ireland
Berlin Data Protection and Freedom of Information Commissioner
Information Commissioner, United Kingdom

Around the world, young people connect to the Internet from their homes, school and wireless devices. They are using the Internet for social interaction – blogging stories, sharing ideas, swapping photos and videos, texting their friends to stay in touch throughout the day, playing online games with other people on the other side of the globe.

In doing so, young people must also navigate the challenges and complexities of protecting their personal information online. Given the unregulated nature of many Internet services, this can be difficult.  Many of the sites most popular with young people collect vast amounts of personal information for sales and marketing purposes.

As the number of Internet-based computer applications and technologies grows, increasing amounts of personal information will be collected and stored. Already, children today are often unaware that their information, habits and behaviour are all being tracked online.

Research indicates young people (and many adults) rarely read the privacy policies for websites they visit. This is unsurprising; as privacy policies for many sites are written in specialized, technical or legal language that is difficult for most readers to understand.

While many young people recognize the risks associated with their online activities, they lack the experience, technical knowledge and tools to mitigate those risks.  They are often unaware of their own legal rights.

Nearly 20 years ago in 1989, the United Nations General Assembly adopted the  International Convention on the Rights of the Child, declaring that states would respect and ensure the rights of children, including the right to the protection of their privacy.

Since that time, Data Protection and Privacy Commissioners have grown increasingly concerned over the online encroachment into the private lives of children.

Furthermore, in its declaration on protecting the dignity, security and privacy of children on the Internet adopted on February 20, 2008 by the Committee of Ministers of the Council of Europe, the latter declares being convinced of the need to inform children about the enduring presence and risks of the content they create on the Internet. It also declared that, other than in the context of law enforcement, there should be no lasting or permanently accessible record of the content created by children on the Internet which challenges their dignity, security and privacy or otherwise renders them vulnerable now or at a later stage in their lives.

At the same time, Commissioners have recognized that an education-based approach, combined with data protection regulation, is one of the most effective methods of addressing the issue. In particular, United Kingdom, Norway, Australia, New Zealand and Canada have all developed innovative education-based solutions to the challenge of protecting children’s privacy on the Internet.

Children and young people have the right to a safe and positive online experience in which they know and understand the intent of those they interact with.

The Data Protection and Privacy Commissioners gathered at the 30th International Conference therefore have resolved to:

Support the development of education-based approaches to improving the state of online privacy, both locally and globally;

Strive to ensure children and young people around the world have access to a safe online environment respectful of their privacy;

Collaborate with partners and stakeholders internationally as well as locally, recognizing cooperation with professionals who influence the lives of children daily is crucial;

Work with each other to share best practices and implement educational activities towards the public meant to increase awareness among children and young people of the privacy risks inherent in their online activities and the smart choices available for controlling their personal information;

Encourage educators to recognize privacy education as fundamental to a child’s education and to include privacy education in their curricula;

Call for legislation in their respective jurisdictions limiting the collection, use and disclosure of children’s personal information, including appropriate provisions for violating those requirements;

Call for appropriate limitations on the collection, use and disclosure of personal information about children for the purposes of online micro-targeting or behavioural advertising;

Urge operators of websites created for children to demonstrate social responsibility by adopting privacy policies and usage agreements that are clear, simple and understandable, and educating users about existing privacy and security risks and website choices available to the users.