Data and digital rights: What you should know about children’s apps


Children interact with technology at increasingly younger ages, which raises concerns about protecting their privacy, security, and confidentiality in the digital environment. Although laws have been passed in recent years, incorporating specific articles into existing legislation and creating rules to regulate cookies and illegal advertising, many adults don’t know what rules exist or what they should consider when young children use mobile phones and tablets.

Legislation on the protection of minors in the digital realm is diverse and varies from country to country. The United States was a pioneer, and since 2000 has had the Children’s Online Privacy Protection Act (known as the COPPA Rule), which regulates the way in which apps, games, and websites are authorized to collect and process personal information of children under the age of 13. This rule is complemented by the Children’s Internet Protection Act (CIPA) on inappropriate content on the Internet.

In Europe, Regulation (EU) 2016/679 regulates the processing of personal data and the free movement of such data, specifying what part of this data affects minors and therefore requires special protection.

This consideration implies, as highlighted by the Committee on Minors of the Spanish Professional Privacy Association (APEP), that developers must inform children and their parents about the processing of their personal data in language that is “clear, simple, and easy to understand for their age”.

In Spain, Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights establishes that, in regard to the processing of personal data, only those over 14 years of age may give their consent directly (Art.7).

What about apps?

Apps are regulated according to the regulations cited above. However, various research has shown that legislation on data protection is not always complied with in applications targeted at minors.

It is important to be aware that some apps can collect and share personal information, allow integrated purchases, make it easier to access social media, include inappropriate advertising, track the child’s location, use the camera or microphone to record their reactions when interacting with the device, and share all this with third parties.

To ensure that children are in a safe environment, adults should not only be aware of current legislation but must also consider a number of security, privacy, and confidentiality issues, which are summarized below:

  1. Security. Inclusion of parental controls with instructions on whether they are done from the device or the app, with an age-appropriate locking system to prevent these from being easily bypassed.
  2. Privacy and confidentiality. The information should be on the developer’s website, the store, and on the application itself, always in a visible place.
  3. Applicable legislation. Know what law affects the app and its geographical scope; also check the validity of the privacy policy and the information system for users in case of changes.
  4. Information collected. Express declaration to not collect data from minors or, if collected, a clear and unambiguous indication of parental authorisation. This means knowing which data, whether it is collected automatically, and if it is later handed over to third parties.
  5. Use of information. Who collects it, if it is shared with other companies, and the final purpose.
  6. Data storage. Retention period for personal data.
  7. In-app purchases. Applications must explicitly state in the store description whether they include integrated purchases (In-app purchases).
  8. Advertising. It is necessary to check whether the app incorporates advertising and, if so, whether it is only of their products or also from third parties.
  9. Social networks. It is a good idea to check whether the application allows access to social networks or whether this access is limited to adults by means of some type of control system.

As Demian Falestchi, CEO of Kids Corp, confirms, it is essential to create a secure and relevant digital ecosystem for children that ensures innovative and entertaining experiences through tools that empower brands and content creators.

This requires not only a legal framework, but also an attempt to ensure that applications, available in stores in different geographical areas, are as homogeneous as possible in regard to data collection and use, and especially at the age considered as minimum for parental consent.

It is imperative that parents control the applications downloaded by their children and get involved in their use, take advantage of effective parental control tools, and especially read and check the privacy policy before downloading them, given that minors don’t have the knowledge nor enough maturity to do so.

In addition, it is important to emphasize the need to obligate developers to write these policies clearly and understandably, with simple texts translated into the app user’s language. But also, mechanisms need to be designed that allow unequivocal confirmation that an adult is authorizing data collection, if this is indeed so, as well as to verify what is being done with data that is shared with third parties.

App stores can exert pressure in this matter by ensuring that, in fact, a developer’s privacy policy meets requirements before authorising that their products are added to the catalogue.

By Araceli García Rodríguez and Raquel Gómez-Díaz, professors of Library Science and Documentation at the University of Salamanca.

This article was originally published in the Spanish version of The Conversation. The EADT is passing it along for your interest, although it does not necessarily reflect the Association’s position.

The Conversation