Unfortunately, many websites and apps aimed at, and popular with, children do not appear to be meeting the clarity and simplicity standard. Our broad-brush review of five privacy policies for websites and apps popular with children[6] found that the length of those policies ranged from 3,889 words to 6,016 words. All privacy policies were presented in full form, with only one providing complementary short summaries throughout the (long) length of the policy. Of course, children are not alone in being faced with impenetrable privacy policies; the majority of privacy policies aimed at adults are also incredibly dense and hard to understand.
In particular, our sample of privacy policies revealed that the websites and apps collect (or said in their policy they collect) the following information from users, including children: substantial information on a user's device (including signal strength and battery level); information about third party applications installed on a user's device; information about a user's online and offline actions and purchases from third party providers; communications with other individuals; facial recognition data; the estimated geolocation of users; photographs of users (as provided to third party sites); and data in the user's device phonebook and camera rolls.
Whilst the processing of these types of personal data is not expressly prohibited under data protection law, children may not expect this level of personal data collection, nor have a full appreciation of how organisations will use such data. Such practice may not even be possible in future, given the Code's focus on encouraging default settings which ensure that children have the best possible access to online services and minimise data collection and use.
With some of the policies reviewed, this extensive data collection was only explained later on within what was already a lengthy policy. It seems unlikely that young data subjects would be reading the relevant provisions. The Code specifically requires data controllers to present all necessary information in a way that is likely to appeal to the age of the child who is accessing the service; this can include using diagrams, cartoons, graphics, video or interactive content that will attract and interest children. All of the policies reviewed provide their information in text form only.
Similarly, particularly intrusive data processing activities with potentially wide-reaching consequences (for example, that "shares", "likes" and replies are publicly available and indexed by search engines, that any private "shares" or chat communications may be posted publicly by another user, and that users can see when other users are active on the website/app) were generally not particularly prominent within the policies.
In relation to collecting information about children's communications with other individuals, the Council of Europe has specifically highlighted in its Guidelines that children have a right to private life in the digital environment which includes "respect for the confidentiality of their correspondence and private communications". In our view, this particular form of data collection should be made more prominent to children.
Whilst not directly a transparency issue, the Code notes geolocation data as being of particular concern. It states that geolocation options should be set off by default, with controllers considering the level of granularity of location data that is needed to provide their services, and providing an obvious sign for children when location tracking is enabled. Options which make a child's location visible to others must default back to "off" at the end of each session[7].
The privacy policies we reviewed also contained overly legalistic language, drawn of course from the GDPR itself, such as "withdrawal of consent", "legitimate interests", "Model Contractual Clauses" and "the EU-US Privacy Shield". They also included statements that the company relies on "legitimate interest" where it believes that its use of personal data "doesn't significantly impact your privacy" or there is a "compelling reason" for it to do so, and that the company may rely on consent "for a purpose that would otherwise be incompatible with this policy." Use of these technical legal terms and long, vague statements is unlikely to meet the requirements of the GDPR or the Code.
This has not gone unnoticed by the UK's Children's Commissioner, who urged companies in its report to "put their terms and conditions in language that children understand". The Code provides guidelines for how controllers can present and tailor information according to the age of a child, warning that simplification of information should never be used with the aim of hiding how children's personal data is being used.
It is therefore clear from our general review of the privacy policy samples that some companies are not explaining their data processing activities in a way which is likely to meet the transparency requirements. Given the complexities surrounding current data processing activities, data controllers could be forgiven for struggling to explain their activities in a clear and transparent manner to children. Over the past few years, data processing activities have become increasingly complex, with data being collected from various sources including from data subjects themselves, websites and apps. However, given the heightened scrutiny surrounding children's data, data controllers would be well advised to simplify their privacy notices in line with the GDPR and Code requirements.
[6] As this was meant only to be an overview, and not an academic study, we do not intend to name the organisations involved, nor do we claim that the study was conducted with academic rigour.
[7] These requirements, however, do not apply where the core service offered cannot be provided without the processing of geolocation data.