Is the following true for your organization?
- Have children as your primary users and/or customers? This could include schools, extracurricular activity centres for children, products targeted towards children, medical services for children and the like.
- You track and monitor children online to profile them and/or advertise to them? This could include organizations with online offerings to children like gaming companies, smart ‘toys’ for kids or even brands that have products specially for kids.
- You process Children’s Data on behalf of other organizations?
If yes, then be aware that the world is heading towards a very strict and stringent regime towards protecting our children, their data and their lives online.
What does this translate to?
- You cannot continue collecting whatever data you feel like about children. And yes, this includes all the data you collect via trackers and cookies on your website or via permissions on your mobile apps
- You cannot keep using the data you have for whatever purposes you feel like. Many uses are simply disallowed by the various applicable law(s) while other uses would be allowed only after getting parental consent or the equivalent.
- You cannot do behavioral profiling of kids online by tracking their behavior at every step. You cannot even do targeted online advertising to kids.
- You cannot freely share data with various partners – who, in turn, can happily use it for whatever purposes they feel like
- You will need to put a host of measures in place – technical & procedural – to demonstrate compliance to the above and to meet other requirements of all laws in this sphere applicable to you.
Why this ‘sudden’ concern about children and their data?
It is not at all ‘sudden’. Disquiet around Children’s data has been growing – rapidly – in the last few years. This largely stems from two key concerns:
- The various harms children are exposed to owing to their data being freely used by anyone and everyone are too vast and severe to comprehend. Several of these would manifest over time.
- Children themselves as well as their parents/guardians and other stakeholders are simply not equipped to comprehend these harms and their implications.
So what measures are being adopted?
Basically, laws & regulations are being passed around the world. Or existing ones are being revamped. Some are specialized laws, focused on children, while some include sections around children’s data in their overall Privacy Legislations.
Some of the points these laws address include:
- What kind of Personal Data can/cannot be collected about children, how it can be used and further processed, etc.
- How the parent/guardian needs to be involved and what kind of supervision they can perform.
- Many laws further break down requirements based on the age of the child. For eg, what applies to a 16 year old could be different from what applies to a 6 year old child. The term – first used in the UK for this approach – is ‘Age Appropriate Design Code’ or AADC.
- Extra stringent measures where biometric or health data is involved.
Where is India in all of this?
India is in step with these global developments. The draft Digital Personal Data Protection Bill calls out Children’s data specifically and lists out measures that organizations are required to follow. These are along the lines discussed above. In fact, even earlier versions of India’s privacy bills have focused on Children’s data. So, take this as a ‘given’ for India – whenever the law gets passed.
What can my organization do to prepare?
- Build a ‘Snapshot-yet-comprehensive’ view of your Children’s data
Gain an understanding of what Children’s data your organization is dealing with, what is being done with that data, how is it being used, how is it being shared further, what are your vendors doing with the data, and so on. This helps you ‘take a deep breath’ and understand the extent of your risk exposure.
Keep in mind that this takes a while to do. So, get this exercise going at the earliest.
- Do a ‘Spring Clean’
Once you have this map, take a long hard look at all that is going on and decide which out of this is really essential to your business. Segregate the ‘must have’ from the ‘good to have’. Get your top team together and decide whether all the ‘good to have’ activities are worth the risk your organization is exposed to and see how many of them can be eliminated. “Less Personal Data = Less Risk”
- Start rolling out Measures
Now focus on all the measures that you need to roll out to manage the Privacy of the Children’s data that you will continue to handle and process. Figuring out where you need consent (including parental) and how you need to action it off, what controls you need to put in place within the organization to ensure data gets used only for the purposes it is meant to, rolling out measures for your vendors with whom you are sharing data with, implementing processes to manage rights & incidents, educating your teams and getting your apps & websites tested for Privacy are some of the immediate things to get started with.
Remember, you don’t need to ‘wait for the law’ to do any of the above. Whatever is the final version of the law that gets passed in India/ any other geo, the basics will remain unchanged.
Btw, the above is not ‘rocket science’. There are tried-and-tested frameworks and methodologies available to do all of the above in a structured manner – no matter how small your organization is.
Let us ensure we do our bit to leave the world a better place for our children.
Arrka can help you with all of the above. Our AI & Automation driven platform enables you to get going quickly and manage & sustain your program throughout your privacy compliance lifecycle. To know more contact us or drop us a mail at privacy@arrka.com