On June 9, 2021, the French Supervisory Authority (“CNIL”) published recommendations to help strengthen the protection of minors online (see here, in French). These recommendations are the result of a survey and public consultation conducted by the CNIL in 2020, which focused on the digital practices of minors (see our blog post here). The results of the CNIL’s survey and public consultation indicate that children are accessing the Internet at an early age on a “massive” scale. In light of this reality, the CNIL underscores the importance of ensuring that minors benefit from the effective protection of their personal data when engaging online.
The CNIL addresses its recommendations to a diverse audience that includes online service providers (such as websites and app providers), as well as providers of age-verification systems. Below, we summarize the CNIL’s eight recommendations aimed at enhancing the protection of minors online:
- Regulate the ability of minors to act online – Even though an individual below 18 years of age does not have legal capacity to conclude a contract under French civil law, the CNIL recommends that minors 15 years and older be allowed to conclude contracts for online services that involve the processing of their personal data (e.g., social media and online gaming sites) provided that: (i) the services are adapted to a young user base; (ii) the data processing strictly complies with the GDPR and French data protection law; and (iii) minors are informed in a clear and appropriate manner about the data processing, including their personal data rights.
- Encourage minors to exercise their rights – Even though parents are responsible for exercising personal data rights on behalf of their children under French law, the CNIL is of the opinion that minors should also be able to directly exercise these rights on social networks, gaming and video-sharing platforms.
- Support parents in digital education – The CNIL underscores the importance of providing parents with tools and other forms of support to help keep children safe online. The CNIL proposes to achieve this by, among other things, partnering with stakeholders and other governmental bodies (e.g., the French Ministry of Education).
- Seek the consent of a parent for minors under the age of 15 – The CNIL clarifies that, under French law, parental consent is sufficient if it is obtained from only one parent (rather than both) because the consent of the other parent is presumed, although the parent who did not give consent may still express opposition.
- Promote parental tools that respect the privacy and interests of the minor – The CNIL reminds service providers offering parental tools that they need to comply with data protection law, in particular with the principles of:
- proportionality (e.g., by taking into account the minor’s age and maturity, and ensuring that the tool is not too intrusive on the minor’s private life);
- transparency (e.g., by informing the minor about the tool); and
- data security (e.g., restricting access to the minor’s data).
Parental tools should take into account the best interests of the minor and their private life.
- Adapt terms and disclosures and reinforce the rights of minors by design – The CNIL recommends that online service providers: (i) adapt the language of their privacy policies and user terms so that they are more easily understood by minors; (ii) provide simplified privacy settings and interfaces, and deactivate certain data collection features (such as geolocation) by default; and (iii) publish a list of commitments for the protection of minors’ data in a consolidated and understandable format.
- Verify the age of minors and obtain parental consent while respecting privacy – The CNIL highlights that age verification systems should detract from a minor’s ability to browse the Internet freely without having to identify themself. For this reason, the CNIL sets out the following six criteria that age-verification systems should comply with: (i) proportionality; (ii) data minimization; (iii) robustness; (iv) simplicity; (v) standardization; and (vi) involvement of a third party. The CNIL’s recommendations further elaborate on these criteria and provide examples of mechanisms that can be used to verify a person’s age online.
- Provide specific safeguards to protect the interests of minors – The CNIL recommends that online service providers: (i) offer enhanced privacy settings by default; (ii) avoid profiling minors; and (iii) avoid reusing the personal data of minors and/or transmitting it to third parties for commercial or advertising purposes.
According to the CNIL, these recommendations revolve around three key themes, namely:
- taking into account the need for autonomy of minors and their rights, while at the same time ensuring that they are safe when browsing the Internet;
- reinforcing the fundamental support role of parents and educators in the digital environment, while respecting the privacy interests of the child; and
- ensuring online service providers are aware of their increased responsibility towards minors when processing their personal data, including the obligation to respect minors’ rights.
The CNIL’s recommendations are part of a global trend towards increasing the safety of children online. Among these various initiatives, the CNIL mentions in particular:
- the UN’s recently released General Comment No. 25 (2021) on children’s rights in relation to the digital environment (see here);
- the OECD’s Recommendation of the Council on Children in the Digital Environment (see here);
- the International Telecommunications Unit’s 2020 Child Online Protection (COP) Guidelines on how to achieve a safe online environment that supports the empowerment of children and young people (see here);
- the Council of Europe’s Guidelines to respect, protect and fulfil the rights of the child in the digital environment (see here); and
- UNICEF’s 2017 study on children in an online world (see here).
The CNIL notes that the European Data Protection Board and European Network of Child Advocates have begun a collaboration in this area, and also refers to other recent children’s data initiatives launched by national supervisory authorities, such as the Age Appropriate Design Code published by the UK Information Commissioner’s Office (see our blog post here), and the draft Fundamentals for a Child-Oriented Approach to Data Processing released by the Irish Data Protection Commissioner (see our blog post here).
We are continuing to monitor this area closely and will keep our readers apprised of the latest updates.