By Natasha Roberts

In this post, we take a closer look at proposals related to children’s privacy contained in the recent Privacy Act Review Report (the Review) – proposals to which the Government has agreed or agreed in principle.

What was the problem the Review was trying to address?

There is growing recognition that children and young people may be vulnerable in relation to privacy, particularly online. The Review noted that in the digital age kids are increasingly ‘datafied’ and that personal information about children can be used to build profiles and identify moments when children may be particularly vulnerable or receptive to online targeting and marketing (including in relation to harmful products and messaging). As the Report observed, this may affect children and young people’s autonomy and capacity to freely develop their identity.

How did the Review propose to address this problem?

The Review took a multifaceted approach to addressing children’s privacy including the following…

Define ‘child’ and restrict marketing, targeting and trading in personal information

Currently the Privacy Act does not define ‘child’ and there are no specific provisions applying to children’s privacy (though organisations are expected to consider an individual’s capacity to consent which may include considerations of age or maturity). The Report proposed reforming the Privacy Act to define a child as an individual under 18 years of age.

In formally defining the meaning of child, the Privacy Act would then provide for certain specific provisions that apply only to children. These include proposals to prohibit the ‘trading’ of personal information of children and restrictions on ‘direct marketing’ and ‘targeting’ of children, other than marketing or targeting that is in the best interests of the child (for example, targeted marketing for essential child support, counselling and community services).

Codify ‘capacity’ in relation to consent

The Privacy Act contains several exceptions that allow certain information handling with the consent of the individual. However, deciding when children have ‘capacity’ to consent can be difficult, in recognition of varying levels of maturity at different ages. Up until now, the Privacy Act has not specified a particular age at which children may consent on their own behalf and guidelines issued by the Information Commissioner have stated that an organisation must decide on a case-by-case basis if an individual under the age of 18 has the capacity to consent. Where that is not practical, the Information Commissioner advises that an organisation may assume an individual over the age of 15 has capacity, unless there is something to suggest otherwise.

The Review recommended retaining this ‘middle path’ between individualisation and practicality, noting that over-reliance on parental consent was impractical and undesirable. The Review did however propose that the Privacy Act codify the principle that valid consent must be given with capacity. While this would result in a change to the Act, it should not result in a major change of approach for organisations given that it formalises what is already contained in the Information Commissioner’s guidelines and what should already be occurring in practice.

Build consideration of ‘best interests of the child’ into fair and reasonable test

Elsewhere we have discussed the proposal for the introduction of a fair and reasonable test to the Privacy Act. The Review further proposes that any such test require organisations to have regard to the best interests of the child as part of considering whether a collection, use or disclosure is fair and reasonable in the circumstances. In our view, this is the most far-reaching of the children’s privacy reforms as it puts the best interests of the child at the heart of decisions about information handling.

Introduce a Children’s Online Privacy Code

Other jurisdictions (notably the UK) have promulgated codes to regulate the privacy of young people online. The Review considered models adopted in those other jurisdictions and came to the view that Australia should introduce a Children’s Online Privacy Code that applies to online services that are ‘likely to be accessed by children’ and which aligns with the UK Age Appropriate Design Code, to the extent possible. According to the Review, a code could address:

  • Whether specific requirements are needed for assessing capacity

  • Whether certain collections, uses and disclosures of children’s personal information should be limited

  • Which default privacy settings should be in place

  • Whether entities should be required to ‘establish age with a level of certainty that is appropriate to the risks’ or apply the standards in the Children’s Code to all users instead

  • How privacy information (including collection notices and privacy policies) and tools that enable children to exercise privacy rights (including erasure requests) should be designed to improve accessibility for children, and

  • If parental controls are provided, how to balance the protection of the child with a child’s right to autonomy and privacy from their parents in certain circumstances.

The Review also proposed amending the Privacy Act to require that collection notices and privacy policies be clear and understandable, in particular for any information addressed specifically to a child. In the context of online services, these requirements are to be specified in the Children’s Online Privacy Code. Specifically, the Code could provide guidance on the format, timing and readability of collection notices and privacy policies.

What are the key takeaways for my organisation?

Privacy law reform is still ongoing, so this is an area on which to maintain a watching brief. That said, there is nothing to stop you from reviewing the bullets listed above and assessing your personal information handling activities against those standards. We suggest:

  • Identifying whether you handle children’s personal information and in what circumstances (for example, in person, online etc) to determine how you may be affected by reforms

  • Maintaining a watching brief on privacy law reform to see how proposals related to children’s privacy are implemented in practice

  • Engaging in consultation – the Government has committed to further consultation on children’s privacy and there are likely to be opportunities to comment on bill exposure drafts and the draft code, as it’s developed

  • Reviewing the UK’s Age Appropriate Design Code to gain insight on the possible scope and approach of the proposed Children’s Online Privacy Code, noting that the Review specifically called for the proposed code to align with the UK’s Age Appropriate Design Code to the extent possible, and

  • Considering whether your organisation’s handling of children’s personal information meets the ‘best interests of the child’ test, which is likely to form part of the proposed ‘fair and reasonable test.’ This may require consideration of whether, throughout the handling of a child’s personal information, a child’s physical, psychological and emotional wellbeing is protected.