Websites aimed at minors often collect personal data during the youngsters’ visit whilst allowing access to information and entertainment. Personal data of young web visitors are particularly requested in the context of contests and online services (chat, blogs, e-cards etc.). However, the majority of websites gathering such data from children and teenagers do not comply with data protection legislation.

294 websites of organisations established in Belgium and mainly targeting children and teens were analysed to verify whether they respected their legal obligations. Results show that, while a majority of them (8 out of 10) collect personal data, only a minority (4 out of 10) observe the privacy rights of their young visitors. This results from a study entitled Cyberkids’ e-Privacy at stake? by Prof. dr. Michel Walrave of the University of Antwerp (Belgium).

Only 40% of websites collecting personal data use privacy statements to communicate the identity of the data controller, the reason for collecting user data and the related privacy rights. Many websites do not meet the compulsory information standards. 52% of statements identify the data controller, whereas 86% mention one or several reasons for collecting user data. 54% of privacy statements announce that the data collected from children and youth will be used for direct marketing. Six out of ten privacy statements mention specific essential rights such as access (66%) and the right to correct data (67%).

However, in four out of ten statements no information is given on how to exercise those rights. In 60% of cases where data is declared to be destined for marketing purposes, the right to object is communicated. But only 11% of websites offer an opt-in on the form, whereas 13% offer an opt-out. One fifth (19%) does not mention how consumers can register their objection.

In brief, privacy statements are often incomplete. Besides, the phrasing used is often not adjusted to the young target group. Moreover, only few companies involve parents when collecting personal data, by informing them or asking for their permission. Some 12% of privacy statements contain information for parents while one out of ten invites minors to get parental approval before communicating personal data.

We can thus conclude that minors’ e-privacy rights are less protected than adults’. In previous similar surveys a relative higher percentage of sites were found to be complying with e-privacy obligations. New (co-)regulation initiatives could be implemented in order to clarify when, how and what kind personal data of minors’ can be processed.

Informing young consumers about how to exercise their privacy rights is important for their development. Moreover, it is necessary to clarify in which cases parental advice or permission is indispensable when minors’ data is collected.

Michel Walrave, University of Antwerp