Privacy Act Review: Children’s privacy in the spotlight

Children’s privacy has been in the news for the last few years, with the introduction of information sharing schemes for child safety, the technological upskilling that came with online schooling, and an emphasis on online safety by the eSafety Commissioner. In big privacy news, the U.S. Federal Trade Commission has ordered Epic Games, the maker of video game Fortnite, to pay $245 million (USD) to consumers in part for letting children make purchases without parental involvement.

The proposed amendments to the Privacy Act released by the Attorney-General continue this trend. Below we deep dive into the proposed changes to children’s privacy, and consider how these changes align with other regulatory changes and requirements to protect children.

Who is considered a child under the Privacy Act?

There are multiple different definitions of a “child” or “young person” in different regulatory regimes. Currently, in privacy, there is no rule about who is considered a child. In the absence of a rule, organisations need to apply the “Gillick competence” test to determine a child or young person’s capacity to consent to information handling. This is based on the person’s capacity to understand the consequences of their consent.

There are two alternative proposals to amend the Privacy Act to provide greater clarity:

  1. define a child as a person under 18 years of age; or
  2. embed the 15-year-old assumption of capacity in the Privacy Act.

Consent to the handling of personal information

Currently, there is no definition of consent in the Privacy Act. There is a proposed amendment to codify the principle that consent must be given with capacity to be valid.

Whether an individual has capacity to consent depends on their age and other factors or vulnerability and diversity, such as understanding of English and disabilities. These kinds of considerations are a common trend in legislative amendments, for example, the increasing focus on wide scale vulnerabilities in child safeguarding legislation.

Another proposed amendment is for collection notices and privacy policies be clear and understandable, in particular for any information addressed specifically to a child. This empowers the individual to give informed consent and have more control in the handling of their personal information.

Children’s Online Privacy Code

The ability to implement specific Codes which enforce additional requirements to address identified risks is already in the Privacy Act. This proposal is for a Children’s Online Privacy Code which would:

  • apply to online services that are ‘likely to be accessed by children’ such as apps, games, connected toys (Internet of Things) and online new services;
  • provide guidance on the format, timing and readability of collection notices and privacy policies for children;
  • align as much as possible with the scope of the UK Age Appropriate Design Code; and
  • address how the best interests of child users should be supported in the design of an online service.

How we can help

Privacy and online safety are increasing elements of child safety and safeguarding measures, particular as the Child Safe Standards require organisations to take steps to protect children in online environments. We can help you implement these proposed changes – as recognised best practice ideals – to ensure children in your care are safe online, and are also empowered to understand their privacy rights.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

Authors