The ubiquity, digital reach, and permanency of online learning, social media platforms and others have raised serious questions about the privacy and safety of its users, mainly when dealing with children or, say, minors.
This puts immense pressure on some parents who wish to protect their children against such threats to enable them to have a normal childhood free of excessive glare on social networks or media/ comments or loss of unwanted data. Children unschooled in the ways are vulnerable to attacks on news websites/newspapers, whose consequences can lead to severe psychological impacts and even trigger psychiatric illnesses.
To help parents, we have included in this post the laws and acts of different countries that all parents must be aware of to protect the privacy and safety of their children.
United States
CIPA
CIPA stands for the Children's Internet Protection Act (CIPA). In 2000, Congress enacted it to address concerns about children's access to obscene or harmful content over the Internet. CIPA imposes certain requirements on schools or libraries that receive discounts for Internet access or internal connections through the E-rate program, making certain communications services and products more affordable for eligible schools and libraries. Later in early 2001, the FCC issued rules implementing CIPA and updated the existing rules.
CIPA's protection measures must block or filter Internet access to pictures that are: (a) obscene; (b) child pornography; or (c) harmful to minors (for computers that are accessed by minors). However, prior to adopting this Internet safety policy, schools and libraries are liable to provide reasonable notice and hold at least one public hearing or meeting to address the proposal.
Furthermore, schools subject to CIPA have two additional certification requirements: 1) their Internet safety policies must include monitoring the online activities of minors; and 2) as required by the Protecting Children in the 21st Century Act, they must provide for educating minors about appropriate online behaviour, including interacting with other individuals on social networking websites and in chat rooms and cyberbullying awareness and response.
They must adopt and implement an Internet safety policy addressing:
- Access by minors to inappropriate matters on the Internet;
- The safety and security of minors when using electronic mail, chat rooms and other forms of direct electronic communications;
- Unauthorized access, including so-called "hacking" and other unlawful activities by minors online;
- Unauthorized disclosure, use, and dissemination of personal information regarding minors; and
- Measures restricting minors' access to materials harmful to them.
- Schools and libraries must certify they comply with CIPA before receiving E-rate funding.
- CIPA does not apply to schools and libraries receiving discounts for telecommunications service only;
- An authorized person may disable the blocking or filtering measure during use by an adult to enable access for bona fide research or other lawful purposes.
- CIPA does not require the tracking of Internet use by minors or adults.
FERPA
FERPA is the acronym for Family Educational Rights and Privacy Act. This Act gives parents certain rights concerning their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students" (FERPA), a federal law that entitles parents to access their children's school records.
The right to ask for the records to be amended and the right to exercise some control over the release of personally identifiable information from educational records. When a student reaches the age of 18 or enters a postsecondary institution, regardless of his or her age, FERPA rights are transferred from parents to the student ("eligible student"). FERPA is set at 20 USC § 1232g, and FERPA is set at 34 CFR Part 99.
FERPA gives parents certain rights concerning their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."
- Parents or eligible students have the right to inspect and review the student's education records maintained by the school. Schools are not required to provide records unless parents or eligible students cannot review the records for reasons such as great distance. Schools may charge a fee for copies.
- Parents or eligible students have the right to request a correct school record that they believe to be inaccurate or misleading. If the school decides not to amend the record, the parent or eligible student then has the right to a formal hearing. After the hearing, if the school still decides not to amend the record, the parent or eligible student has the right to place a statement with the record setting forth his or her view about the contested information.
- Generally, schools must have written permission from the parent or eligible student to release any information from a student's education record.
However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):
- School officials with legitimate educational interest;
- Other schools to which a student is transferring;
- Specified officials for audit or evaluation purposes;
- Appropriate parties in connection with financial aid to a student;
- Organizations conducting certain studies for or on behalf of the school;
- Accrediting organizations;
- To comply with a judicial order or lawfully issued subpoena;
- Appropriate officials in cases of health and safety emergencies; and
- Within a juvenile justice system, state and local authorities are pursuant to specific State law.
Amidst all, schools are allowed to disclose "directory" information such as a student's name, address, telephone number, date and place of birth, honours and awards, and dates of attendance without consent. However, it is obligatory to inform parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose their directory information. Also, schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.
COPPA (Children's Online Privacy Protection Act)
Enacted by the United States of America, back in 2000, its children's privacy protection laws known as Children's Online Privacy Protection Act (COPPA). This Act empowers the Federal Trade Commission to make and promulgate regulations to protect and promulgate children's online privacy. COPPA regulates data collection for children under the age of 13.
The act guards children's privacy by restricting the operators of online websites and commercial services to collect any kind of data of children under 13 without parental consent. The restriction also applies to third-party advertisers when they have "real knowledge" of collecting personal information about children under the age of 13 from any other website or online service.
COPPA's scope does not apply directly to unprofitable organizations and educational institutions. However, it does apply to the third party that provides online support to school education. Under these conditions, schools play the role of parents and provide consent to access all data on the terms and conditions of COPPA.
The Children's Online Protection Act (COPPA) (also known as Children's Online Privacy Protection Rule) is a federal privacy law that protects the personal information of children under the age of 13 and requires website and online service operators to obtain the consent of parents or guardians to collect such personal information.
COPPA was first introduced as a law in 1998; COPPA gained popularity in 2000 when hardly any of today's popular online social platforms were developed before the ubiquity of smartphones and apps. Sites like Six Degrees and Classmates were present in the late 1990s, but LinkedIn and MySpace did not launch until 2003. Facebook arrived in 2004, Twitter in 2006, and Instagram in 2010. TikTok existed in a previous form in 2015 but was not available worldwide until 2018.
The Act has undergone significant updates over the years to reflect digital advances, and its definition of "website or online service" includes:
- mobile apps that send or receive information online (such as network-connected games, social networking apps, or apps that display behaviour-based advertising);
- Online gaming platforms.
- plug-ins
- advertising networks
- Web-based geolocation services
- voice-over-internet protocol services
- connected toys or other Internet of Things devices
There are several requirements for parental consent under the Children's Online Privacy Protection Act:
Before collecting, using, or disclosing children's personal information, entities must obtain consent. Because children cannot legally consent, it must be obtained from a parent or guardian. There is flexibility regarding how parents/guardians are informed of the request for information and what purpose.
However, regardless of the technology or platform used, the method must communicate what personal information from the child would be collected, how, and how it would be used and potentially shared with any third parties.
The organization must also take reasonably robust steps to verify that the parent/guardian consent.
Few acceptable methods of obtaining parental consent include:
- Fax, mail, or electronic scan.
- The online payment system provides the account holder with separate transaction notifications.
- Calling a toll-free number staffed by trained personnel.
- Video conferencing with trained personnel.
- Providing a copy of government-issued identification verifiable against a database, provided the identification is expunged after the verification process.
- Answering a series of knowledge-based questions is difficult for someone other than the parent to answer.
- Verifying a picture of a driver's licence or other photo identification submitted by the parent and using facial recognition technology to compare it to a second photo also submitted by the parent.
Parents too are allowed to provide consent to collect and use the child's personal information by the requesting organization but refuse consent to disclose the information to third parties.
If a child's personal information will be collected but only used internally by the organization collecting it and not disclosed, "email plus" consent and verification is acceptable.Parents/guardians must be informed that they can revoke consent at any time, and if changes are made to the collection, use, or disclosure practices consented to, a new notification must be provided and new consent obtained.
However, there are some instances where consent is not needed to collect or use children's personal information, though it should be noted that there may be specific notification requirements even if one or more of these conditions are met.
Few conditions and purposes when the child's, parent's, or contact information of both can be collected without consent are:
The child's and parent's name and online contact information may be collected for:
- Protecting the child's safety
- Obtaining parental consent must be deleted if consent is not obtained within a reasonable period
Directly responding more than once to a child's specific request (child's newsletter subscription request), but this cannot be combined with any other information about the child. The parent/guardian's online contact information may be collected for:
- Providing notification about the child's participation on a site or service that does not collect personal information
- Protect the safety or integrity of the website or online service, take precautions against liability, respond to the judicial process or (as the law permits) provide information to law enforcement agencies.
- A persistent identifier may be used for:
- Supporting internal operations of the website or online service, including:
- maintaining or analyzing the functioning of the site
- performing network communications
- authenticating users of the site or personalizing content
- Serving contextual ads or frequency capping or more.
Those who violate COPPA rules may be fined up to USD 43,280 per violation, with enforcement handled by the Federal Trade Commission. In the recent past, Google was fined USD 170 million in 2019 for violations on YouTube, where children's personal information was collected without consent and used to target them with advertising. In 2020, outside of the US, a class-action lawsuit filed in the UK sought the US $3.2 billion for similar violations of children's data privacy on YouTube.