CNIL publishes 8 recommendations to enhance the protection of children online

09 August 2021

Massively present online, children must be able to benefit from concrete, effective protection of their data. In order to support young people, parents and professionals develop a digital environment that is more respectful of children's best interests, the CNIL has published 8 recommendations stemming from a review conducted with all the stakeholders concerned.

Following an announcement in January, the CNIL has carried out a comprehensive review on data protection for children. As a result of this work and with regard to the societal issues at stake, the CNIL publishes 8 recommendations, with the aim of providing practical advice and clarifying certain aspects of the legal framework.

The recommendations obviously concern children, but also their parents and actors in the digital economy. Furthermore, in order to encourage a more general digital citizenship education policy, the CNIL calls on public authorities to take these recommendations into account.

A major societal challenge

The digital world offers undeniable opportunities for young Internet users: it can contribute to their education, their access to information and leisure, the development of their personality and enable them to build or maintain their family, friends and romantic relationships. However, they may face cyberbullying, online hate and exposure to offensive or inappropriate content.

Their online presence, for example on social networks and gaming platforms, also leads to the mass collection of information about their preferences, identity or lifestyle. The re-use or sharing of this personal data can have serious repercussions on their privacy, their physical and psychological integrity, their family life, their educational pathways and their socio-professional future, and even generate risks of discrimination and exclusion.

Three characteristics encapsulate this societal challenge:

  • Extensive, autonomous and inadequately supervised digital practices: children are growing up in an ever more connected environment. This intensification of use, which is evolving very rapidly, has grown to an unprecedented scale with the health crisis. It is apparent in their precociousness, the time they spend in front of screens and the diversity of the online services they use.
  • Highly coveted data: children, who account for one third of internet users and 40% of new users, represent the "future of the market". They are also "a market of the future": the new growth areas of the data economy, such as the Internet of Things, are particularly targeted at children, and the kidtech market is booming.
  • Less aware and more exposed to risks online: although children are interested in the protection of their private life and image online, they only become aware of the "commodification" of their data gradually, depending on their age but also on their family and socio-cultural background or the diversity of their digital practices. They are also particularly sensitive to the techniques designed to capture their attention, induce them to adopt certain purchasing behaviours and offer them personalised content, thus hindering their exposure to a diversity of opinions.

A new legal landscape to meet today's challenges

To face this challenge, mechanisms for the protection of children exist and are being strengthened by certain European and national legislation. The protection of personal data can usefully contribute to this, in particular through the remedies offered by the exercise of digital rights.

The CNIL has long been interested in the protection of children's data and has notably participated in the emergence of a more robust "right to be forgotten".

In 2018, the entry into force of the GDPR significantly changed the legal landscape by introducing, for the first time, specific provisions dedicated to children into European data protection law. In particular, they require age-appropriate information, provide for the reinforcement of their right to be forgotten and an ability to consent, under certain conditions, to the processing of their data (only over the age of 15 or with their parents for children under 15). They also call for particular vigilance with regard to the profiling of children. However, these texts have given rise to certain questions and a need for clarification, in particular to specify their practical implications and their relationship with national law, notably contract and family law.

At the same time, there are increasing initiatives at the international level, as illustrated by the recent "General Comment on Children's Rights in the Digital Environment" of the UN or the actions of UNICEF, the OECD and the Council of Europe or the International Telecommunication Union (ITU). The European Data Protection Board (EDPB) and the European Network of Childhood Advocates (ENOC) have also started work on the subject. In parallel, several national data protection authorities have made this topic a priority, such as the "Age Code" of the UK ICO- and, the "14 core principles for a child-centred approach to data processing" of the Irish DPC.

Recommendations by CNIL

These recommendations follow a very successful public consultation (with over 700 contributions) and a survey conducted in 2020, but also in-depth legal analysis including active international monitoring.

The CNIL wanted to understand children's perspectives and involve them in its reflection. In addition to the survey, which was carried out in 2020 among young people to find out more about their digital practices and their parents' perceptions of them, the CNIL has launched a series of workshops with children to gather their perceptions of privacy and data protection, and to create interfaces and information methods with them that they understand and which respect their rights.

Striking a balance between autonomy and protection of children

With its recommendations, the CNIL wishes to offer children a digital environment that meets their need for protection and their desire for autonomy.

The autonomy, protection, consent or relationship to parental authority of a 6-year-old child and a 16-year-old adolescent cannot be understood in the same way. The recommendations by CNIL therefore take into account the diversity of practices and the level of maturity of children, as well as the evolving nature of their capacity for discernment and understanding.

The recommendations are structured around three major axes:

  • For children, taking into account their need for autonomy and their rights while ensuring their protection online;
  • For their parents and educators, to assert their fundamental role of support in the digital environment, within a framework that respects the privacy and best interests of the child;
  • For online service providers, to make them aware of their increased responsibility towards children when processing their personal data, in order to offer children online services that respect their rights.

Continuing the dialogue to build a digital environment suitable for children

These recommendations relating to the "online" lives of children mark a starting point in the work of the CNIL. Indeed, some of them open the way to cooperation with those involved, in order to help them become technically operational and to suggest practical advice and appropriate teaching resources. In addition, new content on interface design will be published on the CNIL Data and Design platform.

The CNIL will continue and deepen its reflections in areas such as the educational, medical, banking or judicial fields that raise complex and different legal questions, in order to come up with new recommendations.