Recommendation 6: Strengthen the information and rights of children by design

09 August 2021

Everyone, even children, must be properly informed about how their data is used. This information should be age-appropriate and accessible so that users can effectively understand and take advantage of their rights.

There are hard words that I don't understand, like in Moby Dick.

Quote from a child at a workshop for 8-10 year olds

What the law says

The GDPR requires data subjects to be provided with information about how their personal data will be used and about their rights in an intelligible and easily accessible form, using clear and plain language, especially any information specifically intended for a child. However, one only has to browse through some of the platforms most popular among children to realise that this practice is far from widespread.

This is despite the fact that the obligation to provide appropriate information is the cornerstone of online child protection: it dictates a child's very ability to give informed consent and understand the rights available (e.g. the right to be forgotten). Children will obviously not be able to make use of their rights if they are unaware of them or do not understand the point or benefit of them.

Furthermore, children often describe difficulties when it comes to understanding and exercising their rights, especially on social networks.

The difficulty of exercising rights in figures

75%

of 11-18 year olds say they find it "hard" to delete content about them posted by another internet user

35%

have tried to delete their account on a social network but 58% were unsuccessful.

(Source - in French: Génération numérique survey "Digital practices of young people aged 11 to 18", March 2021)

 

Design is the cornerstone of effective information

There is a need to inform children about their rights and how their data will be used, which requires talking to them in their own language, in a way that makes them want to pay attention. For example, this could mean using clear, simple and short sentences and providing information only when it is needed to make a decision, but also using interactive elements such as icons, videos or images, or to blending the information into the graphic interface of the service in question, so as not to disrupt the user experience.

Avoiding misleading interfaces

This need for information that is intelligible and suited to the target audience naturally places an emphasis on interface design. However, as identified by the CNIL's digital innovation laboratory (LINC), understanding the issue of children's rights by design means recognising that the interfaces they use are far from neutral. Their architecture and the way they are designed dictates the options open to users and their ability to act.

Websites are known to use tricks such as nudges, for gently guiding user behaviour, together with misleading design techniques known as dark patterns, for capturing and controlling user attention. For example, notifications encourage people to log in or stay online, whereas the need to select an age range when creating an account may encourage a child to lie about their real age.

Proposing ethical architectures

Improving the way in which children are informed, give their consent and are allowed to exercise their rights online therefore involves designing tailored interfaces that speak to them, that they understand and use. What is the point of recognising a child's ability to exercise his or her own rights if he or she is unable to do so in practice?

The only way to achieve this is by fully involving them in the design process for these interfaces. The CNIL therefore ran a series of constructive collaboration workshops, with the support of a legal design agency, involving young people of different age groups, in order to rethink the interfaces from their perspective. These workshops in particular identified certain factors that influence how well data protection issues are understood by children, such as age, maturity and social and family background. This culminated in the design of new prototype interfaces, for actions ranging from registering with a platform to changing geolocation settings, including personal data management.

They will be published on the Data and Design platform and the hope is that everyone involved will contribute, improve, discuss and test them, especially the children themselves.


Help and Guidance from the CNIL

In order to improve the information of children and reinforce their rights, the CNIL therefore recommends that online service providers:

  • Provide a version of their terms and conditions and privacy policy that meet the age-appropriate information requirements of services used by children (clear, simple, appealing).
  • For this purpose, design transparent and simple interfaces that can be understood by children and that comply with the specific protection measures proposed by the CNIL (see Recommendation 8). Particular attention should be paid to misleading and manipulative designs (dark patterns) to ensure that none get included in the new interfaces. Privacy settings should be simple to change, and certain options such as geolocation should be disabled by default.
  • Publish a list of their commitments to child data protection in a concise and understandable format, in particular including details of how they comply with these recommendations