Recommendation 8: Provide specific safeguards to protect the interests of the child

09 August 2021

Strengthening the rights of children should also involve specific protection measures by design on the websites, services and apps they are likely to use.

Several safeguards were mentioned during the CNIL public consultation, many corresponding to measures proposed by the UK (ICO) and Irish (DPC) data protection authorities, or international initiatives (OECD and Council of Europe in particular).

They were generally supported by all those who participated, with some reservations in favour of a risk-based analysis of the safeguards taking into account the child's age and how his or her capacity is likely to evolve.

The CNIL aims to issue recommendations for encouraging online service providers to adopt good practices or to establish an appropriate code of conduct. Safeguards should also be taken into account as part of the by design approach.

These recommendations are intended to be discussed with all stakeholders. In view of the converging initiatives under way or planned at European level, it may ultimately be possible to submit these recommendations to the EDPB.

Help and Guidance from the CNIL

Setting up tighter privacy settings by default

One solution would be to ensure that any additional features not part of the core service are disabled by default. For an online game site for example, creating an account and using the website are part of the basic service, whereas geolocation may be an additional option (for example, if it allows the child to identify him or herself on a geographical map of players).

In practice, most children, like most adults, do not change their default settings. The initial choices made by the service designer are therefore crucial.

Preventing the profiling of children

While the GDPR does not generally prohibit the profiling of children, it does highlight the need for specific protection. Indeed, as the European Data Protection Board (EDPB) guidelines on the targeting of social media users point out, "Targeting can influence the shaping of children’s personal preferences and interests, ultimately affecting their autonomy and their right to development". In addition, the GDPR emphasises that automated decision-making based on profiling should not apply to children.

This view is widely supported. It was also expressed during the CNIL public consultation, with 87% of respondents in favour of "default deactivation of profiling systems for children". It is also reflected in the converging initiatives of the ICO's Age Appropriate Design code in the UK and the DPC's Fundamentals in Ireland, which have sought to restrict the profiling of children to cases where it might effectively be in the best interests of the child.

This restriction of profiling to cases where it would allow the protection of children reflects some of the arguments put forward by economic actors who responded to the public consultation. They stressed the potential benefits, in particular the reassurance that children would only receive age-appropriate products and services and only have access to appropriate content.

Avoiding the re-use and third party transmission of child personal data for commercial or advertising purposes

The UN General Comment states that children should be "protected from all forms of exploitation prejudicial to any aspects of their welfare in relation to the digital environment. (...) By creating and sharing content, children may be economic actors in the digital environment, which may result in their exploitation." The UN therefore urges member States to take all appropriate measures to protect children from commodification, and thus to safeguard children in relation to the digital environment.

With regard to the specific safeguards that should be put in place to protect the best interests of the child, the CNIL invites those responsible for online platforms and services used by children to:

  • set up stricter default privacy settings;
  • deactivate by default any profiling systems for children, especially for the purposes of targeted advertising;
  • not re-use or pass on to third parties the data of children for commercial or advertising purposes, unless they can demonstrate that they are acting for overriding reasons in the best interests of the child.