Before we talk about the challenges of processing the personal information of minors, let’s take a step back.
It feels like POPI has been in this kind of legislative limbo for years. Oh wait, it has been years. There seems to be some movement lately. Since Adv Pansy Tlakula and the other members of the Regulator was appointed last year, they have had their inaugural meeting. Despite a lot of speculation, there has been no indication of when the act will become effective. But we will be watching…
We were talking about the information of children (in South Africa that is a person under the age of 18). The fact of the matter is that not all processing of child PI is controversial. Children are large consumers of particularly digital services, of educational products, of apps and games, music…the list goes on.
POPI recognises that children are vulnerable. Processing the personal information of children is prohibited unless one of the following justifications are present:
- A parent or guardian can consent to the processing.
- The processing is necessary for the establishment, exercise or defence of a right or obligation in law (which includes obligations of international public law). This exception is very wide. The phrase ‘in law’ could refer to legislation, the common law or even contract. But in the case of a contract, the child would need parental consent to validly conclude a contract anyway. One would assume that the Regulator will interpret these exceptions are narrowly as possible.
- The personal information is being used for historical, statistical or research purposes if it services a public interest and it is impossible (or would require a disproportionate effort to ask for consent). The business would also need to provide sufficient guarantees that the privacy of child is not disproportionately affected. In most cases POPI can be avoided entirely be de-identifying the information.
- The prohibition also does not apply if the child deliberately made the personal information public with the consent of a parent or guardian.
Most businesses seem to be at a bit of a loss as to how to approach this requirement, particularly in cases where parental consent is required. I often see clauses like this one in terms & conditions:
You must be 18 years of age or older to make use of our services/our website. If you are under 18 years of age, you must have your parent or guardian’s consent.
This is not enough, particularly in cases where no attempts are made to ascertain the age of the consumers and the term is hidden in the terms and conditions. If the person ‘agreeing’ to the term is a child, they do not have the necessary legal capacity to conclude a valid agreement anyway. The problem is that verification methods and obtaining parental consent (particularly online) is notoriously difficult and costly to verify.
First prize is always to obtain the child’s information directly from the parent or guardian. That way, the act of handing over the information doubles as permission to use it, as long as the parent is aware of what the information will be used for.
We are in favour of a risk-based approach. The higher the risk, the more effort and expense will be required by the Information Regulator. The United Kingdom’s Information Commissioner’s (ICO) Personal information online code of practice lists the following scenarios as instances where parental consent should be obtained (at the time it was drafted parental consent was not yet a requirement, but the list is useful nonetheless):
- Where the child’s personal information is going to be disclosed to a third party.
- If the child’s details is going to be used for marketing purposes.
- If the information is going to be made public.
- If the child’s image is going to be used on a website which is open to the public.
- Where the child is going to be asked for personal information of third parties like family members or friends (excluding of course the parent’s details – how else could you get parental consent).
The ICO concludes that ‘where minimal information is being collected, such as an email address to register on a site and to ask the child to confirm their age, then asking the child to tick a box to confirm parental consent and sending an e-mail to the parent may be sufficient.’
Wondering how to get parental consent? You are not alone and there are many ways of doing it. In the past we have found the Advertising Education Forum’s report on best practices for parental consent very helpful. It includes several existing examples of how other businesses are doing it (from page 20).
Matters become particularly complicated for businesses who operate globally, because not all countries have the same age of majority. In such cases it is often necessary to cater for, in this case, the highest common denominator.