Why Corporate Boards Should Prioritize Minors’ Data Privacy, Security, and Safety Issues

Whether your company wants to let kids in or keep them out, companies must now comply with expanding digital privacy and safety laws set out to protect minors. Worldwide, there are two billion children under the age of 18. One in 3 Internet users is a minor. Each attempt by a child to access a website, app, or digital service with their mobile phone, tablet, or other digital device presents a risk for the child and for the company. With the escalating threat of privacy and security breaches, the expectations for proactive measures by boards of directors are transforming. Boards can no longer afford to remain passive in the wake of these risks; action is imperative.

A strong data privacy program and online safety starts at the top, not in the IT or legal department. While the board may not be responsible for the day-to-day management of security and online privacy and safety operations, it is crucial for them to establish priorities and allocate resources to guarantee effective security and privacy practices setting the tone throughout an organization. Investing in privacy today is no longer a cost center but an investment in brand trust and integrity, adding to the overall brand goodwill.

Ensuring the privacy of children's data and online safety is a shared responsibility that we must all uphold. The risks children and teens face online have come into the limelight and cannot be ignored. There are serious risks for mishandling minors’ access or personal data and growing consequences for companies, their executives and board.

Why now? Recent children’s associated privacy fines top $1.3B:
The landscape of international, federal, and state privacy and safety regulations is evolving, with a growing emphasis on companies verifying the age of their online users and obtaining consent. Many of these new regulations and proposed bills would expand the applicability of child and teen privacy laws to more businesses, either by lowering the knowledge standard or by raising the age of protected users.  As modern privacy and safety laws continue to expand and gain traction, individuals are increasingly demanding transparency and control over how their personal information is utilized. Regulators are responding by pushing private right of action by parents whose children have been harmed by non-compliance.

New rules issued in 2023 by the Securities and Exchange Commission (SEC) and an enforcement action by the agency against SolarWinds, a software developer that was the victim of a serious cyberattack, made it clear that directors need to understand the risks and actively engage in cybersecurity oversight. In 2022, some 1.7 million children fell victim to a data breach, meaning 1 in every 43 kids had personal information exposed or compromised, according to a survey by Javelin Strategy and Research. Among households that reported having children who had been victimized by fraud, 74% noted that their child’s identity had been compromised or exposed.

Unique to children, operators who violate the COPPA Rule can be held liable for civil penalties of up to $50,120 per violation by a court.  The General Data Protection Regulation (GDPR) imposes obligations on organizations anywhere in the world if they target or collect data related to people in the EU, including special protections for children’s data. Less severe infringements can result in a fine of €10 million or 2% of a firm's annual revenue from the preceding financial year, depending on which amount is higher. More serious violations can result in a fine of up to €20 million or 4% of a firm's annual revenue from the preceding year, depending on what is higher. Failure to comply with the UK Children’s Code could lead to a GDPR violation as the Code informs the regulation. 

Not being compliant has many consequences. Paying the fine is just one step. Repairing brand damage is also important to business and organizational success. It takes years to build brand trust and just seconds to destroy it. In addition to fines, companies may be required to create and maintain a comprehensive privacy program that includes biennial assessments and reporting for up to 20 years. Read the  “What are the penalties for COPPA and GDPR violations blog” for more details.

Call to Action
A corporate board that places a strong emphasis on data privacy and online safety has the power to shape the entire organization's approach by fostering a security-focused culture, setting high security standards, and promoting collaboration between technical and strategic teams by breaking down internal barriers.

All companies that offer online services may find themselves in possession of minors' personal data. And so, companies that take part online should discuss the following questions, especially considering the growing body of online privacy and safety laws protecting minors.

Board members might ask the following minor related questions:

1. Does the organization attract minors even if it’s not our intent?
2. Has child data entered our larger general audience database and if so, what are we going to do about it?
3. Do our digital properties have a jurisdictionally aware smart age gate implemented?
4. Do we have a way to block minor devices and data?
5. Do we actively engage children and/or teens?
6. How can we determine a child’s age for appropriate experiences, default controls and ongoing access as they age up?
7. Do we have a mechanism to obtain, document, and manage parental consent for child and teen accounts?
8. Do we have a third party to support our compliance with rapidly growing privacy and safety laws surrounding children?
9. Are we certified compliant by an FTC-approved COPPA Safe Harbor?
10. Is our organization tracking the new state and federal laws being proposed to better protect children and teens? 

In general, these are some foundational questions to ask:

1. What kind of data are we keeping and why? Where and for how long are we keeping it?
2. Are our policies and procedures adequate to protect our data?
3. Are our actual security practices in line with our policies and our public-facing statements?
4. Are our security investments and expenditures in line with our security risks and threats?
5. Is there already a cross-functional team set up to coordinate data policies with technical operations and marketing?

As a reminder, companies – even those that do not target children – are now held accountable by policy makers, parents, and regulatory officials or risk substantial fines, civil liability, and real damage to their reputations and brand value. Kids are everywhere online, and companies need to improve keeping them out or compliantly letting them in.

With the evolving privacy landscape and increased regulation and scrutiny, services will need to engage neutral third parties, like PRIVO, to assess and certify privacy compliance including through data privacy impact assessments. If your service needs support, please contact PRIVO to find out more about our Kids Privacy Assured Program and our privacy technology, and let our experts support you.   

We can all agree, kids should be able to play & learn without giving up their privacy, and companies should be able to do their business online without fearing interaction with kids.