proffesor.clide
tiwoo1407
Children’s data protection vs marketing companies
Emmanuelle Bartoli�
Cardiff Law School, UK
The opportunity that the Internet represents for children is undeniable. The increasing amount of children’s personal data collected online raises an issue balance: how to protect children’s privacy without impeding the development of children’s online opportunities. Businesses collect children’s personal data in order to profile and target them. Aware of the risks such practices represent for children’s data protection, the US Congress has legislated the Child Online Privacy Protection Act (the so-called ‘COPPA’) which became effective in April 2000. In Europe, the collection and use of personal data is covered by the 1995/46 European Directive which has the fundamental aim of protecting individual privacy. The Directive does not, however, distinguish between data subjects who are adults and those who are children: it provides no specific protection for children’s privacy.This paper considers the different approaches adopted in the USA and in Europe with regard to children’s online data protection. In parallel, it appears that soft law is used as a new tool to regulate children’s privacy. Particular attention will be paid to soft law adopted in the UK and in France.
Keywords: children; data protection; COPPA
Introduction
‘Join now it’s free’, ‘Don’t have your account? Create one now!’, ‘Register now and get 100
extra points next time you play’ – these phrases easily catch web users’ eyes and enable
many websites to collect customers’ personal data. Children are very likely to have their
personal data collected when surfing on websites, no matter whether those websites
target them or not.
The presence of children online is increasing and children appear to be very skilful web
users. The opportunity that the Internet represents for children is widely recognised. The
European Union Commissioner responsible for Information Society and Media, Viviane
Reding, very much aware of this phenomenon, has stated that although ‘[c]hildren have
been very quick in making the most of online services such as social networking sites
and mobile phones . . . many still underestimate the hidden risks of using these . . .’. 1
One of these hidden risks may be the collection of personal data. Marketers use various
methods to collect children’s personal data. It goes from the promise to get access to free
games to the possibility to earn virtual money which enables them to buy virtual clothes
for their virtual pets! Collecting children’s personal data may be a gold mine for online
businesses who can profile children according to the details they provide with regard to
ISSN 1360-0869 print/ISSN 1364-6885 online
# 2009 Taylor & Francis
DOI: 10.1080/13600860902742612
http://www.informaworld.com
�Email: [email protected]
International Review of Law, Computers & Technology
Vol. 23, Nos. 1–2, March–July 2009, 35–45
their age, home town, gender, favourite cartoons, parents’ occupation, etc. The information
collected is used to target children with advertisements relevant to their interests, and to
profile them as consumers.
Aware of the increasing risk of children’s data being collected online and then used by e-
businesses to target them, the American Congress has legislated to protect children’s
privacy online and adopted the Child Online Privacy Protection Act (the so-called
‘COPPA’), which became effective in April 2000. 2
In Europe, the collection and use of personal data is clearly framed by the 1995/46 European Directive
3 (‘the Directive’) which fundamental aim is to protect individual
privacy. The Directive does not, however, distinguish between data subjects who are
adults and those who are children: it provides no specific protection for children’s privacy.
The question arises therefore as to know whether there is a need for specific ‘hard’ law
legislation applicable to children’s data protection in Europe.
This paper compares the COPPA provisions as applied to American businesses for the
with the European policy as applied to children online data protection and considers
the weakness and strength of each system. The place of children in the ‘digital media
culture’ 4 needs to be first outlined.
Children and society
Children as marketing subjects
At the end of the nineteenth century, children became part of the merging culture of con-
sumption. The child was considered as ‘a symbol of consumer aspirations – a way of inter-
esting parents in a product’. 5 Since the 1960s, the economic weight of children has
increased.
Children are able to buy with the pocket money they receive and may as a result be qua-
lified as consumers. In addition, children are often involved in the decisions their parents
take when there are important things to buy. In consequence even general audience adver-
tisements are likely to be meaningful to both parents and children.
The Children’s Television Workshop in the USA constituted the first prime opportunity
for marketers to start targeting children directly by TV advertisements. On the Internet,
however, children can be targeted even more directly than on television. Marketers can adver-
tise on websites targeting solely children and can send them e-mails directly on their own
e-mail addresses. This way of marketing is all the more valuable since it is estimated that
93% of children aged 12–17 are online. 6 A study conducted in 2007 suggested that more
than half of American children are expected to belong to a virtual world by 2011. 7 As a
result of this growth many brands have invested in new child-friendly online services. In
2007 over £500 million has been invested in these new virtual worlds by venture capitalists. 8
The commercial pressures resulting from these investments may lead online businesses
to try to collect as much personal data as possible in order to target children with advertise-
ments that match their profiles. It is little surprise, therefore that the Electronic Privacy
Information Centre (EPIC) has spoken of ‘phenomenal rate’ of growth in the collection
of data about children.
It is often argued that parents should play a greater role in the protection of children
when surfing online and Michael Freeman has argued that ‘children’s privacy is largely
controlled by parents’. 9 The generational digital divide between adults and children may
however make this regulation problematic: it is, for instance, difficult to have parents
managing their children’s privacy when they are not themselves able to assess the risks
encountered by their children when surfing on the Internet.
36 E. Bartoli
As a consequence of these difficulties it may well be argued that public bodies have a
responsibility to intervene in order to develop (at the minimum) an awareness of the extent
of the risks that the Internet poses for children’s privacy, allied with proposals for appropri-
ate safeguards.
The United Nations Convention on the Rights of the Child 10
(‘the UN Convention’)
enshrines the principle that children are entitled to ‘special protection’. Children are there-
fore considered as being entitled to rights different than those of adults.
Because children’s decisions may be contrary to their own interests children’s rights
shall always be adopted in consideration of their ‘best interests’. 11
Indeed, the child is
not able to appreciate his or her own interests on his or her own and on top of that, it is
not his or her interest at the present moment but at some later date, his or her interest as
an adult at some undetermined future moment. 12
The fact that children are ready to give
away their personal data in exchange for a present illustrates the fact that children tend
to consider their immediate interest rather than their long term interest. Children are not
mature enough to have the skills to defend themselves against the dangers that the Internet
may present for privacy.
Aware of the increasing threat the Internet represents for children’s personal data and of
the need for children to benefit from specific protection, the US Congress began to consider
the need for specific measures to protect them while online – whether learning or merely
browsing, playing games, or participating in ‘chat rooms’.
The US response to children’s privacy concern
Aware of the fact that the presence of children online represents ‘enormous opportunities for
marketers to promote their products’, 13
Congress noted the correlation between these
opportunities and the ease with which marketers were able to collect a large amount of chil-
dren’s personal data.
Congress commissioned a survey of 212 sites that appeared to be directed at children
under 16. The survey was specifically designed to assess the way data was obtained from chil-
dren, i.e. whether parental consent was requested. The survey findings suggested that 89% of
the websites studied collected personal information from children and of these only 12% noti-
fied parents of their information practices. In addition, it appeared that the majority of the
websites disclosed information to third parties without obtaining prior parental approval.
The necessity for specific legislation regulating the collection of children’s data online
appeared obvious and in due COPPA was enacted by Congress on 21 October 1998 and
became effective on 21 April 2000. In order to assess the effect that the implementation
of COPPA had on practices relating to the collection, use and disclosure of information
from children online, the behaviour of businesses and initiatives with regard to children’s
data collection, children’s ability to obtain access to online information of their choice
and the availability of websites directed at children, the Federal Trade Commission
(FTC) organised a review of COPPA. The results were published in a report dated February
2007 (‘the 2007 Report’). 14
The COPPA provisions: strengths and weaknesses
The provisions of COPPA are brief: the Act gives the FTC rule-making powers – aimed at
prohibiting unfair and deceptive acts and practices in connection with the collection, use
and disclosure of personal information from and about children online. The FTC published
recommendations with regard to the implementation of the COPPA in November 1999.
International Review of Law, Computers & Technology 37
The Act needs therefore to be read in conjunction with the rules and regulations that
flesh it out.
COPPA applies to commercial websites and online services targeting children aged
under 13 and to general websites that have actual knowledge that they may collect data
from children aged under 13.
The relevance of the age limit may be put into question. How can websites know
whether or not they are targeting children under the age of 13? The FTC has established
criteria in order to determine whether a website targets children or not.
It advises that in order to foresee the ‘overall character of a website’ several issues shall
be considered, including:
(1) the subject matter;
(2) the audio or visual content found on the site;
(3) the age of any models depicted on the site;
(4) the language used on the site;
(5) the presence of advertising on the site;
(6) other empirical evidence regarding the age of the actual or intended audience, such
as whether the site uses animated characters or has other child-oriented features.
These criteria are considered to constitute effective and clear guidance for determining
whether a website is directed at children. The FTC has decided that it was not necessary
to further clarify the assessment criteria. However, it seems web actors are in favour of
incorporating additional factors into those guidelines. One could for example think of
including usability components that are used to attract and keep child readers’ – particu-
larly the colour and the interactivity of the website.
A further difficulty concerns the extent to which it is relevant to decide that an Act
applies solely to children under 13. It may also be difficult to establish whether someone
aged 15 is really more capable of deciding whether or not it is in his/her best interest to disclose personal data. ‘Children’s development [being] a process not a race’,
15 makes it
difficult to establish the precise age at which they can make an informed decision to
provide businesses with their personal data and clearly a demarcation point at the 14th birth-
day is entirely arbitrary.
Websites not targeting children – the so-called general audience websites – having
‘actual knowledge’ that they are collecting personal data from a children also fall within
the scope of COPPA. Many websites can easily fall into this category – for instance
those collecting the date of birth of the users will have ‘actual knowledge’ of the fact
that they are collecting data from children when web users will indicate they are under 18.
There is of course the problem of children who provide a false age. Technology does not
exist to prevent children from visiting general audience websites. In fact, the 2007 Report
reveals that an increasing number of general audience websites are calling for the provisions
to be adapted to protect them from the increasing risk of children providing personal data to
websites which are not directly targeting them. Indeed, general audiences’ websites are not
requested to obtain the verifiable parental consent. As a result they are not able to dis-
tinguish between web users who are adults and those who are children.
General audience websites reported that general sites have no way to know for certain
the age of the people visiting their website. It appears that such websites would arguably
need to obtain verifiable consent from or for all of its users to collect any personal infor-
mation in order to comply with the proposed rules. Given that surveys proved that
children tend to lie about their age in order to access general audience websites, it may
38 E. Bartoli
be difficult to know for certain whether the web user who is logging on a given website is an
adult whose collection of personal data is not subject to any restriction.
In consequence, in its 2007 Report the Commission proposed that websites should ask
for age information in a manner that does not bias the answer, i.e. a website should not in
general expressly state that children under the age of 13 are not permitted to access.
Operators to which the provisions apply are requested ‘(i) to provide notice on the
website of what information is collected from children by the operator, how the operator
uses such information, and the operator’s disclosure practices for such information; and
(ii) to obtain verifiable parental consent for the collection, use, or disclosure of personal
information from children’. 16
Website owners are required to state that children’s personal data may be collected.
Parents should in addition be informed of what the website owners intend to do with the
information and whether or not they intend to disclose the children’s personal information
to third parties. For this purpose, website owners must display a ‘clear and prominent’
notice online of the site’s information practices.
‘Verifiable parental consent’ 17 is one of the main contributions of the Act to the protec-
tion of children’s privacy online. The problem, of course, is how to ensure that the consent
provided is genuinely from a parent.
The two procedures proposed to establish the authenticity of the consent to the collec-
tion of the child personal data are: (1) the sending of an e-mail and (2) the provision of the
parents’ credit card details.
Children are however able to get this information quite easily. Technology as it stands
does not yet provide an alternative verification process. Technology is in this context, there-
fore a significant limitation. The law itself is shaped by technology.
Websites owners are required to enable parents to review the data collected. The FTC
requires that parents shall have the power to delete the data but not to alter it. Such a pro-
vision is aimed at protecting both children’s right to privacy and autonomy. COPPA pro-
motes the role of parents in preventing abusive data collection. However this may be in
contradiction with the philosophy of the Internet where instant access is possible. Requiring
parental consent before the collection of personal data (which may be needed to visit the
website) may discourage children, such that they would abandon any visit to a websites
that required such a data. This may have a direct effect on website audience and may
result in economic losses to the website owners. Such a measure would have a preventive
effect, i.e. websites may try to avoid proceeding to the collection of personal data. It appears
that implementing the provisions relating to the deletion of children’s data raises issues.
Indeed there are numerous situations in which websites owner are ought to retain children’s
personal information. This is the case where relevant litigation is threatened or pending,
where a law enforcement investigation is ongoing or where the information is necessary
to detect or prevent unlawful activity. At present it appears that websites are complaining
about having conflicting obligations. Therefore, there is a need to clarify for which purposes
and to what extent should children’s personal data be kept and not deleted.
The Act provides that websites must not condition children’s access to certain games or
parts of websites on the disclosure of personal data. This provision stems directly from
research undertaken by the FTC in 1998 which revealed that many websites were requiring
as a condition of gaining access to certain games or part of websites, the collection from the
child of personal data. This provision is of particular importance because research indicates
that children are willing to trade away personal information for speculative reasons – for
instance in order to win a prize or to enter a contest. This suggests that many young
people do not care about privacy.
International Review of Law, Computers & Technology 39
In practice, it appears that web owners subject to COPPA have developed a number of
innovative ways of offering interactive online experiences for children without collecting
any personal information or collecting very little personal information, such as only an
email address. This may be one of the explanations as to why businesses have not reported
any excessive costs resulting from the implementation of COPPA.
Although it is often asserted that laws regulating the Internet may deter investors in
online businesses, it results from the 2007 Report that broadly speaking the regulation
imposed by COPPA does ‘not appear to have adversely affected the number of websites
directed to children’, 18
and may conclude that children’s online privacy is better protected
since the adoption of the Act.
The assessment of the COPPA implementation showed that broadly speaking the
COPPA provisions are being respected. Since the enactment of COPPA over ten enforce-
ment actions have been taken by the FTC. While analysis of these cases is beyond the
scope of this paper, it should be noted that the enforcement arm of COPPA is seen as
crucial to its effectiveness and that companies found to be in breach of the COPPA
regime have had very high civil penalties imposed and been required to delete all the infor-
mation that they have collected in breach of COPPA.
The above review suggests that children’s online privacy in the USA has been accorded
a high standard of protection, albeit that there are some weaknesses. The question arises as
to whether in Europe such a level of protection is available despite the fact that no equiv-
alent ‘hard’ law has been adopted to protect children’s online privacy.
The European privacy policy: no distinction between data subjects
The European Directive 95/46 on the ‘Protection of Individuals with regard to the Proces- sing of Personal Data’ is the key piece of European legislation regulating the protection of
personal data. 19
It has been widely (albeit recently) implemented by the member states.
The Directive requires that data is processed fairly and lawfully. This implies a high
level of transparency in the process. Companies collecting and processing personal data
must publish their data protection policy. Data must only be collected ‘for specified, explicit
and legitimate purposes’. 20
This requirement implies that before collecting personal data
websites owners must clearly inform their users that data is being collected and must indi-
cate the purpose of such collection. How, it might be asked, are children expected to under-
stand the likely implications for them of providing their data? How can they judge whether
the data collection process is in their best interests? To this extent the requirement to inform
websites’ users before collecting any personal data is not relevant as its stands if applied to
children’s personal data. It should at least be specified that web users are to inform their
users in terms understandable by any class of age.
Article 6 of the Directive provides that data shall be kept up to date. Children’s data may
easily be outdated because their circumstances can change quite quickly and website
owners could easily be found in breach of the Directive. To comply with such provisions,
web owners targeting children will have to set up a process in order to make sure that the
data collected and stored are up to date.
It results from Article 12 of the Directive that data subjects have a right of access to their
data. In relation to children, the question is whether this access right is a right of the child or
whether it is limited to the child’s parents. In Europe, children have rights similar to adults.
However, children are deprived of the right to exercise those rights. Parents have a right of
access resulting from the fact that children cannot exercise their rights. It has to be noted
that the result is roughly the same: parents have a right to control personal data that are
40 E. Bartoli
collected from their children. This raises an issue that is beyond the scope of this paper but
which still need to be taken into consideration: how to balance children’s privacy and the
needs for parents to control what their children do online.
The processing of personal data for the purposes of direct marketing is regulated by the
Directive as well. Data subjects have the right to object on request ‘to the processing of
personal data which may be used for the purposes of “direct marketing”’. One of the
aims of regulating children’s data collection and use is to limit the amount of advertising
mail (the so-called ‘junk mail’) children receive. Provisions of the Directive Article
14(b) does not provide – as it stands – an efficient protection for children against such
junk mail. Indeed, how can one expect to have a child mature enough to address a
request asking not to have his/her personal data used to receive unsolicited mail. It results from the above that the Directives set up a high level of data protection for
individuals. However, its provisions would need to take into consideration the difference
of maturity between the individuals. European legislators, information commissioners
and parents associations have called for the adoption of specific legislation top protect
children’s online privacy.
The sole significant European intiative to date results from the document issued by
Article 29 Working Party on 18 February 2008. 21
This document provides a definition of
children that appears to be slightly different from the one adopted by COPPA. In particular,
Article 29 Working Party stressed that in most legal frameworks dealing with children’s
rights, a child is defined as someone under the age of consent (i.e. in the UK, 18). It
refers to the specificity of children and their needs that ‘education and responsibility are
crucial tools in the protection of children’s data’.
The Article 29 Working Party suggests therefore that when a child becomes sufficiently
mature to make his or her own decisions, then website owners processing data must ensure
that they have the child’s permission as well as the child’s representative’s permission. The
point is to determine how to assess a child’s maturity.
Despite the lack of intervention from the EU, it should be noted that at national level,
several specific Codes of Conduct and Recommendations have been adopted. The follow-
ing section considers the soft law developments that have occurred in this respect in the UK
and in France. Differences of implementation of the Directive in both countries could be
studied. However, this would be beyond the scope of our paper.
The United Kingdom
Although the UK implemented the Directive 95/46 in 1998, it first enacted data protection legislation in 1984 following principles detailed in Guidelines issued by the OECD in 1980.
The influence of the UK during the drafting of the Directive was relatively limited
because privacy was not considered to be a UK Governmental priority at that time. The
implementation of the Directive became, however, a priority for the New Labour Govern-
ment in 1997. The Directive has been strictly implemented into the British legal system. As
yet no specific provisions relating to children’s privacy have been adopted.
This does not however mean that British society is blind to the increasing risks that the
Internet represents for children’s data protection. ‘Soft’ law has, in this respect, overtaken
the lack of intervention from the legislator.
The Direct Marketing Association’s Code of Practice for Commercial Communications
to Children Online 22
provides specific provisions relating to children’s online privacy
relating to children under the age of 14. In the same way as COPPA, the Code of Practice
requires a verifiable parental consent before any children’s personal data is collected
International Review of Law, Computers & Technology 41
and/or disclosed to third parties. Article 5.3 of the said Code of Practice provides that ‘web- sites that are directed to children and that collect personal data from children must require a
child to give their age before any other personal information is requested’. The efficiency of
such measure may be limited given that children tend to give false ages in order to have
access to websites that are not necessarily targeting them. The implemetation of such a pro-
vision would be efficient solely if additional provision were drawing up clear way for the
age to be verified.
The Code requires that a notice is clearly displayed as to the rights of the data subjects,
i.e. the child under 14. The privacy policy applicable to websites must be put in a notice
understandable by a wide audience, including by children. Any websites, whether targeting
children or not, are responsible for ensuring that they do not collect children’s data. If they
are aware that they are collecting such data they must comply with the provisions prescribed
by the Code. This is the reason why websites must request the age of the web user before
collecting any data.
The Model of Good Practices 23
encourages Internet service providers to limit the
amount of children’s personal information made available to other users. Providers of
such services are also asked to offer information and advice in the form of clear security
messages, and to warn children not to disclose contact details such as their phone
numbers and home addresses.
Codes of practices constitute soft law regulations which are known for their greater
flexibility as opposed to hard law legislation. Soft law being adopted by businesses
actors such codes clearly demonstrates the concern of web actors with regard to the protec-
tion of children’s privacy.
In spring 2008, the British Prime Minister called for a review on the general issue of
children and the Internet, coinciding with the publication of a Government sponsored
independent report on the subject, the much publicised Byron Review. 24
It is a pity that
the report only refers briefly to the risks marketing profiling can represent for children’s
privacy. It is only reported that there is evidence that ‘advertising is perceived by
youngsters . . . as an invasion of privacy and [that], according to one study, 95% of teen-
agers in the UK are concerned that personal information is being passed onto advertisers
or other websites’. 25
The report’s author, Tanya Byron, emphasised the actually sensitive nature of children’s
privacy and their difficulty ‘evaluating both the content and source of information while
their brains are still developing the appropriate skills’ and she concluded that it was
‘clear that this kind of contact presents a potential risk to children’. 26
She advises that
‘All sites signing up to a code for social networking providers should be required to set
the privacy settings for under 18 users to the highest level by default. They might also
be required to sign-up to a principle that privacy settings should reduce risk of under 18
users being contacted by strangers.’
One can deplore the fact that this report does not provide any clear recommendation as
to how to prevent children’s privacy from being infringed. It clearly calls for self regulation
by industry but does not provide any clear guidelines.
France
In France, the Act ‘Informatique et Libertés’, i.e. ‘Computers, Files and Liberties’ enacted
on 6 January 1978 is the centrepiece of the French regulatory system with regard to data
protection. This Act sets up the main rights and duties relating to processing of data
protection without distinguishing between data subjects. Although France took its time
42 E. Bartoli
to implement EU Directive 1995/46 into French law no specific provisions relating to chil- dren’s privacy have been introduced.
However, the French Information Commissioner (the CNIL) has been actively involved
in children’s data protection issues for over 25 years. In 1983, for instance, the commision
received a complaint from parents, concerned about the collection by a college of its pupils’
personal data through the use of a questionnaire. CNIL held that personal data of this nature
could not be collected without prior parental consent.
Subsequently, in 1985, the CNIL adopted a recommendation concerning the collection
of children’s data in schools and its position has been constant since then: parental consent
should be obtained prior to the collection of children’s personal data.
In 2001, the CNIL issued a report entitled ‘Internet and the collection of children’s
personal data’ (‘the 2001 Report’). 27
The 2001 Report stated that the collection from
children of information relating to their circle of friends, as to their lifestyle and as to the
socio-professional position of their parents was unconscionable and unfair. In France it is
additionally a well-established principle that the collection of data relating to racial
origin, political affiliation and religious views is prohibited without explicit parental
consent.
In addition the 2001 Report prohibited the making of access to on-line games con-
ditional on the communication of personal data. This recommendation is similar to that
contained in COPPA. It results from the above that the recommendations enclosed in this
2001 Report are very similar to those contained in the COPPA.
However, while COPPA prohibits any kind of collection of children’s personal data
without parental prior consent, the 2001 Report concludes that website owners may
collect, without prior parental consent, the e-mail address as well as the age of the children
using their site for the sole purpose of sending a newsletter. Such recommendation seems to
blur the rules concerning websites targeting children in Europe: indeed, the notion of ‘what
is a newsletter’ could be the subject of a lengthy doctrinal discussion and clearly it may
sometimes be difficult to decide on what constitutes the boundary between a newsletter
and an advertisement.
There is however much to recommend the initiative of the French Information Commis-
sioner – and the information programme that his Commission has developed, with web
pages dedicated to children in order to explain to them how best to protect their privacy
online. The French initiative therefore suggests there is much to be gained from educating
both parents and children rather than by adopting specific rules which may impede the
development of e-commerce without having any positive benefits for children.
Conclusion
On each side of the Atlantic, public authorities and web actors are aware of the risks that the
Internet may pose for children’s privacy: the US and European response to the problem is
however markedly different. The US chose a legislative route that strictly limited the
freedom of marketers’ to collect children’s personal data, and it did so at an early date –
10 years ago. Europe however has only shown concern about this issue recently. The
COPPA provisions enable parents to control their children’s personal data flow a priori.
In Europe, the lack of specific legislation means that children have the same protection
as their parents. However, children can only access their rights through their parents.
Once on the Internet children, in general, are left alone and in practice, their parents
rarely check whether or not websites collecting data respect the European Directive on
Data Protection. In Europe, the sole way parents can control the collection of data from
International Review of Law, Computers & Technology 43
their children is by exercising their children’s rights to be informed. The control is therefore
a posteriori. This represents a major weakness, because it is difficult to see how parents can
in general know which websites their children have visited and, even if this is known it is
difficult to see how in practice they could then request each website to provide them with
the list of the personal data they have collected from their children.
In contrast, it is still too recent to assess the efficiency of the Codes of Practices and the
Recommendations issued in Europe and as to how they compare to the COPPA regulatory
regime.
In either case, however, it seems that both parents’ and children’s education will play a
major role in the success of any children’s data protection policy.
Notes
1. European Commission, IP/08/207, ‘Let’s listen to children: they know how to make the Inter- net a safer place!’, Press release, Brussels, 12 February 2008.
2. Children’s Online Privacy Protection Act of 1998, US Federal Law, 15 USC §6501–6506. 3. Directive 1995/46/EC on the protection of the individual with regard to the processing of per-
sonal data and on the free movement of such data, ‘(10) Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of the European Convention for the Pro- tection of Human Rights and Fundamental Freedoms and in the general principles of Commu- nity law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community’.
4. Kathryn C. Montgomery, ‘Children in the Digital Age’, The American Prospect, no. 27 (July– August 1996): 69.
5. Stephen Kline, Out of the Garden: Toys, TV and Children’s Culture in the Age of Marketing (London: Verso, 1993), 163.
6. Alexandra Rankin Macgill, ‘Parent and Teenager Internet Use’, Pew Internet & American Life Project, 24 October 2007, http://www.pewinternet.org/pdfs/PIP_Teen_Parents_data_ memo_Oct2007.pdf (accessed July 2008).
7. Bobbie Johnson, ‘Online Marketers Aim for the Kids’, The Guardian, 17 October 2007, Technol- ogy, http://www.guardian.co.uk/technology/2007/oct/17/advertising (accessed July 2008).
8. Ibid. 9. Michael Freeman, ‘The Convention: An English Perspective’, in Children’s Rights – A Com-
parative Perspective, ed. Michael Freeman (Brookfield: Dartmouth, 1996), 103. 10. ‘Convention on the Rights of the Child’, United Nations, Adopted and opened for signature,
ratification and accession by General Assembly Resolution 44/25 of 20 November 1989. 11. Ibid., S.3.1: ‘In all actions concerning children, whether undertaken by public or private social
welfare institutions, courts of law, administrative authorities or legislative bodies, the best inter- ests of the child shall be a primary consideration.’
12. Jean Carbonnier, Droit civil – Tome 2, La Famille, Les Incapacités (Paris: PUF coll. Thémis, 2004), 370.
13. Federal Trade Commission, ‘Privacy: A Report to Congress’, June 1998, www.ftc.gov/reports/ privacy3/priv-23a.pdf (accessed July 2008).
14. Federal trade Commission, ‘Implementing the Children’s Online Privacy Protection Act – A Report to Congress’, February 2007, http://www.ftc.gov/reports/coppa/07COPPA_Report_ to_Congress.pdf (accessed July 2008).
15. Penelope Leach, Children First – What Society Must Do – And is Not Doing for Children Today (London: Penguin Books, 1995), 205.
16. Children’s Online Privacy Protection Act of 1998, Section 1303 (b) (I) (A). 17. Ibid., (ii). 18. Ibid. 19. Ibid., 3 20. Ibid., 3.
44 E. Bartoli
21. Article 29, Data Protection Working Party, ‘Working Document 1/2008 on the Protection of Children’s Personal Data (General Guidelines and the Special Case of Schools)’, 18 February 2008.
22. The Direct Marketing Association, ‘The DMA Code of Practice for Commercial Communi- cations to Children Online’, http://www.myschoollunch.co.uk/Telford/files/general/DMA_ Code.pdf (accessed July 2008).
23. Information Commissioner’s Office, ‘Good Practice Note – Collecting Personal Information using Websites’, http://www.ico.gov.uk/upload/documents/library/data_protection/practical_ application/collecting_personal_information_from_websites_v1.0.pdf (accessed July 2008).
24. Tanya Byron, ‘Safer Children in a Digital World – The Report of the Byron Review’, Depart- ment for Children, Schools and Families, and the Department for Culture, Media and Sport, 27 March 2008. http:www.dcsf.gov.uk/byronreview/pdfs/Final%20Report%20Bookmarked.pdf (accessed November, 1998).
25. Ibid., 58. 26. Ibid. 27. Commission Nationale Informatique et Libertés, ‘Internet et la collecte des données
personnelles auprès des mineurs’, 12 June 2001.
International Review of Law, Computers & Technology 45