Companion document – Putting best interests of young people at the forefront of privacy and access to personal information
This document provides additional information about how organizations might address the principles of the “Putting best interests of young people at the forefront of privacy and access to personal information” resolution. The examples given are not exhaustive.
1. Build in young people’s privacy and best interests by design
Digital privacy risks to young people must be identified and minimized as early as possible.
1.1 Public sector organizations should take care to assess the specific impacts on young people’s privacy when analyzing major projects or programs that rely on personal information (e.g. public digital identity systems);
1.2 Private sector organizations could consult directly with young people before developing a product or service to learn about their specific concerns or to check that measures are adapted to their needs.
2. Be transparent
Young people must be given concise, prominent and clear information suited to their level of maturity.
2.1 All organizations should provide young people with information about :
- its products or services
- its privacy policies and practices
- its purposes for collecting personal information
- its user controls and default settings
- its complaint processes
- any associated privacy risks and
- any other topic relevant to young people accessing the product or service.
2.2 All organizations should encourage young people to ask a parent/guardian (or trusted adult) questions about the information they have been presented.
2.3 All organizations could consider innovative and creative ways to ensure young people understand the privacy information presented to them, such as informational videos.
3. Set privacy protective settings by default and turn off tracking and profiling
Young people should not bear the burden of making technology settings compatible with their fundamental right to privacy. They also have a right to not be tracked or profiled without justification, knowledge or consent.
3.1 All organizations should keep young people’s online profiles and content private by default (e.g. photos, videos, messages) in apps and in online educational platforms.
3.2 Private sector organizations should obtain explicit consent for the collection, use or disclosure of young people’s geolocation data. Those who offer apps that allow young people to activate geolocation should limit the collection of geolocation data to what is reasonably necessary to provide the product or service and should display a conspicuous signal, such as in the status bar of a smartphone, informing them that the function is currently active.
4. Reject deceptive practices
Young people must not be influenced or coerced into making privacy-related decisions contrary to their interests.
4.1 Public sector organizations should evaluate the use of technologies that collect, use or disclose the personal information of young people, including those used in schools, to ensure there are no deceptive design elements. For choosing educational products, the Global Privacy Assembly’s resolution on e-learning platforms may be helpful.
4.2 Private sector organizations should look for innovative and creative ways to encourage young people to adopt privacy protective behaviours. This could include developing dynamic, educational materials (e.g. videos, games or infographics) to explain privacy choices in an age-appropriate way. Tools developed by Canadian privacy authorities may be useful.
5. Limit the disclosure of personal information
There must be clear limits to sharing and uses of young people’s personal information.
6. Allow for deletion or deindexing and limiting retention
Young people are particularly vulnerable when it comes to their online reputation. They should have the ability to correct errors with their personal information and a means to reinvent themselves as they mature and enter adulthood.
6.1 All organizations should, and in some cases, must offer simple means, where appropriate, so that young people can correct their personal information (e.g. deleting messages, recalling sent images or videos).
6.2 Private sector organizations could adopt data retention policies that have special provisions for young people’s data, making them “expire” after a shorter period of time (e.g. older content shared online could be automatically deleted or be made private after a certain number of years).
7. Facilitate access to and correction of personal information
Young people’s access and correction rights should be as easy to exercise as those of adults.
7.1 All organizations should:
- Provide clear and conspicuous notices to young people advising them of their rights of access, correction and appeal, and should include:
- An account of personal information available, and why it is collected and retained;
- What options are available to the young person;
- An explanation of the access, correction and appeal processes;
- Where and how to get assistance;
- A means for the young person to provide feedback; and
- An explanation of the roles of parents/guardians;
- Present personal information provided in response to an access request in a form that is readily understandable by the young person;
- If the requester is a legal guardian, take steps to confirm the relationship to the young person in question.
How organizations can help protect young people online (This version is for young people and those who care for them.)
- Date modified: