Don’t you understand?! Improving Children Privacy Literacy with Age-Appropriate Information Designs

Originally posted to CiTiP's blog

Written by Martin Sas - 14 January 2025

Protecting by Informing: a GDPR Principle

Alongside lawfulness and fairness, transparency stands as a core principle of data protection, pursuant to Art. 5(1)(a) of the General Data Protection Regulation (GDPR).

This principle requires that any information and communication relating to the processing of personal data is concise, easily accessible and easy to understand, and that clear and plain language is used (Recital 39 GDPR). For example, by using visualization (Recital  58 GDPR), such as standardised icons providing a meaningful overview of the intended processing (Recital 60 GDPR). A good example of a set of data protection icons is DaPIS developed by the Legal Design Network.

The rationale behind the principle of transparency is that natural persons should be made aware of the existence of the processing operation and its purposes (Recital 60 GDPR) as well as the associated risks, rules, safeguards, rights and modalities of exercise of these rights (Recital 39 GDPR).

As a result, it will be assumed that the provision of appropriate information enables data subjects to exercise their rights and validly consent to data processing (Recital 32 and Art. 7(2) GDPR).

Hence, data controllers must inform data subjects in accordance with the principle of transparency, in particular for any information addressed specifically to a child (Art. 12(1) GDPR). 

Given their lack of awareness, children merit specific protection with regard to their personal data (Recital 38 GDPR), which include that any information and communication addressed to them should be in such a clear and plain language that they can easily understand (Recital 58 GDPR).

Child-oriented Transparency: a Cornerstone of Children’s Rights

As children cannot validly consent to data processing without the approval of their parents (Art. 8 GDPR), it should be clear to them that they have to seek parental consent.  This further highlights the need to provide appropriate information to children about the existence of the processing and its consequences for them, before the processing even starts, as required by Art. 12(1) GDPR

Beyond ensuring the involvement of parents, theprovision of appropriate information to children is a cornerstone of their protection and empowerment. It serves as the starting point for developing children’s privacy literacy, enabling their progressive autonomy in the exercise of their specific rights protected by the United Nations Convention on the Rights of the Child (UNCRC). Hence, the access to appropriate information (tailored to children’s capacities) serves the child’s best interest (Art. 3 UNCRC) and is in itself a protected right of the child under Art. 17 of the UNCRC.

The Limitations of Information Provision

However, due to its inherent limitations, the information paradigm has been largely criticised by the literature for being ineffective to protect individuals (incl. consumers and data subjects). People do not read, nor understand, privacy policies which, nonetheless, remain the principal channel for communicating privacy information. This is mainly due to the length and complexity of these legal documents, which result in an information overload for the reader. Hence, the privacy literacy of the general population remains limited, especially among young people.

In Belgium, the Gam(e)(a)ble project surveyed 1720 teenagers declaring playing video games. When asked how often they open the privacy statement when starting a new video game, 44.3% of the respondents replied never opening it, or only rarely (11.5%) or very rarely (18.3%). 30.5% of the respondents also acknowledged not understanding anything from the privacy statement.

Finally, 39.5% of the surveyed teenagers declared never changing to the default privacy settings, because they did not know if was possible to change them (17.6%), they don’t know how to do it (12%), they think it takes too much efforts (10%), or they don’t think it is necessary (17.5%).

The Key to Children’s Privacy Literacy: Age-Appropriate Information Designs (AAIDs)

Providing guidance on the specific protection of children’s personal data (Recital 32), data protection authorities have issued codes of practices and recommendations on age-appropriate designs to ensure the respect of the best interest of the child in the design of child-oriented digital services and apps. In these codes and recommendations, children-oriented transparency, via age-appropriate information, is acknowledged as a core component. In parallel, NGOs and academics also highlighted some good practices for informing children about privacy. 

In this paper, I surveyed the different strategies for “age-appropriate information designs” (AAIDs) recommended by data protection authorities, academics, and children protection organisations and summarized them into 7 categories, i.e. “Language”, “Length”, “Communication Format”, “Accessibility”, “Nudging techniques”, “Timing”, and “Parental Involvement” (see Figure 1 below).

As an example of AAID strategy, UNICEF recommends using child-appropriate language, characters, stories, music and humour. The use of visual information, such as cartoon, comics, video, or even games, was also acknowledged as preferable to engage children.

However, there is currently a lack of evidence regarding the effectiveness of each AAID strategy. Some strategies may be more effective than others to convey privacy information to children, while some could even produce counter-productive effects if not used wisely. For example, “layering the information” (i.e. reducing the amount of information provided by displaying only the most important privacy concepts to avoid information overload) has the negative side-effect of decreasing the accessibility of the information presented in lower layers. Similarly, it is almost impossible to produce a set of “icons” that will be considered perfectly representative of data protection concepts and which will be effortlessly recognized by everybody. There is thus a risk that the icons are not understood by data subjects who could end up more confused.

Further testing and evaluation of the identified AAIDs strategies, with the involvement or children and their parents, are therefore needed.

Conclusion: Information Is Not a Standalone Protection

Although AAIDs can possibly increase the engagement of children with important information about their privacy, they do not constitute a silver bullet for ensuring the specific protection in relation to their personal data.

While the provision of information is crucial to raise their awareness on data processing and serves as the starting point for enabling them to exercise their rights, the information paradigm will always suffer from its inherent limitations, thus, creating the risk that children overlook important information about their privacy.

At the moment of the privacy notice, children’s primary concern is to get access to the digital service. Hence they are likely to disregard any obstacle (including relevant information) which would prevent them such access.

Even when they are prompted to seek for parental consent, some children may want to bypass such requirement (e.g., by fear of denial) and may end-up in environment where they personal data are collect without adequate safeguards

Hence, the provision of information cannot serve as a standalone protection without being complemented by other protection measures, such as, in relation to children, conducting children right impact assessment (CRIA), minimising of the data collected from children, preventing profiling children, disabling risky features by default, or providing children (and their parents) with control over the data processing.

Acknowledgement

The research leading to the writing of this blogpost has been performed within the FWO PROGRRES project (grant number: G0D0622N) funded by the Fonds voor Wetenschappelijk Onderzoek – Vlaanderen (FWO).