On July 22, 2022, the Personal Information Protection Commission (the “PIPC”) announced the Guidelines for Protection of Personal Information of Children and Adolescents (the “Guidelines”).
The Guidelines are a part of the follow-up measures to the Basic Plan for Protection of Children and Adolescents’ Personal Information, which the authorities published on July 11, 2022, and are a guidebook for data controllers that process children and adolescents’ personal information for their self-review.
The Guidelines focus on the protection of personal information of children and adolescents online. The Guidelines (i) set forth the principles for protecting personal information of children and adolescents and (ii) provide detailed legal obligations and recommendations for best practice based on the age of children and adolescents whose personal information is collected by the relevant data controllers. In addition, the Guidelines explain the role of not only data controllers, but also manufacturers and others who develop and manufacture toys, devices, apps, and services that are widely used by children and adolescents, as well as providing relevant information for parents and guardians.
The key contents of the Guidelines are as follows.
1. Principles for Protecting Personal Information of Children and Adolescents
The Guidelines set forth the following principles for protecting children and adolescents:
(i) Respect the right to self-determination of personal information;
(ii) Consider the best interests of children and adolescents;
(iii) Provide active support to exercise the rights;
(iv) Strengthen children and adolescents’ capabilities by ensuring transparency; and
(v) Take protective measures in view of the characteristics of each age group.
2. Matters to be Observed at Each Stage of Personal Information Processing
1) Planning / Design Stage – Service planning based on the design principles focused on personal information protection
The Guidelines explain that it is advisable to apply a design focused on personal information protection to those services that collect and use personal information of children and adolescents from the planning and design stage and throughout the personal information processing process to analyze potential risk factors and take preventive measures.
Specifically, the Guidelines recommend that (i) in case of services that are expected to be actually used by children and adolescents, data controllers should check their age by, for instance, having them enter their date of birth or check the statement that they are over the age of 14; (ii) data controllers should set the basic personal information protection settings to “high”; (iii) data controllers should refrain from designing services that require children and adolescents to provide their personal information to data controllers or third parties in return for cash or game items; (iv) the location tracking option should be deactivated by default, and when collecting location information from children and adolescents, they should be clearly made aware that the location tracking function is on; and (v) data controllers should implement reasonable measures so that children under the age of 14 would not use such services by falsely stating their age.
2) Collection Stage – Consent from legal guardian is required to collect personal information of a child under the age of 14
Under the Personal Information Protection Act (“PIPA”), in order to process the personal information of a child under the age of 14, an online service provider needs to obtain consent of their legal guardian. Online service providers need to use forms and language which are clear and easy to understand when informing children under 14 about matters related to personal information processing (Article 39-3, Paragraph (5) of the PIPA).
In addition to the above legal requirement, the Guidelines encourage online service providers to use clear and easy language when informing teenagers over the age of 14 about providing their personal information, for instance by having a separate privacy policy for children and adolescents in addition to a privacy policy for adults.
The Guidelines also explain that if online service providers intend to combine children and adolescents’ behavioral data with their unique identification information for targeted advertising, it is mandatory to clearly notify them and obtain their consent. Even if consent has been obtained, it is desirable to minimize customized advertising targeted at children under the age of 14. Also, even if users are not identified, if the data controller is aware that the user is under the age of 14 or provides a service whose users are mainly children, behavioral data should not be collected or used for the purpose of providing targeted advertising. The data controller is also advised against providing targeted advertising to children who the data controller knows to be under the age of 14.
Furthermore, the Guidelines advise against using any nudge technology that adversely affects the protection of children and adolescents’ personal information, for example by inducing children and adolescents to provide excessive amount of unnecessary personal information or to lower the level of their privacy protection settings.
3) Use and Transfer Stage – Safe use and retention of personal information collected from children and adolescents
Under the Guidelines, if services are provided to children and adolescents in the form of a conversation with AI speakers, chat bots or speaking dolls in text or voice, service providers must not unfairly collect personal information of children and adolescents and must ensure that inappropriate information is not provided to children and adolescents.
In addition, the Guidelines also recommend that if children and adolescents are provided with profiling-based services that use personal information, appropriate security measures should be in place so that children and adolescents would not be exposed to any harmful influence. If it is difficult to have such measures in place, then it is desirable not to provide profiling-based services.
4) Storage / Destruction Stage – Clear and easy guidance / notice on personal information
Pursuant to the PIPA, a data controller must store and manage personal information in a secure manner (Article 29 of the PIPA) and destroy personal information without delay when it is no longer needed (Article 21 of the PIPA).
Furthermore, the Guidelines provide that the information of a legal guardian collected to provide consent to the processing of personal information of children under the age of 14 must be destroyed after verifying the consent. However, if it is deemed necessary to provide information that can prove the legal guardian’s consent in order to respond to customer queries or for other purpose, the data controller may retain the minimum information on the legal guardian necessary to verify their consent (e.g., consent form, e-mail, or voice recording) until the personal information is no longer required due to the child’s cancellation of membership or otherwise. Please note that if the legal guardian refuses to give their consent or if they have not provided consent for five days, the data controller needs to destroy their personal information (Article 13 of the Standard Guidelines on Personal Information Protection).
5) Guarantee of Rights – Actively support the exercise of rights, such as the right to correct or delete personal information
The Guidelines explain that a child aged 14 or older may request to access, correct, delete, or suspend processing of their personal information. As for a child who is under 14 years of age, their legal guardian may request to exercise the child’s rights on their behalf. The Guidelines also state that the data controller should guide and support the legal guardians of children under 14, as well as teenagers who are 14 or older, so that they may exercise their rights relating to personal information.
In addition, the Guidelines explain that data controllers should provide appropriate means and methods to ensure that children, adolescents and their legal guardian can easily understand and exercise their rights related to personal information protection.
The Guidelines also recommend that if children and adolescents have requested to restrict access to their posts (including comments), photos, videos or other similar posts or to exclude them from search results, data controllers or search engine service providers should take measures to comply with such request. For example, the Guidelines recommend that if there is a request from children under the age of 18 or their legal guardian, data controllers and search engine service providers should provide a function to allow them to remove images of the minor from search results.
3. Miscellaneous
The Guidelines require not only data controllers, but also manufacturers of children’s toys and developers of apps and services of which children and adolescents are the main users, to take various measures to protect children and adolescents’ personal information by applying the principle of personal information-oriented design. The Guidelines also provide guidance on the roles of guardians and teachers based on the characteristics of each age group of children and adolescents.
Related Topics
