Authors:
(1) Tinhinane Medjkoune, Univ. Grenoble Alpes, CNRS, Grenoble INP, LIG France;
(2) Oana Goga, LIX, CNRS, Inria, Ecole Polytechnique, Institut Polytechnique de Paris France;
(3) Juliette Senechal, Université de Lille, CRDP, DReDIS-IRJS France. Table of Links Abstract and Introduction Background Legislation on Advertising to Children Mechanisms for Targeting Children Usage of Placement-Based Targeting Limitations Related Works Conclusion, Acknowledgements and References Appendix A APPENDIX A.1 Screenshots A.2 Additional legal excerpts This section provides more details on the meaning and definition of precise words used in different legislations we discuss in Section 3. A.2.1 Additional provisions in the DSA. The Article 28 of the DSA is without prejudice to Union law on protection of personal data. In particular, Article 8 of the GDPR states, concerning conditions applicable to child’s consent in relation to information society services, that, “where the criteria for making data processing lawful is consent (6.1.a of the GDPR) (...) the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years. To ensure effective implementation of these due diligence obligations by platforms, the DSA defines a set of administrative sanctions and monitoring measures that will be implemented by the European Commission in relation to VLOPS. In Article 54 supplements this by the possibility for a recipient of services who suffers damage as a result of the violation of a due diligence obligation to obtain compensation for his loss in: “Recipients of the service shall have the right to seek, in accordance with Union and national law, compensation from providers of intermediary services, in respect of any damage or loss suffered due to an infringement by those providers of their obligations under this Regulation”. This solution is a major novelty. It is important to specify that liability will be triggered by the occurrence of a systemic risk, for example concerning the mental health of a child. A.2.2 Additional provisions in the Directive (EU) 2018/1808 of 14 November 2018. Article 28b (3) states that “appropriate measures shall be determined in light of the nature of the content in question, the harm it may cause, the characteristics of the category of persons to be protected as well as the rights and legitimate interests at stake, including those of the video-sharing platform providers and the users having created or uploaded the content as well as the general public interest (...). For the purposes of the protection of minors (...) the most harmful content shall be subject to the strictest access control measures. Those measures shall consist of, as appropriate : (...) (f) establishing and operating age verification systems for users of video-sharing platforms with respect to content which may impair the physical, mental or moral development of minors; (...) (g) providing for parental control systems that are under the control of the end-user with respect to content which may impair the physical, mental or moral development of minors (...). ” A.2.3 Relevant nomenclature in the COPPA. Verifiable parental consent means “any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that a parent of a child receives notice of the operator’s personal information collection, use, and disclosure practices, and authorizes the collection, use, and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that child.” Personal information means “individually identifiable information about an individual collected online, including: (1) A first and last name; (2) A home or other physical address including street name and name of a city or town; (3) Online contact information as defined in this section; (4) A screen or user name where it functions in the same manner as online contact information, as defined in this section; (5) A telephone number; (6) A Social Security number; (7) A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier; (8) A photograph, video, or audio file where such file contains a child’s image or voice; (9) Geolocation information sufficient to identify street name and name of a city or town; or (10) Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.” This paper is available on arxiv under CC 4.0 license. Authors: (1) Tinhinane Medjkoune, Univ. Grenoble Alpes, CNRS, Grenoble INP, LIG France; (2) Oana Goga, LIX, CNRS, Inria, Ecole Polytechnique, Institut Polytechnique de Paris France; (3) Juliette Senechal, Université de Lille, CRDP, DReDIS-IRJS France. Authors: Authors: (1) Tinhinane Medjkoune, Univ. Grenoble Alpes, CNRS, Grenoble INP, LIG France; (2) Oana Goga, LIX, CNRS, Inria, Ecole Polytechnique, Institut Polytechnique de Paris France; (3) Juliette Senechal, Université de Lille, CRDP, DReDIS-IRJS France. Table of Links Abstract and Introduction Abstract and Introduction Background Background Legislation on Advertising to Children Legislation on Advertising to Children Mechanisms for Targeting Children Mechanisms for Targeting Children Usage of Placement-Based Targeting Usage of Placement-Based Targeting Limitations Limitations Related Works Related Works Conclusion, Acknowledgements and References Conclusion, Acknowledgements and References Appendix Appendix A APPENDIX A.1 Screenshots A.2 Additional legal excerpts This section provides more details on the meaning and definition of precise words used in different legislations we discuss in Section 3. A.2.1 Additional provisions in the DSA. The Article 28 of the DSA is without prejudice to Union law on protection of personal data. In particular, Article 8 of the GDPR states, concerning conditions applicable to child’s consent in relation to information society services, that, “where the criteria for making data processing lawful is consent (6.1.a of the GDPR) (...) the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years. A.2.1 Additional provisions in the DSA. “where the criteria for making data processing lawful is consent (6.1.a of the GDPR) (...) the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. To ensure effective implementation of these due diligence obligations by platforms, the DSA defines a set of administrative sanctions and monitoring measures that will be implemented by the European Commission in relation to VLOPS. In Article 54 supplements this by the possibility for a recipient of services who suffers damage as a result of the violation of a due diligence obligation to obtain compensation for his loss in: “Recipients of the service shall have the right to seek, in accordance with Union and national law, compensation from providers of intermediary services, in respect of any damage or loss suffered due to an infringement by those providers of their obligations under this Regulation” . This solution is a major novelty. It is important to specify that liability will be triggered by the occurrence of a systemic risk, for example concerning the mental health of a child. “Recipients of the service shall have the right to seek, in accordance with Union and national law, compensation from providers of intermediary services, in respect of any damage or loss suffered due to an infringement by those providers of their obligations under this Regulation” A.2.2 Additional provisions in the Directive (EU) 2018/1808 of 14 November 2018. Article 28b (3) states that “appropriate measures shall be determined in light of the nature of the content in question, the harm it may cause, the characteristics of the category of persons to be protected as well as the rights and legitimate interests at stake, including those of the video-sharing platform providers and the users having created or uploaded the content as well as the general public interest (...). For the purposes of the protection of minors (...) the most harmful content shall be subject to the strictest access control measures. Those measures shall consist of, as appropriate : (...) (f) establishing and operating age verification systems for users of video-sharing platforms with respect to content which may impair the physical, mental or moral development of minors; (...) (g) providing for parental control systems that are under the control of the end-user with respect to content which may impair the physical, mental or moral development of minors (...). ” A.2.2 Additional provisions in the Directive (EU) 2018/1808 of 14 November 2018. Article 28b (3) states that “appropriate measures shall be determined in light of the nature of the content in question, the harm it may cause, the characteristics of the category of persons to be protected as well as the rights and legitimate interests at stake, including those of the video-sharing platform providers and the users having created or uploaded the content as well as the general public interest (...). For the purposes of the protection of minors (...) the most harmful content shall be subject to the strictest access control measures. Those measures shall consist of, as appropriate : (...) (f) establishing and operating age verification systems for users of video-sharing platforms with respect to content which may impair the physical, mental or moral development of minors; (...) (g) providing for parental control systems that are under the control of the end-user with respect to content which may impair the physical, mental or moral development of minors (...). ” access control age verification parental control A.2.3 Relevant nomenclature in the COPPA. Verifiable parental consent means “any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that a parent of a child receives notice of the operator’s personal information collection, use, and disclosure practices, and authorizes the collection, use, and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that child.” A.2.3 Relevant nomenclature in the COPPA. Verifiable parental consent means “any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that a parent of a child receives notice of the operator’s personal information collection, use, and disclosure practices, and authorizes the collection, use, and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that child.” Personal information means “individually identifiable information about an individual collected online, including: (1) A first and last name; (2) A home or other physical address including street name and name of a city or town; (3) Online contact information as defined in this section; (4) A screen or user name where it functions in the same manner as online contact information, as defined in this section; (5) A telephone number; (6) A Social Security number; (7) A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier; (8) A photograph, video, or audio file where such file contains a child’s image or voice; (9) Geolocation information sufficient to identify street name and name of a city or town; or (10) Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.” Personal information “individually identifiable information about an individual collected online, including: (1) A first and last name; (2) A home or other physical address including street name and name of a city or town; (3) Online contact information as defined in this section; (4) A screen or user name where it functions in the same manner as online contact information, as defined in this section; (5) A telephone number; (6) A Social Security number; (7) A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier; (8) A photograph, video, or audio file where such file contains a child’s image or voice; (9) Geolocation information sufficient to identify street name and name of a city or town; or (10) Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.” This paper is available on arxiv under CC 4.0 license. This paper is available on arxiv under CC 4.0 license. available on arxiv

Part of HackerNoon's growing list of open-source research papers, promoting free access to academic material.

COPPA Nomenclature: Unpacking Verifiable Parental Consent and Personal Information

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

4 Strategies for Targeting Children on YouTube Despite Advertising Restrictions

Marketing to Children Through Online Targeted Advertising: Targeting Mechanisms and Legal Analysis

How Advertisers Reach YouTube's Young Audience

Legislation on Advertising to Children

4 Strategies for Targeting Children on YouTube Despite Advertising Restrictions

How Advertisers Use Placement-Based Targeting on Children's Videos

4 Strategies for Targeting Children on YouTube Despite Advertising Restrictions

Marketing to Children Through Online Targeted Advertising: Targeting Mechanisms and Legal Analysis

How Advertisers Reach YouTube's Young Audience

Legislation on Advertising to Children

4 Strategies for Targeting Children on YouTube Despite Advertising Restrictions

How Advertisers Use Placement-Based Targeting on Children's Videos

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps