8 minute read
Parental Access To Data Of Children? The Answer Is Not That Clear
By John Isaza, Esq., Privacy, Records and Information Governance Partner, Rimon Law
Given the growth of online access to products and services, including those in banking, who has access to the data collected through the use of such services? Access to and control of data is the centerpiece of several new omnibus privacy laws, such as California’s Privacy Rights Act (CPRA) and similar legislation recently enacted in Colorado, Utah, Virginia and Connecticut. Although adults may control their own data under these laws, the question of who has access to the data of their children is surprisingly murky. This article provides a brief analysis of laws regarding parental access to data of children, with an emphasis on the data of teenagers in the 14-to-17-year range.
Collection of and Access to Data of Children Under 13 Years of Age
Two key factors when it comes to data of children include: 1) the right of an organization to collect the data in the first place, and 2) who has access to that data once collected. As to collection of the data, there is ample regulation that facilitates organizational collection of data of children 13 and under at both the federal and state levels. In California, for example, Cal. Bus. & Prof. Code Sections 22575 and 22580-22582 require organizations to have parental consent to collect the data of those 13 and under. Under the Federal Children’s Online Privacy Protection Act, we have a similar bright line set at the age of 13 (15 USC §§ 6501-6505). Thus, for children 13 and under, processes and policies that include verifiable parental consent for the collection of children’s data have to be established.
When it comes to access, the right of the parent to collect or simply see the data of their children is not as clear. None of the laws give parents specific access, except in a few limited exceptions such as education and medical records. That said, parental access may be presumed at least for those who are 13 and under, since parental consent is necessary to collect it by law. In the absence of specific legislation granting parents access to the data of their children, and to close the ambiguity gap, organizations still may wish to create policies and procedures that specifically grant parents of children 13 and under full access. Such policies may include the right to access and review not only the data but also the chat history of their children.
Collection of and Access to Data of Teenagers
Alas, the 14 to 17 age range is a group in no-man’s land. The U.S. patchwork of omnibus privacy regulations coming out of California, Colorado, Connecticut, Utah, and Virginia offer little guidance when it comes to parental control of or access to the data of children in the 14-to-17-year range. In fact, they are silent.
At least one state defines a minor as anyone under 18 (Ga. Code § 20-2-720), so that a parent may have access to a child’s data. However, this definition only applies to academic records. In such limited academic circumstances, a parent would thus have a right to access the academic data of their minor children, including teenagers.
This past September 14, 2022, California also passed into law the California Age-Appropriate Design Code Act (known as the Kids Act), which is regrettably silent as well on the issue of access to the data of teenagers. On the contrary, the Kids Act requires companies to notify the child if someone is monitoring their online activity, such as a parent or guardian. The crux of the Kids Acts is basically to prohibit companies from: 1) leading children to provide their personal information online and using children’s personal information; 2) collecting, selling or retaining children’s geolocation details; and 3) profiling children. Before offering new online services that are likely to be accessed by kids, businesses also will be required to complete a data protection impact assessment to be provided to the attorney general. Clearly these requirements are targeted at organizations whose online applications are likely to reach children of any age, so banks should be in the clear for the most part, unless for some reason a targeted banking application is created strictly for the use of children.
Outside the U.S., which in theory could apply to any web application open to the public, the European Union’s GDPR recommends strict controls for data of children 16 and under (Article 8.1). However, these are only recommendations, as each individual country has to promulgate its actual law. Most EU countries set the bar lower at 13 and under. Again, for parental access, the data of teenagers abroad ends up in limbo.
Collection of and Access to Data Via Policies and Procedures
To resolve legal ambiguity, organizations need to create policies that are commensurate with general privacy protections and rights. As a general rule, the parents would not have a specified right to request the data of their children in the 14 to 17 age range, unless the organization makes a business decision to provide for it in its privacy policy and other relevant contractual documents, such as terms and conditions. This analysis would depend on the specific organization and its target audience. As to data of children 13 and under, organizational access to their data is subject to “verifiable” parental consent. By extension, although the law generally is silent on the issue of parental access to their child’s data once collected, it can be inferred from the requirement for parental verification that parents would by extension be entitled to access their children’s data.
When it comes to the data of children in the 14 to 17 age range, in the absence of clear legal guidance, organizations need to assess how much business they might lose when choosing to adopt a similar policy requiring parental consent for older children. To that end, organizations need to consider whether a contract of any sort can be enforced against a minor under 18 (i.e., the minor’s capacity to enter into a contract). Without parental consent, it is arguable that terms and conditions against a minor may not be enforceable, unless the law carves an exception as discussed in the next section for banks.
Impact on the Banking Sector
For banks the capacity to contract argument is exempted under the Illinois statutes. Specifically, Section 45.1 of the Illinois Compiled Statutes states the following:
A state bank may accept deposits made by a minor and may open an account in the name of such minor and the rules and regulations of such bank with respect to each such deposit and account shall be as binding upon such minor as if such minor were of full age and legal capacity. The receipt, acquittance or order of payment of such minor on such account or deposit or any part thereof shall be as binding upon such minor as if such minor were of full age and legal capacity.
Although this statute specifically allows a minor to open a bank account and make deposits, a bank may nonetheless create a policy across the board that a parent has access to all data of their child up to the age of 18, not limited to just their bank account information. This policy could be disclosed to the minor when the account is created. Such a policy may include access to chat histories, data of a minor collected through the website, and other such non-account specific applications that a bank may offer.
If the above approach seems too uncompromising as to teenagers, then the unfettered access of the parent can be limited to either a certain age group (e.g., 16 and under) or to certain kinds of online activity (e.g., banking transactions, but not chat history). The good news here is that the financial institution is at liberty to set its own policy based on its relationship with the customers and their demands.
On the whole, to be safe, the organization may simply adopt the same policy and approach across the board for anyone under 18. And, if the parental access to data is a sticking point for those ages 14 to 17, then as a last resort the organization may specify a carve-out from parental access for those in that age group.
About the Author John Isaza is a partner at Rimon Law, where he chairs the privacy, records management, and information governance practice. Mr. Isaza is one of the world’s foremost experts in the field. He has developed information governance and records retention programs for some of the most highly regulated Global 1000 companies. He is co-author of 7 Steps for Legal Holds of ESI & Other Documents, a contributing author to the ABA’s Internet Law for the Business Lawyer, 2nd Edition, as well as Editor-in-Chief and co-author of Handbook on Global Social Media Law for Business Lawyers. Mr. Isaza is past co-Chair of the American Bar’s Social Media Subcommittee, a Fellow of ARMA International, and current coChair of the ABA’s Consumer Privacy and Data Analytics Subcommittee. John may be reached at John. Isaza@RimonLaw.com or on his cell at +1(949) 632-3860.
