Kid's Privacy & Safety Standards and Acts

The ubiquity, digital reach, and permanency of online learning, social media platforms and others have raised serious questions about the privacy and safety of its users, mainly when dealing with children or, say, minors.

This puts immense pressure on some parents who wish to protect their children against such threats to enable them to have a normal childhood free of excessive glare on social networks or media/ comments or loss of unwanted data. Children unschooled in the ways are vulnerable to attacks on news websites/newspapers, whose consequences can lead to severe psychological impacts and even trigger psychiatric illnesses.

To help parents, we have included in this post the laws and acts of different countries that all parents must be aware of to protect the privacy and safety of their children.

United States


CIPA stands for the Children's Internet Protection Act (CIPA). In 2000, Congress enacted it to address concerns about children's access to obscene or harmful content over the Internet. CIPA imposes certain requirements on schools or libraries that receive discounts for Internet access or internal connections through the E-rate program, making certain communications services and products more affordable for eligible schools and libraries. Later in early 2001, the FCC issued rules implementing CIPA and updated the existing rules.

CIPA's protection measures must block or filter Internet access to pictures that are: (a) obscene; (b) child pornography; or (c) harmful to minors (for computers that are accessed by minors). However, prior to adopting this Internet safety policy, schools and libraries are liable to provide reasonable notice and hold at least one public hearing or meeting to address the proposal.

Furthermore, schools subject to CIPA have two additional certification requirements: 1) their Internet safety policies must include monitoring the online activities of minors; and 2) as required by the Protecting Children in the 21st Century Act, they must provide for educating minors about appropriate online behaviour, including interacting with other individuals on social networking websites and in chat rooms and cyberbullying awareness and response.

They must adopt and implement an Internet safety policy addressing:

  •  Access by minors to inappropriate matters on the Internet;
  •  The safety and security of minors when using electronic mail, chat rooms and other forms of direct electronic communications;
  •  Unauthorized access, including so-called "hacking" and other unlawful activities by minors online;
  •  Unauthorized disclosure, use, and dissemination of personal information regarding minors; and
  •  Measures restricting minors' access to materials harmful to them.
  • Schools and libraries must certify they comply with CIPA before receiving E-rate funding.
  • CIPA does not apply to schools and libraries receiving discounts for telecommunications service only;
  •  An authorized person may disable the blocking or filtering measure during use by an adult to enable access for bona fide research or other lawful purposes. 
  •  CIPA does not require the tracking of Internet use by minors or adults.


FERPA is the acronym for Family Educational Rights and Privacy Act. This Act gives parents certain rights concerning their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students" (FERPA), a federal law that entitles parents to access their children's school records.

The right to ask for the records to be amended and the right to exercise some control over the release of personally identifiable information from educational records. When a student reaches the age of 18 or enters a postsecondary institution, regardless of his or her age, FERPA rights are transferred from parents to the student ("eligible student"). FERPA is set at 20 USC § 1232g, and FERPA is set at 34 CFR Part 99.

FERPA gives parents certain rights concerning their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."

  • Parents or eligible students have the right to inspect and review the student's education records maintained by the school. Schools are not required to provide records unless parents or eligible students cannot review the records for reasons such as great distance. Schools may charge a fee for copies. 
  • Parents or eligible students have the right to request a correct school record that they believe to be inaccurate or misleading. If the school decides not to amend the record, the parent or eligible student then has the right to a formal hearing. After the hearing, if the school still decides not to amend the record, the parent or eligible student has the right to place a statement with the record setting forth his or her view about the contested information.
  • Generally, schools must have written permission from the parent or eligible student to release any information from a student's education record.

However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31): 

  • School officials with legitimate educational interest;
  • Other schools to which a student is transferring;
  • Specified officials for audit or evaluation purposes;
  • Appropriate parties in connection with financial aid to a student;
  • Organizations conducting certain studies for or on behalf of the school;
  • Accrediting organizations;
  • To comply with a judicial order or lawfully issued subpoena; 
  • Appropriate officials in cases of health and safety emergencies; and
  • Within a juvenile justice system, state and local authorities are pursuant to specific State law.

Amidst all, schools are allowed to disclose "directory" information such as a student's name, address, telephone number, date and place of birth, honours and awards, and dates of attendance without consent. However, it is obligatory to inform parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose their directory information. Also, schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.

COPPA (Children's Online Privacy Protection Act)

Enacted by the United States of America, back in 2000, its children's privacy protection laws known as Children's Online Privacy Protection Act (COPPA). This Act empowers the Federal Trade Commission to make and promulgate regulations to protect and promulgate children's online privacy. COPPA regulates data collection for children under the age of 13.

The act guards children's privacy by restricting the operators of online websites and commercial services to collect any kind of data of children under 13 without parental consent. The restriction also applies to third-party advertisers when they have "real knowledge" of collecting personal information about children under the age of 13 from any other website or online service.

COPPA's scope does not apply directly to unprofitable organizations and educational institutions. However, it does apply to the third party that provides online support to school education. Under these conditions, schools play the role of parents and provide consent to access all data on the terms and conditions of COPPA.

The Children's Online Protection Act (COPPA) (also known as Children's Online Privacy Protection Rule) is a federal privacy law that protects the personal information of children under the age of 13 and requires website and online service operators to obtain the consent of parents or guardians to collect such personal information.

COPPA was first introduced as a law in 1998; COPPA gained popularity in 2000 when hardly any of today's popular online social platforms were developed before the ubiquity of smartphones and apps. Sites like Six Degrees and Classmates were present in the late 1990s, but LinkedIn and MySpace did not launch until 2003. Facebook arrived in 2004, Twitter in 2006, and Instagram in 2010. TikTok existed in a previous form in 2015 but was not available worldwide until 2018.

The Act has undergone significant updates over the years to reflect digital advances, and its definition of "website or online service" includes:

  • mobile apps that send or receive information online (such as network-connected games, social networking apps, or apps that display behaviour-based advertising); 
  • Online gaming platforms.
  • plug-ins
  • advertising networks
  • Web-based geolocation services
  • voice-over-internet protocol services
  • connected toys or other Internet of Things devices

There are several requirements for parental consent under the Children's Online Privacy Protection Act: 

Before collecting, using, or disclosing children's personal information, entities must obtain consent. Because children cannot legally consent, it must be obtained from a parent or guardian. There is flexibility regarding how parents/guardians are informed of the request for information and what purpose.

However, regardless of the technology or platform used, the method must communicate what personal information from the child would be collected, how, and how it would be used and potentially shared with any third parties.

The organization must also take reasonably robust steps to verify that the parent/guardian consent.

Few acceptable methods of obtaining parental consent include:

  • Fax, mail, or electronic scan.
  • The online payment system provides the account holder with separate transaction notifications.
  • Calling a toll-free number staffed by trained personnel.
  • Video conferencing with trained personnel.
  • Providing a copy of government-issued identification verifiable against a database, provided the identification is expunged after the verification process. 
  • Answering a series of knowledge-based questions is difficult for someone other than the parent to answer.
  • Verifying a picture of a driver's licence or other photo identification submitted by the parent and using facial recognition technology to compare it to a second photo also submitted by the parent.

Parents too are allowed to provide consent to collect and use the child's personal information by the requesting organization but refuse consent to disclose the information to third parties. 

If a child's personal information will be collected but only used internally by the organization collecting it and not disclosed, "email plus" consent and verification is acceptable.Parents/guardians must be informed that they can revoke consent at any time, and if changes are made to the collection, use, or disclosure practices consented to, a new notification must be provided and new consent obtained.

However, there are some instances where consent is not needed to collect or use children's personal information, though it should be noted that there may be specific notification requirements even if one or more of these conditions are met.

Few conditions and purposes when the child's, parent's, or contact information of both can be collected without consent are:

The child's and parent's name and online contact information may be collected for:

  • Protecting the child's safety 
  • Obtaining parental consent must be deleted if consent is not obtained within a reasonable period

Directly responding more than once to a child's specific request (child's newsletter subscription request), but this cannot be combined with any other information about the child. The parent/guardian's online contact information may be collected for: 

  • Providing notification about the child's participation on a site or service that does not collect personal information 
  • Protect the safety or integrity of the website or online service, take precautions against liability, respond to the judicial process or (as the law permits) provide information to law enforcement agencies. 
  • A persistent identifier may be used for: 
  • Supporting internal operations of the website or online service, including: 
  • maintaining or analyzing the functioning of the site 
  • performing network communications 
  • authenticating users of the site or personalizing content 
  • Serving contextual ads or frequency capping or more. 

Those who violate COPPA rules may be fined up to USD 43,280 per violation, with enforcement handled by the Federal Trade Commission. In the recent past, Google was fined USD 170 million in 2019 for violations on YouTube, where children's personal information was collected without consent and used to target them with advertising. In 2020, outside of the US, a class-action lawsuit filed in the UK sought the US $3.2 billion for similar violations of children's data privacy on YouTube.


Cyber protection of Children's Personal Information

China's cyberspace administration has enacted a law titled "Cyber Protection of Children's Personal Information" to protect children's online privacy. The Act contains various provisions that require network operators to maintain the rightness, purpose and security guaranteed when collecting, transferring or disclosing data. The law applies only to children under 14 years old on the territory of mainland China. The term "network operator" used pursuant to the Act applies to all network operators, websites and application operators. Section 9 of the Act requires that network operators obtain parental consent prior to collecting, using, and transferring personal information about children. The guardian and the children have the right to request the operator to delete and modify all data stored in it if deemed erroneous. In case of a threat of data breach, the network operator must inform the guardian of this threat via email, phone or push notification. In case of a threat of data breach, the network operator must inform the guardian of this threat via email, phone or push notification. If the network operator breaches provisions of the Act, this can have several consequences.

For example, if the system operator does not comply with the requirements of the regulations and there is a significant safety risk or a safety accident. Cybersecurity and information administration officials may have to interview the network operator and require the network operator to correct and eliminate the potential risks. If the Network Operator's behaviour involves a violation of other laws or regulations (including the Cybersecurity Law or the Administrative Measures on Internet Information Services), authorities impose appropriate liability (including criminal) accordingly.

As China's first legislation focused on protecting children's PI in China, the Regulation is a milestone. Key concepts include:

  • the designation of an individual primarily responsible for protecting children's PI,
  • specialized terms of use and privacy policy, and
  • prior consent of guardians.

However, the Regulations do not specify specific details of its implementation, particularly for identifying guardians and obtaining consent. Nonetheless, network operators can already make certain compliance adjustments: operators of websites and applications used by children should prepare conditions of use and privacy regulations specific to children who designates a particular person in charge of the children's PI protection; network operators without minor users would need to adjust their registration rules to ensure that children are not using their services.

European Union

General Data Protection Regulation (GDPR)  

The European Union's General Data Protection Regulation recognizes that children's data should be afforded special protection because they may be little aware of the risks and consequences of data sharing. General Data Protection Regulation or GDPR refers to the world's most robust set of data protection laws that regulates the data shared by the people to the organizations and the safety, privacy, concerns to be taken by them regarding such data. The European Parliament and Council agreed upon GDPR in April 2016 to replace the Data Protection Directive 95/46/EC in Spring 2018 as the primary law regulating how companies protect EU citizens' data. The US law COPPA and China's children's privacy protection laws are drawn based on the GDPR. This Regulation was enacted across 28 European Union member states regarding the protection of data breaches. GDPR provides the citizens of the EU nations to have control over their data used for business purposes by the organizations so that the citizens can bloom with the businesses in the European Union. This law works on seven principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security); and accountability. It sets the liability over controllers and processors of an organization's data to legally collect the owner's data and secure it from any data breach.

As far as the right to privacy of children is concerned, the provisions of the GDPR stipulate that the processing of a child's data is legal when the children are 16 years old. If the children are less than 16 years old, the data processing will be legal only after the consent given by the parent or authority. The minimum age for children under the Act is 13.

The reforms designed reflect the world we live in now and bring laws and obligations around personal data, privacy and consent across Europe up to speed for the internet-connected age.

Fundamentally, almost every facet of our lives is data-driven. Whether it's social media companies, banks, retailers, or governments, virtually all the services we use include collecting and analyzing our data.

The data comprises name, address, credit card number and more are collected, analyzed and, perhaps most importantly, stored by organizations.

When it comes to compliance, under the terms of GDPR, not only do organizations have to ensure that personal data is gathered legally and under strict conditions but those who collect and manage it are obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners - or face penalties for not doing so. If they fail to comply, it can result in a fine ranging from 10 million euros to four per cent of its annual global turnover.

Fines depend upon the seriousness of the violation and whether the company has taken safety compliance and Regulation sufficiently seriously.

As of now, the maximum fine of 20 million euros or four per cent of worldwide turnover for infringements of the rights of the data subjects, unauthorized international transfer of personal data, and failure to put procedures in place for or ignoring subject access requests for their data.


The personal data protection bill 2019

The Personal Data Protection Bill,2019, was first tabled by the government of India in Parliament in December 2019. The bill seeks to protect the personal data of the individual and establishment a data protection authority for the same. Chapter IV of the Personal data protection bill provides provisions for processing the children's and sensitive personal data. It further provides that the government shall do the personal data processing, companies incorporated in India and foreign companies dealing with the personal data, collectively known as "data fiduciary". Section 16 of the bill lays down the grounds regarding data processing. It states that every fiduciary shall process the data in such a manner that serves the children's best interest, protecting the children's rights. The data fiduciary shall verify the age of the children and obtain parental consent before processing any personal data in case of minors. This Regulation brings the data fiduciaries like online commercial services or websites directed to children for educational or extensive data processing purposes as the "guardian fiduciaries". The guardian fiduciaries providing counselling or child protection shall be exempted from obtaining parental consent. The provision shall bring the educational institutions and the counselling institutions within the ambit of "guardian fiduciaries". The Data Protection Authority, a regulating body, incorporated under the Act's provisions, shall have the right to protect the interest of individuals and prevent the misuse of data. If the data fiduciary is found to have indulged in violation or irregularities while processing data, it shall be punished with a fine of 15 crores or 4 per cent of the total annual turnover, whichever is higher.

Now, since the bill hit due to the pandemic, and the bill passes and becomes a fully-fledged Act, the children's right to privacy shall be protected under the provided provisions of the Act.   

United Kingdom

The UK Council for Child Internet Safety (UKCCIS)

UK Council for Child Internet Safety was a group of more than 200 organizations drawn from government, industry, law, academia and charity sectors that work in partnership to help keep children safe online. It has several publications focusing on kids' privacy and safety.

Some of them include:

Education for a Connected World- Framework

The education for a Connected World framework describes the Digital knowledge and skills that children and young people should have the opportunity to develop at different ages and stages of their lives. Its impact on behaviour and development and their skills to navigate it.

The document supports a vital objective of the Government's Internet Security Strategy to help children remain safe and contribute positively online, enabling teachers to develop effective strategies to understand and manage online risks.

Children's Code or Code 

The Children's Code was released by the UK Information Commissioner (ICO) in September 2020, was mandated by Section 123(1) of the UK Data Protection Act of 2018 (UK DPA); it comprises 15 age-appropriate design standards covering entities to must adopt and implement.

The Code was designed to provide a risk-based approach to protecting children's data, allowing children to enjoy the benefits of online services while ensuring companies engage in proportionate data collection and use. By conforming to the standards, businesses should comply with the UK Data Protection Act and EU General Data Protection Regulation that govern the handling of children's data.

The Code applies broadly to online services "provided for remuneration"—including those supported by online advertising—that process the personal data of and are "likely to be accessed" by children under 18 years of age, even if those services are not targeted at children.

The ICO intended that this phrase be interpreted broadly to cover services that business targets to children and those that children are "more probable than not" to access while not covering all services that children could access.

Factors to consider include whether children are likely to be attracted to the nature and content of the service and how users can access the service (e.g., whether a business uses an age-gate). To make this determination, businesses can analyze market research, other sources of online user behaviour, or the user base of similar services.  

Distinct to the US the Children's Privacy Act, which gives parents the power to control the collection, the use and disclosure of their kids' data, the Code requires companies to process data for the best interests of children and that children receive the information and tools necessary to exercise control over their data.

The Code's standards are meant to be technology-neutral design principles that are flexible enough for businesses to apply to different services and technologies. The standards do not ban or specifically prescribe services and "will never replace parental control and guidance, [but] will help people have greater confidence that their children can safely learn, explore and play online." 


Bill 4695/20 

This unique named bill 4695/20 determines that distance learning technology platforms observe, in the collection and sharing of personal data of students, parents and teachers, the requirements set out in the General Data Protection Law (LGPD).

 The Data Protection Law was developed under analysis by the Chamber of Deputies; this proposal amends the Law on Educational Guidelines and Bases, establishing that platforms must guarantee, whenever possible:

  •   The use of technology without providing and sharing personal data; and
  •   Failure to collect and make sensitive data sensitive to racial or ethnic origin, religious or political beliefs, membership in a union or organization of a religious, philosophical or political nature, health or sexual life, genetics or user biometrics.

Additionally, the text provides that the processing, collection and sharing of data from education professionals, parents or guardians and students only occur with their prior and express consent. The data for training artificial intelligence systems will also need to have consented.

Did we miss any? If yes, do write to us. 

About the Author
Author: Saniya Khan
Saniya Khan I am Saniya Khan, Copy-Editor at EdTechReview - India’s leading edtech media. As a part of the group, my aim is to spread awareness on the growing edtech market by guiding all educational stakeholders on latest and quality news, information and resources. A voraciously curious writer with a dedication to excellence creates interesting yet informational pieces, playing with words since 2016.

Like what we do?

The Latest EdTech News To Your Inbox

Follow us: