Connected toy makers should make clear what data they slurp up, the UK's Office of the Children's Commissioner has said in a report warning of the long-term impact of amassing data on kids.
According to the report (PDF), young folk will have sent out an average of 70,000 social media posts by the time they reach 18, while snap-happy parents will have uploaded 1,300 photos and videos of their offspring online before they become teenagers. Added to that is the data gathered through the schools and healthcare systems.
The report also warned of the dangers of internet-connected toys, pointing to the numerous incidents of security failures of these devices.
It called on companies developing products aimed at children to be more transparent about the information they capture, particularly when a toy collects video or audio on a child and whether, where and how that data is stored. This should be on packaging or instruction leaflets, it added.
Companies should also make sure that their Ts&Cs are written using conditions children can understand, the commissioner said. A similar requirement exists in the GDPR for privacy notices.
The fact the GDPR sets out specific protections for children was a step in the right direction, the report stated, but added that it "does not address the most fundamental, long-term challenges".
The pace of technological change, it added, means policymakers need to keep it under review. "Swift regulatory action may be needed in order to protect children from being disadvantaged by the way their data is used, especially with regard to profiling and automated (and semi-automated) decision-making," it said.
Haunted for life
The latter point is a source of some concern within the report, as profiling will play a greater role in the adult lives of today's children, if only because more data will be available. It means information created in the heady days of youth could impact decisions about jobs, insurance or credit.
A child talking about their mental health problems on social media might find that this information hinders them from getting health insurance or perhaps even other types of credit. Colleges and universities might use not only exam results and personal statements to award places, but data collected from educational apps or connected devices.
As such, the report called for the government to consider requiring that organisations using automated decision-making be more transparent about when and how data used by the algorithm has been collected from under-18s.
There are also questions raised about how collecting so much data on kids can impact their freedom and independence – from parents having the ability to keep tabs on their kids, to errors of judgment at an earlier age that follow the children into adulthood.
"Making mistakes and pushing boundaries is a normal part of childhood, but is less likely when children are being tracked so closely."
The report argued that parents or teachers' expectations might also change – again noting that educational trackers may increase pressure on students.
The amount of data schools slurp on kids is already a bone of contention for campaigners. Earlier this year, a report from children's privacy group Defend Digital Me found that 53 per cent of parents said their kids' schools used CCTV or IPTV cams, while a quarter used biometrics, like fingerprint or facial recognition.
Elsewhere, there are concerns about the way data collected by schools could be hoovered up by other branches of government, and used for immigration enforcement.
The Children's Commissioner's report noted these growing concerns, stating that "there is no necessary reason to believe that public sector bodies are any better or worse than commercial organisations in terms of the standards they adhere to when handling children's data".
It added there was a "clear implication" of there being more private firms involved in the education system.
But Defend Digital Me director Jen Persson said that, while welcoming the report, she felt it could have gone further in holding the public sector to account.
"While the report mentions apps and school management systems, it barely hints at the vast quantities of information that are teacher opinion or inferred," she said. "This is data that parents and children don't see, and are sent to enormous databases, used by thousands of third-parties families aren't told about and have never heard of."
Blah blah blah, click to agree
The report also argued children are "becoming accustomed to sharing their information without asking why it is needed or what it will be used for", saying a lax attitude has been identified in kids as young as six.
However, it doesn't say whether children might become more aware of the risks as they grow up, socially or politically, particularly as debate about data privacy becomes more mainstream.
A set of recommendations aimed at improving children's and parents' digital understanding and encouraging caution were proposed, but Persson said these "won't fix companies doing bad things if they're careless or creepy". This is where enforcement is needed, she said.
Persson also put recommendations for teaching children their rights into context, noting that there is little funding or capacity in the curriculum for this, and a lack of data protection training for teachers.
"Without the infrastructure to increase teachers' knowledge to enable the children's improved teaching on it, it won't happen." ®