October is a busy month in Brazil for kids, parents, schools, advertisers and companies belonging to the “children’s industry,” as Children’s Day was celebrated Oct. 12. For the same reason, civil society entities, advocacy groups and consumer associations, among others, spend time presenting relevant research and activities taken toward child protection from the previous year.
When it comes to data regarding children, numbers are the best way to assess the relevance of the matter. Research shows that 86% of Brazilian children as young as 9 years old, accounting for 24.3 million individuals, interact online through instant messaging (79%), video or music platforms (77% and 75% respectively), or have profiles on social networks (73%). Internet access is mostly throughout smartphones, especially in rural areas. As data protection and privacy is a hot issue in the country, due to the enactment of the Personal Data Protection Law (effective in August 2020), October seems to be a good opportunity to discuss how children’s data is regulated by Brazilian laws, too.
Since the enactment of the 1988 Federal Constitution, Brazil has constructed a legal system in which child protection is understood to be an absolute priority for all stakeholders involved in their development, including families, schools, civil society, companies and the state in all forms. As such, the obligation to protect children from any form of negligence, discrimination, exploitation, violence, cruelty and/or oppression lies with the family, the civil society and the state.
By adoption of the UN Convention on Children’s Rights, Brazil incorporates the principle of "a child’s best interest" as the rule for all decisions and measures to be taken, as well as what interpretation should be given and when a child’s interests are at stake. Within these lines, the 1992 Child and Adolescent Statute establishes that children and teenagers are entitled to all fundamental rights inherent to natural persons, including the right of privacy and intimacy. It furthermore defines a child as anyone who is below 12 years old and a teenager as any individual who is between 12 to 18 years of age. Additionally, it states that the right of respect which children and teenagers are entitled to encompasses the inviolability of their identity and image and the autonomy of ideas, beliefs and values, a provision heavily discussed when debating the legality of children’s advertising, yet another hot topic in Brazil.
The Brazilian Civil Code determines that personality rights, such as the right of a private life, are not transmissible neither assignable, a guarantee that is extended to all individuals, including children and teenagers. Children and teenagers are subject to parents or legal guardians until they reach 18 years old by the code; these individuals will represent them in all situations within civil life. Except in specific circumstances, civil capacity is acquired only after the completion of 18 years old; although, individuals ranging from 16 to 18 are considered "relatively capable" in their acts, such as giving consent or entering into an agreement, they still must be accompanied by an adult.
As the last piece in this puzzle, the LGPD brings specific provisions on child data. Specifically, the new law determines that child’s and teenager’s data should be processed, while taking into account their best interests and existing laws. More importantly, the LGPD requires parental consent for all processing activities. Therefore, the law adopts a higher protective standard if compared to the U.S. Children's Online Privacy Protection Rule, which is aimed to the "operators of websites and online services" in regulating what must be done to "protect children’s privacy and safety online," as specified in the FTC website, or to the EU General Data Protection Regulation, which states "conditions applicable to a child’s consent, in relation to information society services" in Article 8).
Consent under the LGPD must be given prior, as well as being free, informed, unambiguous, specific and outstanding — a concept of Consumer Law in Brazil, whereby certain provisions should be "detached" from the rest of the text (either by using different font formatting or another visual presentation). Note these last two requirements apply only to this type of consent and the data subject’s consent related to the international transfer of data. Therefore, this is a more protective type of consent.
Highly inspired in the provisions found under COPPA and the GDPR, such consent is to be given by any parent or legal guardian and controllers are responsible for taking reasonable measures to certify the identity of who grants parental consent within the available technologies. Consent is not required only in cases where the information is to contact parents or legal guardian or when necessary for a child’s direct protection; yet in any case, this information cannot be shared with third parties. Again, as provided for in COPPA, children should not be required to provide personal information to be able to play games online or access any application.
When processing children’s data, controllers must publicly inform under their privacy notice the nature of data collected, purposes of use, and how rights under the law can be exercised by the parent, guardian or child itself. Furthermore, the privacy notice and consent language should be simple, clear and easily understandable, taking into consideration children’s physical and intellectual capabilities, so as to allow them to fully perceive the content. The use of audiovisual resources and other technological measures is encouraged by the law, especially if able to allow greater awareness. This provision is also in line with the Statute of Children and Teenagers in which it states children are entitled to products and services that respect their capabilities and level of development.
Questions then arise as to if other legal basis available in the LGPD could be interpreted to allow the processing of child data. Considering "options" available to the private sector, alternatives beyond consent could be: (a) the processing carried out to comply with a legal obligation; (b) to perform a contract where the data subject is a party; (c) to protect the individual’s life; (d) to provide health services; or (e) the controller’s legitimate interest. However, as defined in the LGPD, the law must be applied in the child’s best interest and taking into consideration other legislation on the matter. Furthermore, attention must also be given to the principles within the LGPD that are applicable to all processing activities and all sorts of data. Ultimately, it will depend on the Data Protection Authority, whose directors have not yet been nominated, to issue guidelines and/or specific regulations on the possibility of processing children’s data, as the U.K. Information Commissioner's Office is planning to do in a couple of weeks after carrying out a public hearing on the matter.
In conclusion, to process children’s data in Brazil, any controller must carefully consider provisions in different laws to better address legal boundaries to its activities. Differently from other jurisdictions, Brazil imposes higher standards of legal child protection because it requires parental consent for all individuals below 18 and all processing activities, not only for those related to the provision of online services. How and if other possibilities will be available to controllers and processors of child data once the data authority is established and relevant enforcement makers start to take actions on the matter is yet to be seen.
Photo by sergio souza on Unsplash