Expansive access to the internet has solidified the integration of children and adolescents into the virtual world. According to UNICEF, "one in three internet users is a child under 18 years of age," in Brazil, 92% of children and adolescents reportedly use the internet. Despite the benefits of digital inclusion and connectivity, there are risks associated with excessive device use and exposure to inappropriate content.
Under Brazil's General Data Protection Law, the processing of minors' personal data must strictly align with their best interests, and access to applications should not be conditional on obtaining personal data. However, the effectiveness of risk mitigation tools is often tied to the processing of personal data of children and adolescents. Although not the sole mitigation option, technical and organizational measures can attenuate risk and establish access control and content limitation mechanisms.
Therefore, understanding the legal aspects of processing minors' personal data is vital for appropriate and effective protection. The following analysis is derived from Brazil’s LGPD, but numerous similarities with data protection norms globally, such as the EU General Data Protection Regulation, allows the overall reasoning to be applied elsewhere.
The literal interpretation of Brazilian law suggests that processing children's personal data necessarily requires consent from a parent or guardian. This has spurred discussion on the limits and conditions for processing minors' personal data, leading Brazil's Data Protection Authority to clarify that such data can be processed under the legal bases provided in the LGPD — which include, but are not limited to, consent — as long as the best interest of the minors is observed.
The minimization principle under the LGPD mandates that data used in processing should be "pertinent, proportional, and not excessive," limited only to what is necessary for its intended purposes. In practice, however, while the need to observe the minimization principle is clear, its application is sometimes misconstrued. Some stakeholders apply the minimization principle as an absolute rule, pursuing data minimization at any cost, even if it compromises the best data processing practices for a particular context.
When processing the data of minors this misunderstanding persists, blurring the conceptual distinction between "best interest" and the principle of minimization. However, data minimization and the child’s best interest are neither identical nor mutually exclusive.
There are scenarios where limiting access to minors' data is the most appropriate way to protect their best interest, particularly in cases of targeted advertising and predictive analyses. Conversely, comprehensive or more intrusive data processing might offer more effective control mechanisms for children’s online safety, being plausibly justified by prioritizing the best interests of children and adolescents. Thus, it is important to recognize that the child's best interest is not always synonymous with data minimization; in some cases, a more extensive processing of minors' data aligns better with their best interests.
Another principle, necessity, is associated with not processing excessive data. Nonetheless, the use of data that is insufficient to achieve a certain goal, e.g., child's online protection, can also be a violation of data protection law due to the under use of the necessary information. Furthermore, the robustness of collected data is directly related to the quality of data processing results. Insufficient data robustness (input) may lead to compromised output quality, potentially undermining the primary goal of protecting the best interest of children and adolescents. This shows that minimization of data cannot be a goal in itself, as this can — in certain contexts — lead to questionable results.
Processing data for security purposes can include the use of sensitive information, if the goals to be achieved are proportionate to the interference being caused by the activity. Current capacity for personal data processing enables the identification of users through various elements, including soft biometrics. This category includes data such as typing patterns, the position of the mobile device, and height relative to the ground, among others. When combined, these elements can contribute to assessing the probable age of a user. The discrepancy between self-declared age and observed behavior is crucial in managing minors' access to content and mitigating risks. Other data categories, like accessed websites and screen activity patterns, can also be incorporated into a predictive analysis to determine the real age of users more accurately.
While this procedure is not foolproof, it can better age-verification mechanisms by going beyond the usual, and frequently insufficient, self-declaration; the discrepancy between the declared age and personal data being collected can be an important tool in managing minors’ exposure to risk and inappropriate content. This use can be seen in recent proposals worldwide for industries including pornography (online) and alcoholic beverages (offline).
Moreover, if analyzing these inferences can reveal the identities of minors claiming to be older, it should also be possible to identify those portraying themselves as younger online. As recently highlighted by the European Commission's decision in December 2023, ensuring a safer online environment for children is a priority, and adopting more intensive personal data processing measures can be an adequate pathway to ensure children’s online safety.
It can be asserted, therefore, that when it comes to data protection law, principles of the minor's best interests and of minimization, albeit not incompatible, are not to be simply inferred from one another. That is because prioritizing minors' best interests does not necessarily equate to minimizing data being processed. Although data minimization is crucial for the protection minors in various contexts, handling this information involves nuances, especially when ensuring a safer online environment.
Identification through personal data processing, while subject to legal and ethical considerations, can help effectively managing minors' access to different types of content. In this context, despite implying a more encompassing data processing, certain data processing measures can be effective mechanisms in safeguarding the best interest of the child in a digitalized world.